Muragan Thesis
Since their appearance in 1970 in the form of ALOHANET, wireless packet radio networks have come a long way in terms of numbers, applications, and feature set, among other things. The two largest attractions of wireless communication have been mobility and ease of deployment: laying cables is not only laborious and time consuming, but their maintenance is equally bothersome. Wireless communication today surrounds us in many colors and flavors, each with its unique frequency band, coverage, and range of applications. It has matured to a large extent, and standards have evolved for Personal Area Networks, Local Area Networks as well as Broadband Wireless Access.
nodes. APs are like base stations which keep track of node associations/disassociations, authentication etc. and control the traffic flow between their clients as well as between fellow APs. The AP may also be connected to the Internet, thereby providing Internet connectivity to its clients.
A very attractive and promising category of wireless networks that has emerged is based on an Ad Hoc topology; these networks are called Wireless Ad Hoc Networks. The term wireless network implies a computer network in which the communication links are wireless. The term Ad Hoc comes from the fact that there is no fixed infrastructure for forwarding/routing the packets. Figure 1.1 [2] shows an infrastructure-based and an Ad Hoc wireless network.
[Figure 1.1: an infrastructure-based network (BSS #1 and BSS #2, each with an AP and clients) next to an Ad Hoc network (Node 1, Node 2)]
to be a perfect circle, and the links in fact can even be unidirectional in many cases: node A can reach node B on link 1, but node B may not be able to use this link to reach node A. This can happen due to the signal strengths of the two transmitters being unequal, or can even depend on the transmission path.
In Ad Hoc networks, each node is willing to forward data to other nodes, and so the determination of which nodes forward data is made dynamically based on the network connectivity. This is in contrast to infrastructure-based networks, in which designated nodes, usually with custom hardware and variously known as routers, switches, hubs, and firewalls, perform the task of forwarding the data. Minimal configuration and quick deployment make Ad Hoc networks suitable for emergency situations like natural or human-induced disasters, military conflicts, emergency medical situations etc. An Ad Hoc network is formed for a purpose by participating wireless nodes and is then torn down. These networks introduced a new art of network establishment and are well suited for environments where either the infrastructure is lost or deploying an infrastructure is not cost-effective.
The first generation of wireless Ad Hoc networks dates back to 1972. At the time, they were called PRNET (Packet Radio Networks). In conjunction with ALOHA and CSMA (Carrier Sense Multiple Access) approaches for medium access control and a kind of distance-vector routing, PRNET was used on a trial basis to provide different networking capabilities in a combat environment.
The second generation [6] of Ad Hoc networks emerged in the 1980s, when the ad-hoc network systems were further enhanced and implemented as a part of the SURAN (Survivable Adaptive Radio Networks) program. This provided a packet-switched network to the mobile battlefield in an environment without infrastructure. This program proved to be beneficial in improving the radios' performance by making them smaller, cheaper, and resilient to electronic attacks.
In the 1990s, the concept of commercial ad-hoc networks [6] arrived with notebook
computers and other viable communications equipment. At the same time, the idea of a
collection of mobile nodes was proposed at several research conferences.
The IEEE 802.11 [7] subcommittee had adopted the term "ad-hoc networks" and the
research community had started to look into the possibility of deploying ad-hoc networks in
other areas of application.
Meanwhile, work was going on to advance the previously built ad-hoc networks. GloMo
[8] (Global Mobile Information Systems) and the NTDR (Near-term Digital Radio) are
results of these efforts. GloMo was designed to provide an office environment with
Ethernet-type multimedia connectivity anywhere and anytime in handheld devices.
NTDR [9] is the only "real" non-prototypical ad-hoc network that is in use today. It uses
clustering and link-state routing, and is self-organized into a two-tier ad-hoc network.
Development of different channel access approaches now in the CSMA/CA and TDMA
molds, and several other routing and topology control mechanisms were some of the other
inventions of that time.
Later on, in the mid-1990s, the Mobile Ad Hoc Networking working group was formed within the Internet Engineering Task Force (IETF) to standardize routing protocols for ad-hoc networks. The development of routing within the working group and the larger community resulted in the invention of reactive and proactive routing protocols.
Soon after, the IEEE 802.11 subcommittee standardized a medium access protocol that was based on collision avoidance and tolerated hidden terminals, making it usable for building mobile ad-hoc network prototypes out of notebooks and 802.11 PCMCIA (Personal Computer Memory Card International Association) cards. Wireless local area network products (IEEE 802.11, Hiperlan) provide in-building wireless access; however, they are usually deployed as access links only, packet relaying being performed by traditional bridges or routers. Bluetooth is a low cost technology for short range communication; its market is targeted towards PCs, phones, appliances, watches, etc. It allows multiple nodes to connect to each other in a multi-hop arrangement.
Efforts are under way to standardize the different existing schemes for different network controls in a single framework which could be taken as a standard for all future applications utilizing ad-hoc networks as a networking technology. Wireless devices are getting smaller, cheaper, and more sophisticated. As these devices become more ubiquitous, organizations are looking for inexpensive ways to keep these devices connected. Building an ad-hoc network could make that happen.
Wireless Ad Hoc Networks can broadly be classified into three categories: Mobile ad-hoc
networks (MANETs), Wireless Sensor Networks, and Wireless Mesh Networks. Each one
of these has significance for different application areas; each of these differs in the capacity
and capabilities of nodes that participate in the network, the purpose of the network and the
communication protocols employed. The focus of this thesis is MANETs; from this point
onwards, the words MANETs and Wireless Ad Hoc Networks will be used
interchangeably.
notice, making it difficult to have a clear picture of the Ad Hoc network membership. In
such an environment, there is no guarantee that a path between two nodes would be free of
malicious nodes. These nodes would not comply with the employed protocol and would
attempt to harm the network operation. The presence of even a small number of adversarial
nodes could cause the entire network to collapse.
in use, thereby reducing the burden on the network when only a small subset of all
available routes is in use at any time. However, they still have some inherent limitations.
First, since routes are only maintained while in use, it is typically required to perform a
route discovery before packets can be exchanged between communication peers. This leads
to a delay for the first packet to be transmitted. Second, even though route maintenance for
reactive algorithms is restricted to the routes currently in use, it may still generate a
significant amount of network traffic when the topology of the network changes frequently.
Finally, packets en route to the destination are likely to be lost if the route to the destination
changes.
Hybrid Ad Hoc routing protocols such as ZRP combine local proactive routing and global
reactive routing in order to achieve a higher level of efficiency and scalability. However,
even a combination of both strategies still needs to maintain at least those network paths
that are currently in use, limiting the amount of topological changes that can be tolerated
within a given amount of time.
Position-based routing algorithms eliminate some of the limitations of topology-based routing by using additional information. They require that information about the physical position of the participating nodes be available. Commonly, each node determines its own position through the use of GPS or some other type of positioning service. A location service is used by the sender of a packet to determine the position of the destination and to include it in the packet's destination address.
The routing decision at each node is then based on the destination's position contained in the packet and the position of the forwarding node's neighbors. Position-based routing thus does not require the establishment or maintenance of routes. The nodes have neither to store routing tables nor to transmit messages to keep routing tables up to date. As a further advantage, position-based routing supports the delivery of packets to all nodes in a given geographic region in a natural way. This type of service is called geocasting.
Regardless of the approach to routing, a routing protocol should be able to automatically
recover from any problem in a finite amount of time without human intervention.
Conventional routing protocols are designed for nonmoving infrastructures and assume that
routes are bidirectional, which is not always the case for ad-hoc networks. Identification of
mobile terminals and correct routing of packets to and from each terminal while moving
are certainly challenging.
DSDV requires each node to periodically broadcast routing updates. The key advantage of DSDV over traditional distance vector protocols is that it guarantees loop-freedom.
Each DSDV node maintains a routing table listing the next hop for each reachable destination. DSDV tags each route with a sequence number and considers a route R1 more favorable than R2 if R1 has a greater sequence number, or if the two routes have equal sequence numbers but R1 has a lower metric. Each node in the network advertises a monotonically increasing even sequence number for itself. When a node B decides that its route to a destination D has broken, it advertises the route to D with an infinite metric and a sequence number one greater than its sequence number for the route that has broken (making an odd sequence number). This causes any node A routing packets through B to incorporate the infinite-metric route into its routing table until node A hears a route to D with a higher sequence number.
The structure of the routing table for this protocol is simple. Each table entry has a
sequence number that is incremented every time a node sends an updated message. Routing
tables are periodically updated when the topology of the network changes and are
propagated throughout the network to keep consistent information throughout the network.
Each DSDV [12] node maintains two routing tables: one for forwarding packets and one
for advertising incremental routing packets. The routing information sent periodically by a
node contains a new sequence number, the destination address, the number of hops to the
destination node, and the sequence number of the destination. When the topology of a
network changes, a detecting node sends an update packet to its neighboring nodes.
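The DSDV route-selection and broken-link rules described above, worked through in Python as an added example (not code from the thesis or from the DSDV specification); the three-node chain A - B - D, the node names and the demo function are constructed for illustration.

```python
from dataclasses import dataclass

INF = float("inf")  # DSDV's "infinite metric" marking a broken route


@dataclass
class Route:
    dest: str
    next_hop: str
    metric: float   # hop count; INF for a broken route
    seq: int        # destination sequence number: even = alive, odd = broken


def prefer(new: Route, old) -> bool:
    """DSDV route selection: a greater sequence number wins; on equal
    sequence numbers the lower metric wins. Freshness first is what keeps
    the protocol loop-free."""
    if old is None:
        return True
    if new.seq != old.seq:
        return new.seq > old.seq
    return new.metric < old.metric


class DsdvNode:
    def __init__(self, name: str):
        self.name = name
        self.own_seq = 0                               # advertised as an even number
        self.table = {name: Route(name, name, 0, 0)}   # dest -> Route

    def advertise(self):
        """Periodic update: bump the own (even) sequence number, send the table."""
        self.own_seq += 2
        self.table[self.name].seq = self.own_seq
        return [Route(r.dest, self.name, r.metric, r.seq) for r in self.table.values()]

    def receive(self, neighbor: str, update):
        """Incorporate a neighbor's entries, one hop further away than advertised."""
        for adv in update:
            metric = INF if adv.metric == INF else adv.metric + 1
            cand = Route(adv.dest, neighbor, metric, adv.seq)
            if prefer(cand, self.table.get(adv.dest)):
                self.table[adv.dest] = cand

    def link_down(self, neighbor: str):
        """The link to `neighbor` broke: every route through it is advertised
        with an infinite metric and sequence number + 1 (an odd number)."""
        update = []
        for r in self.table.values():
            if r.next_hop == neighbor and r.dest != self.name:
                r.metric, r.seq = INF, r.seq + 1
                update.append(Route(r.dest, self.name, INF, r.seq))
        return update


def demo():
    """Constructed chain A - B - D; returns A's entry for D before the break,
    while broken, and after D re-advertises itself."""
    a, b, d = DsdvNode("A"), DsdvNode("B"), DsdvNode("D")
    b.receive("D", d.advertise())      # B learns D: metric 1, seq 2
    a.receive("B", b.advertise())      # A learns D via B: metric 2, seq 2
    before = a.table["D"]
    a.receive("B", b.link_down("D"))   # B reports D unreachable: INF, seq 3 (odd)
    broken = a.table["D"]
    b.receive("D", d.advertise())      # D is back with seq 4 (even), which beats 3
    a.receive("B", b.advertise())
    after = a.table["D"]
    return before, broken, after
```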
through the network, each node that receives the UPDATE sets its height to a value greater than the height of the neighbor from which the UPDATE was received. This has the effect of creating a series of directed links from the original sender of the QUERY to the node that initially generated the UPDATE.
When a node discovers that a route to a destination is no longer valid, it adjusts its height so that it is a local maximum with respect to its neighbors and transmits an UPDATE packet. If the node has no neighbors of finite height with respect to this destination, then the node instead attempts to discover a new route as described above. When a node detects a network partition, it generates a CLEAR packet that resets routing state and removes invalid routes from the network. TORA is layered on top of IMEP, the Internet MANET Encapsulation Protocol, which is required to provide reliable, in-order delivery of all routing control messages from a node to each of its neighbors, plus notification to the routing protocol whenever a link to one of its neighbors is created or broken. To reduce overhead, IMEP attempts to aggregate many TORA and IMEP control messages (which IMEP refers to as objects) together into a single packet (as an object block) before transmission. Each block carries a sequence number and a response list of other nodes from which an ACK has not yet been received, and only those nodes ACK the block when receiving it; IMEP retransmits each block with some period, and continues to retransmit it if needed for some maximum total period, after which time the link to each unacknowledged node is declared down and TORA is notified. IMEP can also provide network layer address resolution, but we did not use this service, as we used ARP [19] with all four routing protocols. For link status sensing and maintaining a list of a node's
Each node that forwards the ROUTE REQUEST creates a reverse route for itself back to node S: after accepting a RREQ message, the destination or intermediate node updates its reverse route to the source node using the neighbor from which it received the RREQ message. The reverse route will be used to send the corresponding Route Reply (RREP) message to the source node. When the ROUTE REQUEST reaches a node with a route to D, that node generates a ROUTE REPLY that contains the number of hops necessary to reach D and the sequence number for D most recently seen by the node generating the REPLY. Meanwhile, it updates the sequence number of the source node in its routing table to the maximum of the one in its routing table and the one in the RREQ message. When the source or an intermediate node receives a RREP message, it updates its forward route to the destination node using the neighbor from which it received the RREP message. It also updates the sequence number of the destination node in its routing table to the maximum of the one in its routing table and the one in the RREP message. A Route Reply Acknowledgement (RREP-ACK) message is used to acknowledge receipt of a RREP message. The state created in each node along the path from S to D is hop-by-hop state; that is, each node remembers only the next hop and not the entire route, as would be done in source routing.
In order to maintain routes, AODV normally requires that each node periodically transmit a HELLO message, with a default rate of once per second. Failure to receive three consecutive HELLO messages from a neighbor is taken as an indication that the link to the neighbor in question is down. Alternatively, the AODV specification briefly suggests that a node may use physical layer or link layer methods to detect link breakages to nodes that it considers neighbors. When a link goes down, any upstream node that has recently
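The AODV route discovery just described (RREQ flood with duplicate suppression, reverse routes toward S, RREP walking them back to create forward routes, and the hop-by-hop state that results), modelled in Python as an added example; this is not the thesis's NS-2 code, the five-node topology and the Network/AodvNode classes are constructed, and HELLO-based link monitoring and RREP-ACK are left out.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Route:
    next_hop: str   # hop-by-hop state: only the next hop is stored, not the path
    hops: int
    seq: int        # most recently seen sequence number of the destination


class AodvNode:
    def __init__(self, name: str):
        self.name = name
        self.seq = 0          # own sequence number
        self.rreq_id = 0      # identifier of the last RREQ this node originated
        self.routes = {}      # dest -> Route
        self.seen = set()     # (origin, rreq_id) pairs already processed

    def install(self, dest: str, next_hop: str, hops: int, seq: int) -> None:
        """AODV update rule: an entry is replaced only by a greater sequence
        number, or by an equal one with fewer hops, so the stored sequence
        number is always the maximum of the known and the received value."""
        cur = self.routes.get(dest)
        if cur is None or seq > cur.seq or (seq == cur.seq and hops < cur.hops):
            self.routes[dest] = Route(next_hop, hops, seq)


class Network:
    """Constructed wireless topology: every link is bidirectional here."""

    def __init__(self, links):
        self.nodes = {}
        self.adj = defaultdict(set)
        for a, b in links:
            self.adj[a].add(b)
            self.adj[b].add(a)
            for x in (a, b):
                self.nodes.setdefault(x, AodvNode(x))

    def discover(self, src: str, dst: str) -> bool:
        """Flood a RREQ from src. Each node creates a reverse route toward
        src from the neighbor it heard the RREQ from; the destination (or a
        node that already has a route to dst) answers with a RREP."""
        s = self.nodes[src]
        s.seq += 1
        s.rreq_id += 1
        s.seen.add((src, s.rreq_id))
        rreq = {"origin": src, "origin_seq": s.seq, "id": s.rreq_id, "hops": 0}
        queue = deque((src, n, rreq) for n in sorted(self.adj[src]))
        while queue:
            prev, cur, msg = queue.popleft()
            node = self.nodes[cur]
            key = (msg["origin"], msg["id"])
            if key in node.seen:
                continue                               # duplicate RREQ suppressed
            node.seen.add(key)
            hops = msg["hops"] + 1
            node.install(msg["origin"], prev, hops, msg["origin_seq"])  # reverse route
            known = node.routes.get(dst)
            if cur == dst:
                self._send_rrep(cur, src, dst, 0, node.seq)
            elif known is not None:                    # intermediate node with a route
                self._send_rrep(cur, src, dst, known.hops, known.seq)
            else:
                fwd = dict(msg, hops=hops)
                queue.extend((cur, n, fwd) for n in sorted(self.adj[cur]) if n != prev)
        return dst in s.routes

    def _send_rrep(self, at: str, origin: str, dest: str, hops: int, dest_seq: int):
        """Unicast the RREP along the reverse routes back to the originator;
        every node it passes installs a forward route to dest."""
        while at != origin:
            nxt = self.nodes[at].routes[origin].next_hop
            hops += 1
            self.nodes[nxt].install(dest, at, hops, dest_seq)
            at = nxt

    def path(self, src: str, dst: str):
        """Follow the per-node next hops from src to dst (hop-by-hop state)."""
        out, at = [src], src
        while at != dst:
            at = self.nodes[at].routes[dst].next_hop
            out.append(at)
        return out


def demo():
    """Constructed topology S-A-B-D with a second branch S-C-B."""
    net = Network([("S", "A"), ("A", "B"), ("B", "D"), ("S", "C"), ("C", "B")])
    found = net.discover("S", "D")
    return net, found
```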
Secondly, the attacks can target the information itself, where interception and eavesdropping come naturally to mind. Of a more active nature among these attacks is the creation of false messages injected into networks. Also the denial or degradation of network services is a form of active attack on the information level. Application level attacks such as Trojan horses, viruses and the like are also included in this category.
The physical attacks are the third category. The passive kind in this category can be radiation interception or inductive wiretapping. The more hands-on attacks include theft of equipment, cryptographic or physical keys, and different storage media. Other kinds of attacks are social engineering, or attacks as drastic as destruction using explosives or other physical force [3].
being held so that someone can overhear secret information, or shoulder surfing, that is, someone reading the computer screen or keyboard from behind while passwords or the like are being entered. Human forgetfulness can also be of some help to the attacker. It is not uncommon for individuals to write down passwords and user details on post-it notes and at a later time throw them away in garbage cans. The retrieval of this kind of information can help attackers guess the correct passwords to system resources. This kind of attack has acquired the common name of dumpster diving [3].
itself and when the actual data packets get there they are simply dropped, forming a black
hole where data enters but never leaves.
Another possibility is for the attacker to forge routes pointing into an area where the
destination node is not located. Everything will be routed into this area but nothing will
leave also creating a sort of black hole.
Grey Hole
A special case of the black hole attack is the grey hole attack [35,6,10]. In this attack the adversary selectively drops some kinds of packets but not others. For example, the attacker might forward routing packets but not data packets.
Partitioning
Another kind of attack is for the attacker to create a network partition in which one set of nodes is split off so that it cannot communicate with another set of nodes. By analysing the network topology the attacker can choose the partitioning between the sets of nodes that does the most harm to the system.
This attack can be accomplished in many ways: by forging routing packets as in the previous attacks, but also by using some physical attack such as radio jamming.
Blackmail
Some Ad Hoc routing protocols try to handle the security problems by keeping lists of possibly malicious nodes. Each node has a blacklist of what it thinks are bad nodes and thereby avoids using them when setting up routing paths. An attacker might try to blackmail a good node, causing other good nodes to add this node to their blacklists and so avoid it.
Wormhole
In the wormhole attack an attacker uses a pair of nodes connected in some way. It can be a special private connection, or the packets are tunnelled over the Ad Hoc network. Every packet that one of the nodes sees is forwarded to the other node, which in turn broadcasts it out. This might create short circuits for the actual routing in the Ad Hoc network and thereby create some routing problems.
Also, all the data can be selectively forwarded or not using this attack, thereby controlling the Ad Hoc network to a large extent. This kind of attack together with a partitioning attack can gain almost complete control over the network traffic.
Rushing Attack
Many reactive routing protocols keep a sequence number for duplication suppression at
every node. An attacker can distribute a large number of route requests with increasing
sequence numbers forged to appear to be from other nodes. This way when the actual route
request is sent out many nodes suppress it as a duplicate and thereby disrupt the actual
route discovery.
Resource Consumption
By injecting extra data packets into the Ad Hoc network, limited resources such as bandwidth and maybe battery power are consumed for no reason. Even more resources might be consumed by injecting extra control packets, since these might lead to additional computation. Also, the other nodes might forward control information as it comes in, resulting in even more resource consumption [4].
For devices that try to conserve battery power by only occasionally enabling their communication device, a malicious attacker might communicate in an ordinary way but with the only intent of draining battery power. Stajano and Anderson call this resource consumption attack sleep deprivation torture [5].
Confidentiality
Authentication
Availability
Integrity
Non-Repudiation
Certainty of discovery
Isolation
Lightweight computations
Location
Self
Byzantine robustness
routing packets, causing erroneous routing table updates and thus misrouting. Some other
security vulnerabilities of ad-hoc networks are:
Limited computational capabilities: Typically, nodes in ad-hoc networks are modular,
independent, and limited in computational capability and therefore may become a source of
vulnerability when they handle public-key cryptography during normal operation.
Limited power supply: Since nodes normally use batteries as their power supply, an intruder can exhaust the batteries by creating additional transmissions or excessive computations to be carried out by nodes.
Challenging key management: Dynamic topology and movement of nodes in an Ad Hoc
network make key management difficult if cryptography is used in the routing protocol.
Even if such services were assumed, their availability would not be guaranteed, either due
to the dynamically changing topology that could easily result in a partitioned network or
due to congested links close to the node acting as a server. Furthermore, performance
issues such as delay constraints on acquiring responses from the assumed infrastructure
would pose an additional challenge.
The absence of infrastructure and the consequent absence of authorization facilities impede the usual practice of establishing a line of defense, separating nodes into trusted and non-trusted. Such a distinction would have been based on a security policy, the possession of the necessary credentials and the ability of nodes to validate them. In the MANET context, there may be no ground for an a priori classification, since all nodes are required to cooperate in supporting the network operation, while no prior security association can be assumed for all the network nodes. Additionally, in MANETs freely roaming nodes form transient associations with their neighbors, and join and leave MANET sub-domains independently and without notice. Thus it may be difficult in most cases to have a clear picture of the Ad Hoc network membership. Consequently, especially in the case of a large-size network, no form of established trust relationships among the majority of nodes could be assumed.
In such an environment, there is no guarantee that a path between two nodes would be free of malicious nodes, which would not comply with the employed protocol and would attempt to harm the network operation. The mechanisms currently incorporated in MANET routing protocols cannot cope with disruptions due to malicious behavior. For example, any node could claim that it is one hop away from the sought destination, causing all routes to the destination to pass through itself. Alternatively, a malicious node could corrupt any in-transit route request (reply) packet and cause data to be misrouted.
The presence of even a small number of adversarial nodes could result in repeatedly compromised routes, and, as a result, the network nodes would have to rely on cycles of time-out and new route discoveries to communicate. This would incur arbitrary delays before the establishment of a non-corrupted path, while successive broadcasts of route requests would impose excessive transmission overhead. In particular, intentionally falsified routing messages would result in a denial-of-service (DoS) experienced by the end nodes. The proposed scheme combats such types of misbehavior and safeguards the acquisition of topological information.
disrupt network activity and avoid detection. Malicious nodes may behave maliciously only intermittently, further complicating their detection. A node that sends out false routing information could be one that has been compromised, or merely one that has a temporarily stale routing table due to volatile physical conditions. Dynamic topologies make it difficult to obtain a global view of the network, and any approximation can quickly become outdated. Traffic monitoring in wired networks is usually performed at switches, routers and gateways, but an Ad Hoc network does not have these types of network elements where the IDS can collect audit data for the entire network. Network traffic can be monitored on a wired network segment, but Ad Hoc nodes or sensors can only monitor network traffic within their observable radio transmission range. NIST is working with the University of Maryland Baltimore County (UMBC) to simulate, implement, and test various MANET IDSs.
performs well at all mobility rates and movement speeds. However, we argue that their definition of mobility (pause time) does not truly represent the dynamic topology of MANETs. In this thesis, the work of Stamouli et al. [10] has been extended and the proposed protocol is called IDAODV (Intrusion Detection AODV).
In our work, we make use of knowledge-based intrusion detection. Our Intrusion Detection and Response Protocol for MANETs has been demonstrated to perform better than that proposed in [10] in terms of false positives and percentage of packets delivered. Since the earlier work by Stamouli et al. [10] does not report the true positive rate, i.e. the detection rate, we could not compare our results against that parameter with their method.
The implementation of the IDAODV protocol reported in this thesis has been shown to work in real-life scenarios. IDAODV performs real-time detection of attacks in MANETs running the AODV routing protocol. The prototype has also given some insight into the problems that arise when trying to run real applications on an Ad Hoc network.
Experimental results validate the ability of our protocol to successfully detect both local and distributed attacks against the AODV routing protocol, with a low number of false positives. The algorithm also imposes a very small overhead on the nodes, which is an important factor for resource-constrained nodes.
The motivation and problem statement are defined in this chapter. Chapter 2 discusses the specific problem of intrusion detection in MANETs and reviews the methods proposed in the literature.
We make two contributions in this thesis. The first is detection of intrusions in the form of attacks on the routing infrastructure: dropping of packets and sequence number attacks. This is described and analyzed in Chapter 3. The second type of attack is the resource depletion attack, which is described and analyzed in Chapter 4. Conclusions are drawn in Chapter 5 along with discussions of possible future extensions.
Appendix A contains the terminology, Appendix B contains the AODV implementation for NS-2 and Appendix C contains pseudo code.
active interfering, impersonation, and denial-of-service. Intrusion prevention measures, such as strong authentication and redundant transmission, can be used to address some of these attacks. However, these techniques can address only a subset of the threats, and, moreover, are costly to implement.
The dynamic nature of Ad Hoc networks suggests that prevention techniques should be complemented by detection techniques that monitor the security status of the network and identify anomalous and/or malicious behavior. These techniques are usually less expensive to implement and can be easily deployed in existing Ad Hoc networks without requiring modifications to the nodes' configuration or the routing protocols being used.
2.2 Motivation
Adoption of intrusion detection systems is motivated by several factors, some of which are listed below:
1. Surveys have shown that most computers are flawed by vulnerabilities, regardless
of manufacturer or purpose, that the number of security incidents is continuously
increasing, and that users and administrators are generally very slow in applying
fixes to vulnerable systems. As a consequence, many experts believe that computer
systems will never be absolutely secure.
2. Deployed security mechanisms e.g. authentication and access control may be
disabled as a consequence of misconfiguration or malicious actions.
3. Users of the system may abuse their privileges and perform damaging activities.
4. Even if an attack is not successful, in most cases it is useful to be aware of the
compromise attempt.
Intrusion detection systems (IDS) are software applications dedicated to detecting intrusions against a target network. IDS are designed to address the issues discussed above; they are not intended to replace traditional security methods, but to complement and complete them.
An intrusion detection system must fulfill the following requirements [36,20]:
Accuracy: An IDS must not identify a legitimate action in a system environment as an anomaly or a misuse (a legitimate action identified as an intrusion is called a false positive).
Performance: The performance of the IDS must be sufficient to carry out real-time intrusion detection (real-time means an intrusion must be detected before significant damage has occurred). As per the literature, this should be under a minute.
Completeness: An IDS should not fail to detect an intrusion (an undetected intrusion is called a false negative). Arguably this requirement is rather difficult to fulfill because it is almost impossible to have global knowledge about past, present and future attacks. An IDS should, however, minimize false negatives.
Fault-tolerance: An IDS must itself be resistant to attacks.
Scalability: An IDS must be able to process the worst-case number of events without dropping information. This point is especially relevant for systems that correlate events from different sources at a small number of dedicated hosts. As networks grow bigger and get faster, such nodes become overwhelmed by the increasing number of events.
variations on those attacks. This means that this approach can be applied against known attack patterns only, and the knowledge base must be updated frequently.
Anomaly detection has the advantage of being able to detect attempts to exploit new and unforeseen vulnerabilities without a priori knowledge of explicit security flaws. This advantage is paid for in terms of the large number of false positives generated: the entire scope of system behavior may not be covered during the learning phase, and legitimate behavior may change over time. It also comes with the difficulty of training a system with respect to a highly dynamic environment; obviously a finite training period is also needed. The assumption that the system in question is free of anomalies during the training period also may not always be true.
Besides the fields common with DSDV such as destination, metric, next hop and sequence
number, SEAD routing tables maintain a hash value for each entry. The use of one-way
hash chains using a one-way hash function H is the key feature of the proposed security
protocol.
Each node computes a list of hash values h0, h1, , hn, where hi = H(hi-1), 0 < i < n, based
on initial random value h0. The paper assumes the existence of a mechanism for
distributing hn, to all the intended receivers. If a node knows H and a trusted value hn, then
it can authenticate any other value hi, 0 < i n by successively applying the hash function
H and then comparing the result with hn.
To authenticate a route update, a node adds a hash value to each routing table entry. For a
metric j and a sequence number i, the hash value hn-mi+j is used to authenticate the routing
update entry for that sequence number, where, m-1 is the maximum network diameter.
Since an attacker cannot compute a hash value with a smaller index than the advertised
value, he is not able to advertise a route to the same destination with a greater sequence
number or with a better metric.
SEAD provides a robust protocol against attackers trying to create incorrect routing state in
other nodes by modifying the sequence number or the routing metric. SEAD does not
provide a way to prevent an attacker from tampering with the next hop or destination field
in a routing update. Also, it cannot prevent an attacker from reusing the same metric and
sequence number learnt from some recent update message to send a new routing update
for a different destination.
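The following Python program is an added example, not code from this thesis or from the SEAD paper, that carries the hash-chain mechanism just described through in working code. SHA-256 stands in for the one-way function H (the text fixes no particular H), the function names, the chain length n = 20, the diameter parameter m = 5 and the seed value are all constructed here. It shows why a receiver that trusts h_n can verify an honestly forwarded entry (same sequence number, metric incremented by one, hash applied once) but rejects any entry that claims a better metric or a greater sequence number while reusing an already published hash value.

```python
import hashlib


def H(x: bytes) -> bytes:
    """The one-way hash function H; SHA-256 stands in here (the page fixes no particular H)."""
    return hashlib.sha256(x).digest()


def build_chain(h0: bytes, n: int) -> list:
    """Return [h_0, h_1, ..., h_n] with h_i = H(h_{i-1}); only the originator knows low indices."""
    chain = [h0]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def chain_index(seq: int, metric: int, n: int, m: int) -> int:
    """Index of the chain element that authenticates (sequence number seq, metric): n - m*seq + metric.
    m - 1 is the maximum network diameter, so a metric lies in 0 .. m-1; a better metric or a
    greater sequence number always maps to a smaller index."""
    if not 0 <= metric < m:
        raise ValueError("metric outside 0 .. m-1")
    idx = n - m * seq + metric
    if not 0 <= idx <= n:
        raise ValueError("sequence number not covered by this chain")
    return idx


def authenticate(value: bytes, idx: int, hn: bytes, n: int) -> bool:
    """A node that trusts h_n checks a claimed h_idx by applying H (n - idx) times."""
    if not 0 <= idx <= n:
        return False
    x = value
    for _ in range(n - idx):
        x = H(x)
    return x == hn


def verify_update(value: bytes, seq: int, metric: int, hn: bytes, n: int, m: int) -> bool:
    """Accept an advertised (seq, metric, hash) entry only if the hash is the element SEAD prescribes
    for that pair. A greater seq or a smaller metric needs a lower-index element, i.e. a preimage
    under H, which a forger cannot compute from the values it has seen."""
    try:
        idx = chain_index(seq, metric, n, m)
    except ValueError:
        return False
    return authenticate(value, idx, hn, n)


def forward_entry(value: bytes, metric: int):
    """An honest node re-advertising an entry hashes once and adds one to the metric (same seq)."""
    return H(value), metric + 1


def demo(n: int = 20, m: int = 5) -> dict:
    """Constructed scenario: the originator publishes (seq 1, metric 0), a neighbour forwards it,
    and a forger reuses the forwarded hash to claim a better metric or a greater sequence number."""
    chain = build_chain(b"constructed-random-seed", n)   # h_0 is a constructed random value
    hn = chain[n]                                         # the value assumed to be distributed to all
    h_adv = chain[chain_index(1, 0, n, m)]                # originator's own entry: h_{n - m}
    h_fwd, metric_fwd = forward_entry(h_adv, 0)           # neighbour re-advertises as metric 1
    return {
        "original_ok": verify_update(h_adv, 1, 0, hn, n, m),
        "forwarded_ok": verify_update(h_fwd, 1, metric_fwd, hn, n, m),
        "worse_metric_reused_hash": verify_update(h_adv, 1, 2, hn, n, m),
        "forged_better_seq": verify_update(h_fwd, 2, 1, hn, n, m),
        "forged_better_metric": verify_update(h_fwd, 1, 0, hn, n, m),
    }
```

Note that the check is purely on the hash index: the receiver never needs the originator's h_0, and the two limitations listed in the text (next hop and destination are not covered, and a valid hash can be replayed for a different destination) remain exactly because those fields do not enter the index.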
Node Isolation: Node isolation refers to preventing a given node from communicating
with any other node in the network. It differs from Route Disruption in that Route
Disruption targets a route with two given endpoints, while node isolation targets all
possible routes.
Resource Consumption: Resource consumption refers to consuming the
Denial of Service
To achieve these goals, the following misuse actions or attacks may be performed:
The attack can also be applied to data packets, where an inside attacker prevents a victim
node from receiving data packets from other nodes for a short period of time. The attacker
may make the following modifications after it receives a RREQ message from the victim
node: (1) increase the RREQ ID by a small number; (2) replace the destination IP address
with a non-existent IP address; (3) increase the source sequence number by at least one; (4)
set the source IP address in the IP header to a non-existent IP address. The attacker then
broadcasts the forged message. When the neighbors of the attacker receive the faked RREQ
message, they update the next hop to the source node to the non-existent node, since the
faked RREQ message will have a greater source sequence number. Due to the non-existent
destination IP address, the faked message can be broadcast to the farthest nodes in the ad hoc
network. When other nodes want to send data packets to the source node, they will use
the routes established by the faked RREQ message, and the data packets will be dropped
due to the non-existent node. This attack, however, cannot fully isolate the victim node due
to the local repair mechanism in the AODV protocol. The other nodes will initiate another
round of route discovery if they notice that the data packets cannot be delivered successfully.
In addition, the victim node
(Figure: RREQ broadcast among nodes A, B and D; the diagram itself is not recoverable from the text.)
The attacker can modify other fields in a RREQ or RREP message. Some of these are:
(Table: RREQ Message Field / Modifications. Fields listed: Type, RREQ ID, Hop Count,
Destination IP Address, Source IP Address; the Modifications column is not recoverable
from the text.)
one is smaller than the one in its routing table. An inside attacker may increase the
sequence numbers or decrease the hop count in a faked RREQ message to update other
nodes' routing tables, or decrease the sequence numbers or increase the hop count to
invalidate a RREQ message.
The attacker can also forge an RREP message, as if it had a fresh enough route to the
destination node. By increasing the destination sequence number, the attacker may suppress
the legitimate RREP message.
3.2
Our method is based on the work presented in [10]. Like RIDAN, our method uses Finite
State Machines to enable the real-time detection of active attacks. However, RIDAN does
not offer a distributed architecture for detecting attacks that require more than one-hop
information.
IDAODV can be characterized as an architecture model for intrusion detection in
wireless Ad Hoc networks. We call this an architecture model because it does not perform
any change in the underlying routing protocol but merely intercepts routing and application
traffic.
IDAODV has been implemented on top of AODV, which has recently become an Internet
standard. However, the attacks that the IDAODV is designed to detect are specific to the
AODV protocol. The process of detecting the attacks and the overall architecture can be
extended to operate with ease with other protocols like DSR.
The system follows a knowledge-based technique to detect network intrusions. The use of
a Finite State Machine (FSM) enables the system to detect malicious activity in real time
rather than relying on statistical analysis of previously captured traffic.
A finite state machine can be defined as an abstract machine consisting of a set of states
(including the initial state), a set of input events, a set of output events, and a state
transition function [25]. The function takes the current state and an input event and returns
the new set of output events and the next state. The state machine can also be viewed as a
function, which maps an ordered sequence of input events into a corresponding sequence of
output events.
The intrusion detection component operates locally in every participating node and thus its
performance depends on the network traffic. Based on the number of packets received in
any time unit, more than one FSM that are part of the intrusion detection component may
be triggered.
The FSM was constructed after studying the internal operations of the AODV routing
protocol. In order to recognize the traffic patterns occurring when a malicious attack is
performed against the routing fabric, the traffic for the protocol was analyzed in both its
static and mobile conditions.
3.3 Assumptions
We make the following assumptions. They are realistic and can easily be realized in
MANETs.
o Every link between the participating nodes is bidirectional
o The MAC addresses of the participating nodes remain unchanged.
o Duplicate MAC addresses are not present.
o Network monitor is able to cover all nodes. Monitors passively listen to the routing
messages and are discussed subsequently.
o Nodes can listen to transmissions from immediate neighbors.
o All the participating nodes other than the malicious nodes have the intrusion detection
component activated.
(Figure: active IDS architecture. Labels recoverable from the figure: Intruder, Attack, Public
Network, Active IDS Monitor, Knowledge Base, nodes A and S; the diagram itself is not
recoverable from the text.)
Figure 3.3 depicts the architecture of a network monitor. Network monitors passively listen
to IDAODV routing messages and detect incorrect RREQ and RREP messages.
Messages are grouped based on the request-reply flow to which they belong. A request-reply
flow can be uniquely identified by the RREQ ID and the source and destination IP
addresses.
(Figure 3.3: network monitor architecture. Blocks recoverable from the figure: Packets,
Forwarding Table, Session Tree, FSM Constraints, Detect Anomaly, Updates, NM if needed;
the diagram itself is not recoverable from the text.)
A network monitor employs a finite state machine (FSM) [26] for detecting incorrect
RREQ and RREP messages [21, 27, 28, 29]. It maintains an FSM for each branch of a
request-reply flow. A request flow starts at the Source state. It transits to the RREQ
Forwarding state when a source node broadcasts the first RREQ message (with a new
RREQ ID). When a forwarded broadcast RREQ is detected, it stays in the RREQ
Forwarding state until a corresponding RREP is detected. Then, if a unicast RREP is
detected, it goes to the RREP Forwarding state and stays there until the reply reaches the
source node and the route is set up. If any suspicious activity or an anomaly is detected, it
goes to the Suspicious or Alarm state.
When an NM compares a new packet with the old corresponding packet, the primary goal
of the constraints is to make sure that the AODV header of the forwarded control packets is
not modified in an undesired manner. If an intermediate node responds to the request, the
NM will verify this response from its forwarding table as well as with the constraints in
order to make sure that the intermediate node is not lying. In addition, the constraints are
used to detect packet drop and spoofing. The finite state machine is depicted in Figure 3.4.
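The following Python program is an added example, not code from this thesis or from IDAODV, that turns the per-flow FSM above (and the general FSM definition of the previous section) into a runnable network monitor, and then feeds it the forged-RREQ and forged-RREP cases described earlier in this chapter. Everything in it is constructed: the message layouts, the node names, the monitor's forwarding-table view (`known_routes`), and the convention that `sender` is the transmitting node as resolved from the frame's IP-MAC binding (the assumptions section states that monitors cover all nodes and that MAC addresses are fixed and unique). Timer-driven states (Dropped/Lost, Out of Range) are left out because they need a clock; the constraints on the AODV header of forwarded packets, on the replying node's forwarding table, and on the session tree are the ones the text describes.

```python
from collections import namedtuple

# FSM states of one request-reply flow, named as on the page.
SOURCE, RREQ_FWD, RREP_FWD, SUSPICIOUS, ALARM = (
    "Source", "RREQ Forwarding", "RREP Forwarding", "Suspicious", "Alarm")

# Constructed message layouts; `sender` is the transmitting node taken from the frame's IP-MAC binding.
RREQ = namedtuple("RREQ", "rreq_id hop_count dst_ip dst_seq src_ip src_seq sender")
RREP = namedtuple("RREP", "hop_count dst_ip dst_seq src_ip sender next_hop")


class Flow:
    """State kept per request-reply flow: FSM state, last messages seen, session tree."""
    def __init__(self):
        self.state, self.last_rreq, self.last_rrep, self.tree = SOURCE, None, None, set()


class NetworkMonitor:
    """One FSM per request-reply flow, keyed by (RREQ ID, source IP, destination IP)."""
    def __init__(self, monitored, known_routes):
        self.monitored = monitored          # nodes with a valid IP-MAC binding at this monitor
        self.known_routes = known_routes    # {(node, dst): dst_seq}: the monitor's forwarding-table view
        self.flows, self.saved_id, self.alerts = {}, {}, []

    def _alarm(self, flow, msg):
        flow.state = ALARM
        self.alerts.append(msg)
        return flow.state

    def on_rreq(self, m):
        key = (m.rreq_id, m.src_ip, m.dst_ip)
        flow = self.flows.get(key)
        if flow is None:                                    # first copy: must be the source's own broadcast
            flow = self.flows[key] = Flow()
            if m.sender not in self.monitored:
                return self._alarm(flow, f"{key}: sender {m.sender} has no monitored IP-MAC binding")
            if m.hop_count != 0 or m.sender != m.src_ip:
                return self._alarm(flow, f"{key}: new RREQ not originated by {m.src_ip} "
                                         f"(sender {m.sender}, HC {m.hop_count})")
            if m.rreq_id < self.saved_id.get(m.src_ip, 0):
                return self._alarm(flow, f"{key}: RREQ ID below the saved ID for {m.src_ip}")
            self.saved_id[m.src_ip] = m.rreq_id
            flow.tree.add(m.src_ip)
            flow.last_rreq, flow.state = m, RREQ_FWD
            return flow.state
        old = flow.last_rreq                                # forwarded copy: header must be unmodified
        if (m.src_seq, m.dst_seq) != (old.src_seq, old.dst_seq):
            return self._alarm(flow, f"{key}: sequence numbers changed by {m.sender}")
        if m.hop_count < old.hop_count:
            return self._alarm(flow, f"{key}: hop count decreased by {m.sender}")
        if m.hop_count > old.hop_count + 1:
            flow.state = SUSPICIOUS                         # HC inconsistent with what was heard so far
        flow.tree.add(m.sender)                             # the forwarder joins the session tree
        flow.last_rreq = m
        return flow.state

    def _find_flow(self, src_ip, dst_ip):
        live = [(k, f) for k, f in self.flows.items()
                if k[1:] == (src_ip, dst_ip) and f.state in (RREQ_FWD, SUSPICIOUS, RREP_FWD)]
        return max(live, key=lambda kf: kf[0][0])[1] if live else None

    def on_rrep(self, m):
        flow = self._find_flow(m.src_ip, m.dst_ip)
        if flow is None:
            self.alerts.append(f"RREP from {m.sender} for {m.dst_ip}: no matching request flow")
            return ALARM
        if flow.state != RREP_FWD:                          # first reply on this flow
            if m.dst_seq < flow.last_rreq.dst_seq:
                return self._alarm(flow, f"RREP from {m.sender}: destination sequence older than requested")
            if m.sender != m.dst_ip:                        # intermediate node answering from its own table
                known = self.known_routes.get((m.sender, m.dst_ip))
                if known is None or m.dst_seq > known:
                    return self._alarm(flow, f"RREP from {m.sender}: claims seq {m.dst_seq}, "
                                             f"its forwarding table holds {known}")
        else:                                               # unicast RREP forwarded on the reverse path
            old = flow.last_rrep
            if m.sender != old.next_hop or m.dst_seq != old.dst_seq or m.hop_count != old.hop_count + 1:
                return self._alarm(flow, f"forwarded RREP from {m.sender}: header or path modified")
        if m.next_hop not in flow.tree:
            return self._alarm(flow, f"RREP from {m.sender}: next hop {m.next_hop} not in the session tree")
        flow.last_rrep, flow.state = m, RREP_FWD
        return flow.state


def run_scenarios():
    """Constructed traffic: an honest discovery A-B-C-D, then the two forgeries the chapter describes."""
    nm = NetworkMonitor(monitored={"A", "B", "C", "D"}, known_routes={("C", "D"): 7})
    for r in (RREQ(1, 0, "D", 5, "A", 10, "A"), RREQ(1, 1, "D", 5, "A", 10, "B"),
              RREQ(1, 2, "D", 5, "A", 10, "C")):
        nm.on_rreq(r)
    for r in (RREP(0, "D", 8, "A", "D", "C"), RREP(1, "D", 8, "A", "C", "B"),
              RREP(2, "D", 8, "A", "B", "A")):
        nm.on_rrep(r)
    honest_alerts = list(nm.alerts)
    # B rebroadcasts A's request with RREQ ID + 1, a non-existent destination and a higher source
    # sequence number; the frame still carries B's MAC, so the monitor attributes it to B.
    forged_rreq = nm.on_rreq(RREQ(2, 0, "10.0.0.99", 5, "A", 11, "B"))
    # C answers a fresh request for D with a destination sequence number above what its table holds.
    nm.on_rreq(RREQ(3, 0, "D", 5, "A", 12, "A"))
    forged_rrep = nm.on_rrep(RREP(0, "D", 50, "A", "C", "A"))
    return {"honest_alerts": honest_alerts, "forged_rreq": forged_rreq,
            "forged_rrep": forged_rrep, "alerts": nm.alerts}
```

The honest exchange leaves every flow in RREP Forwarding with no alert; the forged RREQ is caught at the first check on a new flow (hop count 0 but not transmitted by the claimed source), and the forged RREP is caught by comparing the claimed destination sequence number against the monitor's forwarding-table view of the replying node, which is the "intermediate node is not lying" check of the text.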
Stamouli [10] did not use a network monitor to trace the RREQ and RREP messages of a
request-reply flow in a distributed network, whereas the proposed FSM uses the flows
described above (Figure 3.3).
(Figure 3.4: finite state machine of a network monitor, as far as recoverable from the figure
labels. States: Source, RREQ forwarding, RREP forwarding, Suspicious, Alarm, Spoofing,
RERR, Dropped/Lost, Out of Range. Transitions: Source to RREQ forwarding on an RREQ
from the source; RREQ forwarding to RREP forwarding on an RREP broadcast by an
intermediate node with no anomaly detected, otherwise it stays in RREQ forwarding if the
message is an RREQ; to Spoofing if SN/HC is forged; to Suspicious if SN/HC is not
consistent; to RERR on an RERR from an intermediate node; from Suspicious to
Dropped/Lost if no forwarding is heard from a neighboring NM, otherwise Out of Range;
to Alarm when an anomaly is detected.)
(Flowchart, RREQ handling, recovered labels: on a detected new RREQ, check that HC = 0
and that the sender's IP-MAC belongs to a monitored node, compare the RREQ ID with the
saved ID, then update the node info and create the session tree; on a detected forwarded
RREQ, retrieve the session tree (no tree found is an anomaly) and check Dest IP, Sqn and
HC against the saved values, any mismatch being an anomaly.)
(Flowchart, RREP handling, recovered labels: get the session tree using Dest_IP in the RREP
(no tree found is an anomaly); check that the replying node and the next hop IP are in the
tree; if the RREP initiator IP equals the Dest IP, analyze the destination, otherwise send an
inquiry message.)
We ran simulations to evaluate IDS performance in both static and mobile conditions. The
nodes chosen as NMs were static in both cases because it is assumed that an NM does not
leave its assigned monitoring area. New RREQ for which the source node is not registered
at the neighboring NM, forwarded RREP unicast by an intermediate node and no anomaly
detected. The IDS traced the different RREQ and RREP flows initiated by the nodes. The
IDS delayed route discovery because of the additional monitoring messages and the
processing overhead in the monitoring nodes.
3.4.4 Algorithms
For the intrusion detection to identify the sequence number attack, we analyzed two
algorithms.
3.4.4.1 Notations
The following notations have been used for the description of the algorithms.
For a set of paths denoted by P, where a path P is an ordered set of nodes:
The length of P is defined in terms of the number of hops and is denoted by |P|.
For 0 ≤ i ≤ |P|, P[i] is the i-th node in the path.
3.4.4.2 Assumptions
1. Pi, Pj P, Pi Pj
e.g. if P1 = {A, B, C} and P2 = {A, B, C, D}, remove P1
2. Pi, Pj P, Pi[|Pi| - 1] Pj, |Pj|
e.g. if P1 = {A, B, C} and P2 = {A, B, D, E}, remove C from P1
3. Pi P, |Pi| > 1
3.4.4.3
For each p ∈ P, check p[|p|].
If an ACK is not received from p[i+1] but is received from p[i], 0 ≤ i < |p|, select p[i].
3.4.4.4
Search the next shortest path, pa, to p[i+1] without going through p[i].
If p[i+1] is responsive, check p[i] over pa → p[i+1] → p[i]. If p[i] is responsive, p[i]
is Bad. Otherwise the link p[i+1]–p[i] is broken.
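The probe procedure of 3.4.4.3 and 3.4.4.4, as an added example that is not the thesis's own code: it walks a path until the first node that acknowledges while its successor does not, finds an alternate shortest path to the successor that avoids the suspect, and then probes the suspect back over that detour to separate a dropping node from a broken link. The `ProbeNet` simulator, its ACK model (a bad node drops packets it should forward but answers probes addressed to itself; a broken link carries nothing), the node names and the `undecided` outcome when no detour exists are all constructed here. The last case in `demo` reproduces the blind spot the thesis notes later: two consecutive bad nodes, where the second hides the first.

```python
from collections import deque


class ProbeNet:
    """Constructed topology for the probe procedure (an assumption, not the thesis's simulator).
    Nodes in `bad` silently drop packets they should forward but still answer probes addressed to
    them; links in `broken` carry nothing in either direction."""
    def __init__(self, edges, bad=(), broken=()):
        self.adj = {}
        for a, b in edges:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.bad = set(bad)
        self.broken = {frozenset(e) for e in broken}

    def ack(self, path):
        """True iff a probe sent along `path` reaches path[-1] and the ACK comes back."""
        for a, b in zip(path, path[1:]):
            if b not in self.adj.get(a, ()) or frozenset((a, b)) in self.broken:
                return False
        return not any(n in self.bad for n in path[1:-1])   # a bad intermediate node drops it

    def shortest_path(self, src, dst, avoid):
        """BFS for the next shortest path from src to dst that does not go through `avoid`."""
        prev, queue = {src: None}, deque([src])
        while queue:
            n = queue.popleft()
            if n == dst:
                path = []
                while n is not None:
                    path.append(n)
                    n = prev[n]
                return path[::-1]
            for nb in sorted(self.adj.get(n, ())):
                if nb != avoid and nb not in prev:
                    prev[nb] = n
                    queue.append(nb)
        return None


def locate_fault(net, p):
    """Steps 3.4.4.3 and 3.4.4.4 over path p = [p[0], ..., p[|p|]]: find the first i with an ACK
    from p[i] but none from p[i+1], then tell a bad p[i] from a broken link p[i]-p[i+1].
    Returns ("ok", None), ("bad", node), ("broken", (a, b)) or ("undecided", node)."""
    if net.ack(p):
        return ("ok", None)
    for i in range(len(p) - 1):
        if net.ack(p[:i + 1]) and not net.ack(p[:i + 2]):
            pa = net.shortest_path(p[0], p[i + 1], avoid=p[i])
            if pa is None or not net.ack(pa):
                return ("undecided", p[i])              # p[i+1] cannot be reached another way
            if net.ack(pa + [p[i]]):                     # probe p[i] over pa -> p[i+1] -> p[i]
                return ("bad", p[i])                     # the link works, so p[i] dropped the probe
            return ("broken", (p[i], p[i + 1]))
    return ("undecided", None)


EDGES = [("S", "A"), ("A", "B"), ("B", "C"), ("C", "D"), ("S", "X"), ("X", "C")]   # constructed
PATH = ["S", "A", "B", "C", "D"]


def demo():
    """Clean path, one dropping node, one broken link, and two consecutive bad nodes (C hides B)."""
    return {
        "clean": locate_fault(ProbeNet(EDGES), PATH),
        "bad_node": locate_fault(ProbeNet(EDGES, bad={"B"}), PATH),
        "broken_link": locate_fault(ProbeNet(EDGES, broken=[("B", "C")]), PATH),
        "two_bad": locate_fault(ProbeNet(EDGES, bad={"B", "C"}), PATH),
    }
```

In the two-bad-nodes case the detour S-X-C reaches C, but the check of B over C fails because C drops it, so the procedure reports a broken link B-C instead of a bad node; this is exactly the "bad behavior of one node is hidden by the other bad node" limitation discussed in the results.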
3.4.5 Simulation
The experiments were simulated using NS-2. The following section details the simulation
environment, metrics and the results.
Packet Traffic: 10 Constant Bit Rate (CBR) Traffic connections were generated
simultaneously. Four nodes were the sources for two streams each, and two nodes
were the sources for a single stream each. Destination nodes only receive one CBR
stream each.
Mobility: Random waypoint model was chosen with maximum speed set to 20
meters per second. Pause time was set to 15 seconds.
Radio: We used the no fading radio model with the radio range set to 250 meters.
Clear Delay: Set to 100 seconds, this is an event expiration timer. This is the
amount of time for which a node would consider an event before arriving at a
conclusion.
3.4.7 Metrics
For the performance measure of IDAODV, we consider the following metrics: False
Positives, Detection Rate and Packet Delivery Ratio in both static and mobile conditions.
All results are averaged over a number of simulation runs.
3.4.8
As mentioned earlier, our work is a modification of that done by Stamouli et al. [10]. Each
graph in the results plots its metric against the percentage of packet delivery and the number
of connections.
3.4.8.1
The four metrics that were used in the evaluation of the Sequence Number Attack
Detection and countermeasure mechanism are the delivery ratio, the number of false
routing packets sent by the attacker, false positive and detection rate.
Figure 3.8: Delivery Ratio vs. Speed of Nodes
In figures 3.7 and 3.8, delivery ratio is plotted as the node mobility or density increases.
The normalized overhead of AODV is 2-4 times more when the network is loaded. In the
graphs, the overhead of AODV is considered with a fully loaded network. As can be seen
from the graph, with IDAODV running, delivery ratio is increased by as much as 72%.
The second metric that was used in the evaluation of this attack was the number of false
packets sent by the attacking node versus the number of active connections and the node
mobility. This metric was used to examine the overhead of the sequence number attack and
we considered only the extra cost on communication imposed by the attack. We observed
that the average number of RREP sent by the malicious node in all the experiments was
1856 and the number of nodes that inserted the false route into their routing table was 20
out of 30.
In figure 3.9, false positives are nodes incorrectly labeled as malicious. As expected, the
performance of the Active response protocol improved with respect to false positives as the
density of the malicious nodes increased.
Figure 3.10 shows the detection rate. In the best case, 93% of the attacks can be detected,
whereas the worst case detection rate is 80%. There are several reasons why a bad node
may go undetected. First, the bad node may not be in any path in the routing cache each
time the monitors begin to check. Since the paths are based solely on the paths
maintained by the routing cache, if a node is not contained in any path, its forwarding
function will not be monitored. Second, there may be two consecutive bad nodes in a path;
the bad behavior of one node is then hidden by the other bad node.
Figure 3.11 shows that IDAODV system improves the delivery ratio by 51% compared to
plain AODV. Figure 3.12 shows that the routing overhead introduced by the attack reduces
by 52%. IDAODV reduces the routing overhead ratio to approximately the levels that
normal AODV demonstrates.
In Figure 3.13 we see that the performance of active response protocol improves with
respect to false positives as the density of malicious nodes increases.
Figure 3.14 shows that in the best case, 93% of the bad nodes can be detected. The worst-case detection rate is 77%.
3.4.10 Response to Intrusions
Our intrusion detection protocol allows for either an active or a passive response to
intrusions. With either response mode, the outcome is the isolation of the offending node
from the network. In the passive mode, a node makes a unilateral decision based on its own
observations of anomalous behavior. The more frequent and abnormal the behavior on the
part of the malicious node, the sooner the intrusive node will be isolated and denied access
to the underlying network infrastructure.
The active response mode offers a higher level of assurance than the passive mode.
The increased assurance level is due to a majority voting scheme and, consequently, the
flooding of the intrusive node's identity throughout the network. The active mode,
however, is more complex to implement.
3.4.10.1 Passive Response
Once the threshold value which mitigates the effects of link error for message misrouting
or message modification has been exceeded, an alarm is raised. In the passive mode, the
node that raised the alarm removes the intrusive node from its neighbor table and does not
participate in further route discoveries, Hello Messages or collaborative routing with the
intrusive node. Additionally, the intrusive node's address is recorded in the BadNode
Table. As we show in a later section on the details of the experiments, the denser the
network, the larger the number of nodes simultaneously declaring a node intrusive and
preventing the malicious node from utilizing the network resources. If the node in question
continues to act intrusively, each node in the network will eventually make a unilateral
decision to disassociate itself from the intruder.
3.4.10.2 Active Response
Tay et al. [30] propose the Cluster Based Routing Protocol (CBRP) where nodes form
clusters, each with an elected cluster head. The role of the cluster head is to optimize
the route discovery process.
3.5 Improvements
The simulations using NS-2 have shown that AODV versions that use link layer support
have the overall best results in almost all simulations. AODV has, as mentioned
earlier, the advantage that it learns more information from each request it sends out. If a
request goes from S to D and the reply from D to S, S will learn the route to all
intermediate nodes between S and D. This means that it is not necessary to send out as
many requests as for AODV. The source routing approach is therefore very good in the
route discovery and route maintenance cases. However, source routing is not desirable
for data packets. First of all, it adds a lot of overhead. Secondly, it is not as traditional
as, for instance, distance vector or link state, which are widely used in wired networks.
Our proposal is therefore to implement a protocol that is a combination of source routing
and distance vector. Source routing should be used in the route discovery and route
maintenance phases. These phases would also include setting up the routing tables
dynamically during the propagation of the requests and replies. When the data
packets are forwarded, a distance vector algorithm should be used: the packets are simply
forwarded to the next hop according to the routing table. This, in combination with the
protocol storing several routes for each destination, would probably yield a protocol with a
performance that is even better than the protocols that have been simulated in this thesis.
link changes faster, and reduce the packet drop caused by them. Network congestion is the
dominant reason for packet drop. The performance of the protocol can be further
improved if congestion can be avoided.
cur = read_local_entry()->dst;              /* the attacker's own address (cur) */
prev = read_route_entry(src).next_hop;      /* upstream node on the route, the next hop towards Source */
next = read_route_entry(dst).next_hop;      /* downstream node on the route, the next hop towards Destination */
dseq = read_route_entry(dst).seq;           /* destination sequence number currently known locally */
Add_Route(dst, prev, dseq+1);               /* point the attacker's route to Destination back at prev */
Active_Reply(src, dst, dseq+1, cur, next);  /* send next an RREP with a larger sequence number naming cur as next hop */
}
If the attacker is close to a route from Source to Destination such that two consecutive
nodes in this route, prev and next, are in the attacker's 1-hop neighborhood, the attacker
can first add a route to the Destination using prev as the next hop. It then generates an
Active_Reply to next, using a larger sequence number for Destination in the RREP
message. This makes next update its route to Destination via cur.
When prev receives a packet from Source, the packet is forwarded according to the
normal path and it will eventually reach next. However, next now thinks the best route
to Destination is through cur, and cur forwards it back to prev. This effectively
creates a loop on the route from Source to Destination, and all packets will be dropped in
the loop when their TTL values drop to zero.
A similar attack can be implemented when the attacker is not close to the targeted route.
The attacker can first find a victim node V that is close to the route. Instead of calling
Add_Route locally on V (which would require an additional compromise of V), the attacker
can use either False_Request or Active_Reply to force V to update its route to
Destination via V's corresponding prev.
to send a large number of RREQ packets per second. The proposed scheme shifts the
responsibility of monitoring this parameter to the node's neighbors, ensuring compliance
with this restriction. This technique solves all of the problems caused by unnecessary
RREQs from a compromised node. Instead of self-control, the control exercised by a
node's neighbors prevents this attack.
RREQ_GOODLIST_LIMIT and RREQ_BADLIST_LIMIT
The proposal is based on the application of two parameters: RREQ_GOODLIST_LIMIT
and RREQ_BADLIST_LIMIT.
RREQ_GOODLIST_LIMIT denotes the number of RREQs that can be accepted and
processed per unit of time by a node. The purpose of this parameter is to specify a value
that ensures uniform usage of a node's resources by its neighbors. RREQs exceeding this
limit are dropped, but their time stamps are recorded. This information aids in monitoring
the neighbors' activities. In the simulations carried out, the value of this parameter was
kept at three (3 RREQs can be accepted per unit of time). This value, however, can be
adaptive, depending upon node metrics such as memory, processing power and battery.
The RREQ_BADLIST_LIMIT parameter is used to specify a value that aids in determining
whether a node is acting maliciously or not. To do so, the number of RREQs originated or
forwarded by a neighboring node per unit time is tracked. If this count exceeds the value of
RREQ_BADLIST_LIMIT, one can safely assume that the corresponding neighboring node
is trying to flood the network with fake RREQs. A neighboring node identified as
malicious can be badlisted, preventing further flooding of fake RREQs into the network.
The badlisted node is ignored for a period of time given by BADLIST_TIMEOUT, after
which it is unblocked. The proposed scheme has the ability to block a node for the
BADLIST_TIMEOUT period on an incremental basis: the BADLIST_TIMEOUT period is
doubled each time the node repeats its malicious behavior.
In our simulations, the value of RREQ_BADLIST_LIMIT is kept at 10 (i.e. more than 10
RREQs per unit time counts as flooding activity). By badlisting a malicious node, all
neighbors of the malicious node restrict the flood of RREQs. In addition, the malicious
node is isolated by this distributed defense and cannot hog its neighbors' resources. The
neighboring nodes are therefore free to entertain the RREQs from genuine nodes. Nodes
that are confident about the malicious nature of a particular node can avoid using it for
subsequent network functions. In this way, genuine nodes are saved from experiencing this
attack.
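The two-parameter scheme above, as an added example that is not the thesis's own implementation: a per-neighbor limiter that accepts at most RREQ_GOODLIST_LIMIT RREQs per unit time, records the time stamps of the ones it drops, badlists a neighbor once more than RREQ_BADLIST_LIMIT RREQs are heard from it in a unit of time, and doubles that neighbor's BADLIST_TIMEOUT on every repeat. The limits 3 and 10 are the values used in the simulations; the 100 s initial timeout, the one-second unit of time, the neighbor names and the traffic pattern are constructed here, as the text gives no numbers for them.

```python
from collections import deque

RREQ_GOODLIST_LIMIT = 3     # RREQs accepted and processed per neighbour per unit time (value from the text)
RREQ_BADLIST_LIMIT = 10     # more than this many RREQs per unit time from one neighbour is flooding (text)
BADLIST_TIMEOUT = 100.0     # initial block period in seconds; the text gives no number, so constructed
UNIT_TIME = 1.0             # length of the "unit of time" in seconds (constructed assumption)


class RreqLimiter:
    """Per-neighbour RREQ admission control following the two-parameter scheme of this section."""
    def __init__(self, goodlist_limit=RREQ_GOODLIST_LIMIT, badlist_limit=RREQ_BADLIST_LIMIT,
                 timeout=BADLIST_TIMEOUT, unit=UNIT_TIME):
        self.goodlist_limit, self.badlist_limit = goodlist_limit, badlist_limit
        self.timeout, self.unit = timeout, unit
        self.seen = {}       # neighbour -> timestamps of every RREQ heard, including dropped ones
        self.accepted = {}   # neighbour -> timestamps of RREQs actually processed
        self.badlist = {}    # neighbour -> time at which its block expires
        self.penalty = {}    # neighbour -> block period to apply next time (doubles on each repeat)

    def _window(self, table, neighbour, now):
        """Return the neighbour's timestamp queue trimmed to the last unit of time."""
        dq = table.setdefault(neighbour, deque())
        while dq and now - dq[0] >= self.unit:
            dq.popleft()
        return dq

    def on_rreq(self, neighbour, now):
        """Classify one RREQ heard from `neighbour` at time `now`: 'accepted', 'dropped' or 'badlisted'."""
        expires = self.badlist.get(neighbour)
        if expires is not None:
            if now < expires:
                return "badlisted"
            del self.badlist[neighbour]          # BADLIST_TIMEOUT elapsed: unblock, keep the doubled penalty
        seen = self._window(self.seen, neighbour, now)
        seen.append(now)                         # dropped RREQs are time-stamped too (aids monitoring)
        if len(seen) > self.badlist_limit:       # flooding: badlist for the current penalty, then double it
            period = self.penalty.get(neighbour, self.timeout)
            self.badlist[neighbour] = now + period
            self.penalty[neighbour] = period * 2
            return "badlisted"
        accepted = self._window(self.accepted, neighbour, now)
        if len(accepted) >= self.goodlist_limit:
            return "dropped"                     # over RREQ_GOODLIST_LIMIT: not processed, only recorded
        accepted.append(now)
        return "accepted"


def demo():
    """Constructed traffic: neighbour N1 floods twice, neighbour N2 sends at a sane rate throughout."""
    lim = RreqLimiter()
    first_flood = [lim.on_rreq("N1", 0.05 * k) for k in range(12)]        # 12 RREQs in 0.55 s
    honest = [lim.on_rreq("N2", 0.4 * k) for k in range(6)]               # one RREQ every 0.4 s
    after_timeout = lim.on_rreq("N1", 101.0)                               # first block (100 s) expired
    second_flood = [lim.on_rreq("N1", 101.0 + 0.01 * k) for k in range(1, 12)]
    return {"first_flood": first_flood, "honest": honest, "after_timeout": after_timeout,
            "second_flood": second_flood, "second_block_until": lim.badlist["N1"],
            "next_penalty": lim.penalty["N1"]}
```

The honest neighbor is never affected because its accepted-window never holds three entries at once, while the flooder is first throttled (dropped) and then badlisted on the eleventh RREQ; after the block expires it is served again, but its second flood is blocked for 200 s rather than 100 s, matching the incremental blocking described above.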
Advantages of the Proposed Scheme
1. The proposed scheme incurs no extra overhead, as it makes minimal modifications
to the existing data structures and functions related to bad listing a node in the
existing version of pure AODV.
2. The proposed scheme is more efficient in terms of the resultant routes established,
resource reservations and computational complexity.
3. If multiple malicious nodes collaborate, they in turn will be restricted and isolated
by their neighbors, because they monitor and exercise control over forwarding
RREQs by nodes. Hence, the scheme successfully prevents distributed attacks.
4.3 Simulation
The experiments were carried out using NS-2 [31]. We used the simulation
environment detailed in [18] as a starting point. The following subsection provides details
of the simulation environment, metrics and experimental results.
(Figure: intruder injecting bogus traffic into the network. Labels recoverable from the figure:
Intruder, Bogus Traffic, nodes A, C, D, E, F, G, K, N and T; the diagram itself is not
recoverable from the text.)
MAC Layer: 802.11, peer-to-peer mode was chosen as the MAC layer protocol.
Radio: The No fading model was used, with the radio range set to 250 meters.
Mobility: Random waypoint model was used with maximum speed set to 20 meters
per second. Pause time was set to 15 seconds.
were the source for single stream. Each destination node receives only one CBR
stream.
Dropped Packet Timeout: Timeout period for dropped packets was set to 10
seconds.
Clear Delay: This is an event expiration timer, set to 100 seconds. This is the
amount of time for which a node considers an event before arriving at a conclusion.
The metrics such as delivery ratio, false positive, detected bad nodes are the important
determinants of network performance, which have been used to compare the performance
of the proposed scheme in the network with the performance of the original protocol i.e.
AODV. The study shows that the proposed scheme enhances the security of the routing
protocol without causing substantial degradation in the network performance.
The average results from Figures 4.2 and 4.3 show that the attack decreases while the
delivery ratio improves by 80%.
Figure 4.4 shows that the performance of Active Response protocols improves with respect
to false positives as the density of the malicious nodes increases.
Detection rate is shown in Figure 4.5. In the best case, 93% of the bad nodes can be
detected; the worst case detection rate is 78%. In the previous chapter, we discussed why a
bad node may go undetected.
We have produced the percentage of detection of attacks using the RIDAN system [10] for
both the static and the dynamic node case, which was not present in the original work. We
give the relative performance of IDAODV and the RIDAN system below.
We show the results for systems with 30 nodes in Figure 4.6. We see that the
performance of IDAODV is better than that of the RIDAN system [10]. IDAODV also
detects multimode intrusion for the static condition.
Detection rate (%) of RIDAN (Stamouli) [10] and IDAODV against the number of nodes:

Number of Nodes              20      40      60      80
Static node case
  RIDAN (Stamouli)           52      80      94      98.5
  IDAODV                     54      84      96      99.3
Dynamic node case
  RIDAN (Stamouli)           52      80.5    94      99
  IDAODV                     57.5    85.1    95      99.8
The above table gives a comparison of the percentage of detection between the RIDAN
system and the proposed method. For all numbers of nodes, the detection rate of the
proposed method is higher than that of the RIDAN system, whereas the complexity of
IDAODV is almost the same as that of the RIDAN system.
loss of performance (in the form of ratio) is least for distributed operation and highest for
the centralized one. IDAODV also discussed the robustness of the above methods.
the most pervasive network-based IDSs are signature-based and are only able to detect
known attacks.
We presented new techniques that advance the field of intrusion detection in several areas.
We have designed novel mechanisms to detect and mitigate aberrant behaviors encountered
in Mobile Ad Hoc Networks (MANETs). Since MANETs are comprised of resource-constrained
devices, we designed our intrusion detection mechanisms as protocols that
monitor network state rather than system state. We also experimented with reactive
protocols for MANETs, extending prior research to work with all mobile Ad Hoc routing
protocols, not just AODV.
We used a randomly selected set of 5 nodes out of 30 nodes, experimented with [10], and
considered a sequence of five consecutive packets as constituting the attack signature. We
measured the accuracy of detection in both the static and the dynamic condition. It is not
clear in the RIDAN system how an attack that requires more than one-hop information gets
detected, whereas in IDAODV multihop information is considered, which overcomes this
limitation of the RIDAN system. We have produced the percentage of detection of attacks
using the RIDAN system [10] for both the static and the dynamic node case, which was not
present in the original work. We have also given the relative performance of IDAODV and
the RIDAN system.
Our experiments and simulations have demonstrated that our protocol is functionally
feasible given limited resources.
5.2 Conclusions
An Intrusion Detection System aiming at securing the AODV protocol has been developed
using a specification-based technique. It is based on previous work done by Stamouli et al.
[10]. The IDS performance in detecting misuse of the AODV protocol has been discussed.
In all the cases, the attack was detected as a violation of one of the AODV protocol
specifications. From the results obtained, it can be concluded that our IDS can effectively
detect the Sequence Number Attack, Packet Dropping Attack and Resource Depletion Attack
with Incremental Deployment. The method has been shown to have low overheads and a
high detection rate.
Our Intrusion Detection and Response Protocol for MANETs has been demonstrated to
perform better than the one proposed by Stamouli et al. in terms of false positives and
percentage of packets delivered. Since Stamouli et al. do not report true positives, i.e. the
detection rate, we could not compare our results against that parameter with their method.
The implementation of the IDAODV protocol has shown its feasibility to work in real life
scenarios; IDAODV performs real-time detection of attacks in MANETs running AODV
routing protocol. The prototype has also given some insight into the problems that arise
when trying to run real applications on an Ad Hoc network.
Simulation results validate the ability of our protocol to successfully detect both local and
distributed attacks against the AODV routing protocol, with a low number of false
positives. The algorithm also imposes a very small overhead on the nodes, which is an
important factor for the resource-constrained nodes.
The work can be extended to study the robustness of Wireless Ad Hoc Networks for
all types of protocols.
A study can be conducted on the relationship between the average detection delay
and the mobility of the nodes.
More types of attacks including group attacks can be studied and their relations to
the vulnerability of the protocols can be ascertained.
A complete approach can be developed that considers more parameters such as the
available queue length and the delay on a path during the route determination.
A fast response mechanism (local repair) can be developed for proactive protocols
to reduce packet drop due to route changes.
Bibliography
[1] L. Zhou and Z. J. Haas. Securing Ad Hoc Networks. IEEE Network 13(6), 1999, pp. 24–30.
[2] www.itrainonline.org/.../04_en_mmtk_wireless_basic-infrastructure-topology_slides.pdf
[3] R. K. Nichols and P. C. Lekkas. Wireless Security: Models, Threats, and Solutions.
McGraw-Hill, 2002. ISBN 0-07-138038-8.
[4] Y.-C. Hu, A. Perrig and D. B. Johnson. Ariadne: A Secure On-Demand Routing Protocol
for Ad Hoc Networks. In Eighth ACM International Conference on Mobile Computing and
Networking (MobiCom 2002), September 2002.
[5] F. Stajano and R. Anderson. The Resurrecting Duckling: Security Issues for Ad-hoc
Wireless Networks. In Security Protocols, 7th International Workshop Proceedings (1999),
B. Christianson, B. Crispo and M. Roe, Eds., Lecture Notes in Computer Science,
Springer-Verlag, Berlin Heidelberg.
[6] C. Siva Ram Murthy and B. S. Manoj. Ad Hoc Wireless Networks: Architectures and
Protocols. Prentice Hall PTR, New Jersey, USA, May 2004.
[7] http://compnetworking.about.com/cs/wireless80211/a/aa80211standard.htm
[8] http://users.tkk.fi/~msarela/texts/cs/military/node11.html
[9] http://library.uws.edu.au/adt-NUWS/uploads/approved/adt-NUWS20060125.131604/public/12Chapter11.pdf
[10] I. Stamouli. Real-time Intrusion Detection for Ad Hoc Networks. Master's thesis,
University of Dublin, September 2003.
[11] http://www.gcn.com/online/vol1_no1/23053-1.html
[12] C. E. Perkins and P. Bhagwat. DSDV Routing over a Multihop Wireless Network of
Mobile Computers. In Perkins [20], 2001, ch. 3, pp. 53–74.
[13] D. B. Johnson, D. A. Maltz and J. Broch. DSR: The Dynamic Source Routing Protocol
for Multihop Wireless Ad Hoc Networks. In Perkins [20], 2001, ch. 5, pp. 139–172.
[14] V. Park and S. Corson. Temporally-Ordered Routing Algorithm (TORA) Version 1.
Internet Draft, draft-ietf-manet-tora-spec-03.txt, work in progress, June 2001. A Link
Reversal Routing (LRR) algorithm.
[15] C. E. Perkins. Ad Hoc On Demand Distance Vector (AODV) Routing. Internet Draft,
draft-ietf-manet-aodv-01.txt, August 1998. Work in progress.
[16] D. E. Denning. An Intrusion Detection Model. IEEE Transactions on Software
Engineering, vol. 13, no. 2, February 1987.
Joseph Macker, Mobile Ad Hoc
Programs in Distributed Systems: Specification-based
Appendix A Terminology
This appendix contains some terminology that is related to ad-hoc networks.
A.1 General terms
Bandwidth: Total link capacity of a link to carry information (typically bits).
Channel: The physical medium is divided into logical channels, allowing possibly shared
uses of the medium. Channels may be made available by subdividing the medium into
distinct time slots, distinct spectral bands, or decorrelated coding sequences.
Convergence: The process of approaching a state of equilibrium in which all nodes in the
network agree on a consistent state about the topology of the network.
Flooding: The process of delivering data or control messages to every node within a
data network.
Host: Any node that is not a router.
Interface: A node attachment to a link.
Link: A communication facility or medium over which nodes can communicate at the link
layer.
Loop free: A path taken by a packet never transits the same intermediate node twice before
arrival at the destination.
MAC-layer address: An address (sometimes called the link address) associated with the
link interface of a node on a physical link.
Next hop: A neighbor, which has been designated to forward packets along the way to a
particular destination.
Neighbor: A node that is within transmitter range of another node on the same channel.
Node: A device that implements IP.
Node ID: Unique identifier that identifies a particular node.
Router: A node that forwards IP packets not explicitly addressed to itself. In ad hoc networks, all nodes are at least unicast routers.
Routing table: The table in which the routing protocol keeps routing information for various
destinations. This information can include the next hop and the number of hops to the
destination.
Scalability: A protocol is scalable if it is applicable to large as well as small populations.
Source route: A route from the source to the destination made available by the source.
Throughput: The amount of data from a source to a destination processed by the protocol
for which throughput is to be measured, for instance IP, TCP, or the MAC protocol.
Reactive: Calculates a route only upon receiving a specific request. See also proactive.
RREQ: Routing Request. A message used by AODV for the purpose of discovering new
routes to a destination node.
RREP: Route Reply. A message used by AODV to reply to route requests.
Symmetric: Transmission between two hosts works equally well in both directions. See
also asymmetric.
TORA: Temporally Ordered Routing Algorithm. Routing protocol for wireless ad-hoc
networks.
Unidirectional: see asymmetric.
B.2 Design
AODV
The Tcl script that starts the AODV routing agent and creates all mobile nodes that use
AODV as their routing protocol.
AODV_Agent
Implements all AODV-specific parts. Handles RREQ, RREP, Hello and Triggered RREP.
It also has a send buffer that buffers packets while a route is being searched for. The timer
that handles timeouts on route entries and on the send buffer is also implemented here.
Hdr_AODV
Defines the message format for all messages that AODV uses.
Request Buffer
Implements the request buffer that prevents a node from processing the same RREQ
multiple times.
AODV_RTable
The routing table that AODV uses. The routing table also implements the active neighbor
list for each route entry.
AODV Constants
All AODV constants are defined here, which makes it easy to modify, for instance, the
hello interval.
B.3 Important routines
B.3.1 Sending RREQ
A RREQ is only sent by a source node (no intermediate node sends RREQs), and only if
no route to the destination exists.
IF (no route exists)
check-request buffer for requests already sent for destination
IF (no request sent already)
create a RREQ packet
add (dest addr, broadcast ID) to request buffer
locally broadcast RREQ
set timer for RREP_WAIT_TIME before rebroadcasting RREQ
increment broadcast ID
ELSE
buffer packet from stream or discard, according to need
ENDIF
ENDIF
B.3.2 Receiving RREQ
When a node receives a RREQ, it must first decide whether it has already processed that
RREQ. If so, the RREQ is discarded. Otherwise the source address and the broadcast ID
from the RREQ are buffered so that the same RREQ is not processed again.
IF ((source addr, broadcast ID) in request buffer)
discard request already heard and processed
ELSE
add (source addr, broadcast ID) to request buffer
ENDIF
The next step is to create or update the route entry in the routing table. This route can be
used by the RREP when a route is found.
IF (no route to source)
create a route entry for source addr
ELSE IF (source seqno in RREQ > source seqno in route entry)
update route entry for source addr
ELSE IF ((source seqno in RREQ = source seqno in route entry) AND (hop count in RREQ
< hop count in route entry))
Each node periodically broadcasts a hello message to all neighbors. When a node receives a
hello message it knows that the sending node is a neighbor and updates its routing
table accordingly.
IF (route entry for HELLO source exists)
update route entry
IF (destination seqno in HELLO > destination seqno in route entry)
update destination seqno in route entry
ELSE
create route entry for HELLO source
ENDIF
ENDIF
B.3.7 Forwarding packets
AODV uses an active neighbor list to keep track of which neighbors are using a
particular route. These lists are used when sending triggered route replies. The neighbor
lists are updated every time a packet is forwarded.
IF (route entry to destination exists)
IF (neighbor who forwarded packet to you != active neighbor for route)
add neighbor to active neighbor list for route entry
ENDIF
ENDIF
B.3.8 Sending Triggered RREP
Link breakages are detected either by the link layer, which notifies the routing agent, or by
means of hello messages: if a node has not received hello messages from a neighbor for a
certain amount of time, it assumes that the link is down. Every time a link is detected as
down, AODV sends a Triggered RREP to inform the affected sources.
FOR (each address in the active neighbor list for a route entry)
create a link failure notice packet
unicast to active neighbor
ENDFOR
B.3.9 Receiving Triggered RREP
Every time a triggered RREP is received informing about a broken link, the affected route
entry must be deleted and neighbors using this entry must be informed.
IF (have active neighbors for broken route)
send Triggered RREP
ENDIF
delete route entry for broken route
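The RREQ reception, packet forwarding and triggered RREP routines above (B.3.2, B.3.7, B.3.8 and B.3.9) modelled in one small Python class. This is an added example, not the thesis's ns-2 agent; the class and method names are assumptions, and for the equal-sequence-number, fewer-hops case the assumed action is to replace the entry with the shorter route.

```python
from dataclasses import dataclass, field

@dataclass
class RouteEntry:
    next_hop: str
    seqno: int
    hop_count: int
    active_neighbors: set = field(default_factory=set)  # B.3.7 active neighbor list

@dataclass
class AodvNode:
    """Illustrative model (assumed names, not the thesis's code) of one AODV node."""
    addr: str
    request_buffer: set = field(default_factory=set)   # (source addr, broadcast ID) seen
    routing_table: dict = field(default_factory=dict)  # destination addr -> RouteEntry
    sent: list = field(default_factory=list)           # (neighbor, message) unicast log

    def _install(self, dest, next_hop, seqno, hops):
        self.routing_table[dest] = RouteEntry(next_hop, seqno, hops)

    def receive_rreq(self, src, bcast_id, src_seqno, hops, prev_hop):
        """B.3.2: suppress duplicates, then create or refresh the reverse route."""
        if (src, bcast_id) in self.request_buffer:
            return "discard"                     # already heard and processed
        self.request_buffer.add((src, bcast_id))
        e = self.routing_table.get(src)
        if e is None:
            self._install(src, prev_hop, src_seqno, hops)
            return "create"
        # fresher sequence number, or same sequence number over fewer hops (assumed action)
        if src_seqno > e.seqno or (src_seqno == e.seqno and hops < e.hop_count):
            self._install(src, prev_hop, src_seqno, hops)
            return "update"
        return "keep"

    def forward_packet(self, dest, from_neighbor):
        """B.3.7: remember which neighbor relies on this route; False if no route."""
        e = self.routing_table.get(dest)
        if e is None:
            return False
        e.active_neighbors.add(from_neighbor)
        return True

    def link_broken(self, dest):
        """B.3.8/B.3.9: unicast a Triggered RREP to each active neighbor, drop the entry."""
        e = self.routing_table.pop(dest, None)
        if e is None:
            return 0
        for nb in sorted(e.active_neighbors):
            self.sent.append((nb, ("TRIGGERED_RREP", dest)))
        return len(e.active_neighbors)
```

A node that receives a Triggered RREP for a destination simply calls link_broken on that destination, which propagates the notice upstream and deletes the entry as B.3.9 requires.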
    {
        station_state.last_sn = current_frame.sn;
        return;
    }
    if (gap == 0 || gap >= 0xffd)
    {
        if (current_frame.sn exists in our buffer)
        {
            if (the content of current_frame is the same as the buffered frame)
                if yes, normal retransmission, return;
                if no, seq_no, raise alarm, return;
        }
        else
        {
            if (station_state.last_frame_type is beacon or probe response &&
                current_frame.type is data)
                if yes, a valid management frame went out of order before data frames,
                    return;
                if no, seq_no, raise alarm, return;
        }
    }
    if (gap >= 3 && gap < 0xffd)
    {
        station_state.current_sn = current_frame.sn;
        send ARP probing;
        station_state.in_verification = TRUE;
        return;
    }
}
verify_possible_seq_no(station_state, next_frame)
{
    gap_of_next_frame = 0xfff & (next_frame.sn - station_state.last_sn);
    gap_of_current_frame = 0xfff & (station_state.current_sn - station_state.last_sn);
    if (gap_of_next_frame >= gap_of_current_frame)
    {
        if ((gap_of_next_frame == gap_of_current_frame) &&
            content of current_frame and next_frame is different)
        {
            seq_no, raise alarm; goto exit;
        }
        // next frame is bigger than the current one, normal
        if (verification timer expires)
        {
            goto exit;
        }
    }
    else
    {
        seq_no, raise alarm; goto exit;
    }
exit:
    station_state.last_sn = next_frame.sn;
    station_state.in_verification = FALSE;
}
When a frame is received and its source station is not in the verification state, there are
three cases for the value of the inter-frame sequence number gap. If gap ∈ [4093, 4095] or
gap = 0, the current frame is treated as a retransmitted frame. If gap ∈ [1, 2], the current
frame is a normal frame. If gap ∈ [3, 4092], whether the current frame is spoofed depends on
the result of verification. When a STA is in the verification state, there are two cases for the
next SN: it is either between the last SN and the current SN, or outside this range.
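The sequence-number gap classification and verification step described above, as an added Python example (not the thesis's detector code), run over constructed frames. Frame, StationState and the function names are assumptions; the verification timer and the ARP probe are omitted, so the first frame after a held one decides the verdict.

```python
from dataclasses import dataclass, field
SN_MASK = 0xFFF  # 802.11 sequence numbers are 12 bits, so gaps wrap modulo 4096

@dataclass
class Frame:                     # constructed test frame, not a real capture
    sn: int
    ftype: str                   # "data", "beacon" or "probe_response"
    content: bytes

@dataclass
class StationState:              # assumed per-station state for this illustration
    last_sn: int = -1
    last_frame_type: str = ""
    current_sn: int = -1         # SN being verified (gap in [3, 4092])
    current_content: bytes = b""
    in_verification: bool = False
    buffered: dict = field(default_factory=dict)   # sn -> content of accepted frames

def check_frame(st, frame):
    """Classify one frame from a station: 'normal', 'retransmit', 'verify' or 'alarm'."""
    if st.in_verification:
        return verify_possible_seq_no(st, frame)
    gap = SN_MASK & (frame.sn - st.last_sn) if st.last_sn >= 0 else 1
    if gap in (1, 2):                        # in sequence: advance the station state
        st.last_sn, st.last_frame_type = frame.sn, frame.ftype
        st.buffered[frame.sn] = frame.content
        return "normal"
    if gap == 0 or gap >= 0xFFD:             # SN repeated or stepped back by up to 3
        if frame.sn in st.buffered:          # a true retransmission repeats the content
            return "retransmit" if st.buffered[frame.sn] == frame.content else "alarm"
        mgmt_first = st.last_frame_type in ("beacon", "probe_response")
        return "normal" if mgmt_first and frame.ftype == "data" else "alarm"
    st.current_sn, st.current_content = frame.sn, frame.content   # gap in [3, 4092]
    st.in_verification = True                # the thesis also sends an ARP probe here
    return "verify"

def verify_possible_seq_no(st, nxt):
    """Resolve a held SN using the next frame from the same station."""
    gap_next = SN_MASK & (nxt.sn - st.last_sn)
    gap_cur = SN_MASK & (st.current_sn - st.last_sn)
    if gap_next < gap_cur:                   # next SN fell between last SN and current SN
        verdict = "alarm"
    elif gap_next == gap_cur and nxt.content != st.current_content:
        verdict = "alarm"                    # same SN reused for different content
    else:
        verdict = "normal"                   # station kept counting past the held SN
    st.last_sn, st.last_frame_type = nxt.sn, nxt.ftype
    st.buffered[nxt.sn] = nxt.content
    st.in_verification = False
    return verdict
```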