
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the WCNC 2007 proceedings.

A Flow Based Detection Mechanism against Flooding Attacks in Mobile Ad Hoc Networks

Yinghua Guo (1), Steven Gordon (2), Sylvie Perreau (1)
(1) Institute for Telecommunications Research, University of South Australia, Mawson Lakes, SA 5095, Australia
Yinghua.Guo@postgrads.unisa.edu.au, sylvie.perreau@unisa.edu.au
(2) Sirindhorn International Institute of Technology, Thammasat University, Pathumthani 12121, Thailand
steve@siit.tu.ac.th

1525-3511/07/$25.00 ©2007 IEEE

Abstract—Mobile ad hoc networks (MANETs) are particularly vulnerable to flooding attacks. To evade identification, attackers usually recruit multiple accomplices to dilute the attack traffic density of each attack source, and use address spoofing to frustrate attack tracing. In this paper, we present a detailed investigation of the flooding attack in MANET. Further, we design two flow based detection features, and apply the cumulative sum (CUSUM) algorithm to them to detect such attacks effectively and accurately.

Keywords-DoS attack, intrusion detection, ad hoc network

I. INTRODUCTION

A Mobile Ad hoc Network (MANET) comprises autonomous mobile nodes that dynamically and arbitrarily form multi-hop communication facilities to make up for the absence of fixed infrastructure. Securing communication in a MANET is a challenging issue. Firstly, traditional security mechanisms used in infrastructure networks may be inapplicable to MANET [1] due to its unique characteristics: unreliability of wireless links, dynamically changing topology, the absence of a certification authority, and the lack of a centralized monitoring or management point. Secondly, for the same reas
ons, MANET suffers from a wide range of threats and attacks: impersonation attacks, blackhole attacks, Denial of Service (DoS) attacks, selfish misbehaviour, etc. [1]. Among these security threats, MANETs are particularly susceptible to DoS attacks because the resources on mobile nodes are limited and the broadcast mechanism is resource consuming.

In this work, we investigate one type of DoS attack, the flooding attack, in MANET and present a detailed model to characterize it. In this attack, which exploits the broadcast transmission mechanism, attackers behave like normal nodes in all aspects except that they send out an excessive amount of malicious packets to deplete the network bandwidth and, in turn, prevent the network from providing services to legitimate users. As the first contribution of this work, we believe that, to the best of our knowledge, this is the first effort to systematically model such an attack in the context of MANET. More importantly, the second contribution we make is designing two novel flow based detection features, and employing the Cumulative SUM (CUSUM) [10] algorithm to identify the flooding attack.

The rest of the paper is organized as follows: Section II first explains why MANET is vulnerable to flooding attacks and then reviews related work on defending MANET against flooding attacks. Section III presents a detailed investigation of the flooding attack. In Section IV, we propose a flow based detection mechanism to detect such attacks. Section V presents simulation results and discussion. The paper is concluded in Section VI.

II. BACKGROUND AND RELATED WORK

A. MANET Security Vulnerabilities

Broadcast transmission is used by most MANET routing protocols [2]. For example, in the DSR routing protocol, when a source node attempts to send packets to some destination and does not know a route to that destination, it uses route discovery to dynamically discover one. Route discovery works by flooding route request (RREQ) packets through the network seeking a route to the target destination. Such packets are rebroadcast by intermediate nodes until they reach the destination or some intermediate node that has a route to the destination. The broadcast mechanism in the routing procedure is a potential security flaw because frequent flooding of many packets throughout the network easily consumes considerable network bandwidth [3].

The resources in a MANET are constrained. In order to be light and portable, mobile wireless devices in a MANET cannot have many resources, e.g. CPU, memory, battery. In addition, the wireless channel is a shared medium. It is easy for malicious users to occupy the channel chronically by sending out useless packets. Other features of MANET facilitating the flooding attack include the assumed trust relationship among network nodes and the lack of a centralized administration entity. Exploiting these vulnerabilities, adversaries can launch flooding attacks.

B. Related Work

To defend ad hoc networks against flooding attacks, a few preventive and detective security mechanisms have been proposed in the context of sensor networks and MANET. Refs. [4, 5, 6] are first attempts at preventing adversaries from injecting bogus messages into sensor networks. Based on symmetric cryptography, they address the problem of a single compromised sensor node broadcasting false reports. The basic



idea behind them is that when an event occurs, multiple surrounding sensors collectively generate a legitimate report that carries multiple Message Authentication Codes (MACs). As the sensing report is forwarded towards the sink, each forwarding node verifies the correctness of the MACs carried in the report with a certain probability. Once an incorrect MAC is detected, the report is dropped.

The schemes for detecting malicious nodes flooding packets in MANET proposed in [7, 8] are similarly built on counting each node's rate of sending route request (RREQ) packets. Once a node's RREQ rate exceeds a given threshold, its packets are dropped in [7], and in addition the node's priority for sending packets is decreased in [8].

Although each of the above approaches can handle one specific type of flooding attack (e.g. [7, 8] only detect single-source flooding attacks), their limitations are as follows.

• The assumption made in [4, 5, 6], i.e. that if one event is detected, it is detected by multiple sensor nodes, does not hold in the MANET we are considering. In a MANET, because of node mobility, it is possible that an event happens in some particular place where there is only one node. In this case, the sensing report carries only the detecting node's MAC. If this node is malicious and tries to inject bogus reports into the network, no node can tell whether the event really happened by only verifying the report's MAC. Even if this assumption holds in some particular MANET scenarios, these techniques [4, 5, 6] still cannot detect multiple malicious nodes collusively forging reports with their own MACs.

• Refs. [7, 8] cannot detect a flooding attack performed by multiple colluding malicious nodes. This is because, by employing multiple accomplices, the attack traffic rate of each attack node can be normally low, while the aggregated attack traffic is high enough to paralyse the network. The normally low traffic rate easily defeats rate counting based detection schemes [7, 8].

• Because [7, 8] are based on counting each node's packet rate, they are useless when attackers spoof the source addresses of attack packets with random ones.

III. FLOODING ATTACKS IN MANET

A. Overview of Flooding Attacks

The flooding attack is one form of DoS attack [9]. Instead of attacking any particular node, it aims to paralyze the whole network by exhausting network bandwidth. For example, if the broadcast mechanism in the MANET routing procedure is exploited, malicious nodes might behave like normal nodes in all aspects except routing. They would not comply with the broadcast management techniques adopted in current routing protocols, such as limiting the maximum number of RREQ packets sent per second and RREQ back-off. Instead, they initiate massive numbers of bogus RREQ packets (e.g. whose destinations do not exist in the MANET) that are re-broadcast by intermediate nodes. In the end, the aggregated RREQs form enough attack traffic to overwhelm the network.

B. Flooding Attack Model

In order to avoid detection and tracing, attackers usually use the following techniques to diversify the external patterns of attack traffic.

• Recruiting accomplices. If the huge amount of attack traffic is generated by a single node, it is easily detected by its abnormally high packet rate. As more accomplices are involved, the packet rate of each accomplice can be normally low, while the aggregated attack traffic is still large enough to overwhelm the network.

• Address spoofing. To avoid detection and tracing, attackers can alternatively exploit address spoofing, which enables them to generate attack packets with randomly spoofed source addresses. Address spoofing renders detection schemes based on counting each node's packet rate inapplicable and, more importantly, makes it very hard to trace attack nodes [3].

In this work, we mainly focus on flooding attack variations caused by the above two camouflage methods. Accordingly, we model the flooding attack as (n, r, f, T_a), where n is the number of attack nodes, r is the rate at which each attack node generates bogus RREQs, f controls the address spoofing frequency, i.e. how often malicious nodes change the source and/or destination addresses of the RREQs they send out, and T_a is the attack duration. By carefully selecting these parameters, attackers try to make the difference between attack traffic and normal network traffic so slim that they can evade detection or tracking.

In particular, it is interesting to investigate how f changes the attack pattern. Basically, f is the number of attack packets that use the same spoofed address. For example, f = 1 means that each attacker selects a spoofed address (probably a random one) for every packet it sends out. When f reaches or exceeds T_a × r, the attack becomes the non-address-spoofing flooding attack, in which all attack packets sent out by an attacker have a fixed source address. In the rest of this paper, we refer to the address spoofing flooding attack (f = 1) as the ASF attack, and the non-address-spoofing flooding attack (f ≥ T_a × r) as the NASF attack.

IV. FLOW BASED DETECTION MECHANISM

In this section, we design two flow based features, each characterizing one aspect of the flooding attack. We further propose a detection mechanism, in which the nonparametric CUSUM algorithm [10] is applied to these detection features, to identify such attacks.

A. Detection Features Selection

Before presenting the detection features, we introduce some concepts used in our mechanism. A RREQ flow is defined as the set of RREQ packets that have the same source and destination addresses, i.e. the same (SA, DA). In addition, we define that a RREQ


flow is new to a node if the interval between two successive receptions of this RREQ flow is greater than a given threshold w (w = one third of the simulation time).

1) Detection feature against address spoofing

In the ASF attack, each RREQ packet sent out by each attack node is allocated a random (SA, DA). Hence, when an ASF attack occurs, a large number of RREQ flows emerge in the network, and the majority of them are new to mobile nodes because these flows, identified by (SA, DA), are random and only appear once. On the other hand, this situation is not experienced in normal network scenarios. This is because, during normal communication, one connection usually holds for a certain period of time; even when RREQ packets are sent out to seek routes because of route breakage, the (SA, DA) of such RREQ packets does not change. In other words, this RREQ flow remains unchanged. In turn, it is very likely for a node to observe this RREQ flow multiple times, and at each reception this RREQ flow is not new to the node if we set w sufficiently long.

Based on the above consideration, we define the first detection feature (DF-1), the percentage of new RREQ flows, to identify the occurrence of the ASF attack. To obtain DF-1, each node in the network maintains a counter for each RREQ flow it receives. At the end of sample interval Δt_i, the node computes the total number of RREQ flows it received (TF_i), and judges each RREQ flow's status, new or not new, according to the definition of a new RREQ flow. In the end, the node finds the number of new RREQ flows (NF_i) and calculates the percentage of new RREQ flows

P_i = NF_i / TF_i.

By continually monitoring the RREQ flows over time, each node obtains a sequence of random variables {P_n}.

Once {P_n} is obtained, the work of detecting the ASF attack can be transformed into distinguishing the different changing trends of {P_n}: {P_n} has a significant increase when the ASF attack occurs and then remains at a high level as long as the attack lasts. On the other hand, {P_n} remains stably at a low level in the normal network situation. Although some increases of {P_n} may appear, they are intermittent and non-continuous.

2) Detection feature against non-address spoofing

In the NASF attack, each attacker uses a fixed (SA, DA) for all RREQ packets it sends out. Therefore, when the attack takes place, network nodes receive many identical RREQ flows in a certain number of successive sampling intervals. Moreover, this phenomenon persists as long as the attack lasts. However, this situation does not take place in normal network scenarios. This is because the occurrence of communication requests and route breakage is random. Accordingly, the sending of RREQ packets is random. From the probability point of view, it is very unlikely that many nodes experience the same circumstance in which RREQ packets need to be sent for multiple successive sampling intervals. In other words, the sets of RREQ flows observed in multiple successive sampling intervals, say L intervals, have few common elements (identical RREQ flows). Moreover, the greater L is, the fewer common elements there are.

Hence, we design the second detection feature (DF-2) to identify the NASF attack. To obtain DF-2, each node in the network records the RREQ flows it receives. At the end of sample interval Δt_i, it obtains a set of RREQ flows RF_i containing all RREQ flows it received in this sampling interval, RF_i = {F_{i,1}, F_{i,2}, ..., F_{i,j}}, where F_{i,j} represents RREQ flow j received by this node in Δt_i. Let S(RF_i) be the number of elements of RF_i. Then, each node can calculate

R_{i,L} = S(RF_{i-L+1} ∩ ... ∩ RF_{i-1} ∩ RF_i) / S(RF_i),

which means that at the current sampling interval Δt_i, the node finds R_{i,L} × S(RF_i) common RREQ flows received in L successive sampling intervals (the current one and the L − 1 preceding it). By monitoring R_{i,L} over time, each node obtains a sequence of random variables {R_{n,L}} as DF-2.

The trends of {R_{n,L}} in normal and NASF attack scenarios can be described as follows: {R_{n,L}} has a remarkable rise when the attack takes place, and remains at a high level as long as the attack lasts. On the other hand, it stays at a low level in normal network scenarios. Even if some special network scenarios cause an increase of {R_{n,L}}, the increase is bursty and intermittent. Similarly to {P_n}, the detection of the NASF attack can be transformed into identifying such changing trends of {R_{n,L}}.

After designing the two individual detection features, we now build the complete detection system by employing DF-1, DF-2 and the rate counting based detection feature proposed in [7, 8] (referred to as DF-3). This allows us to detect attacks with many variations caused by adjusting the attack model parameters n, r and f. For example, as shown in Section V, by using DF-1 in conjunction with DF-2, we can identify flooding attack variations caused by f, i.e. from ASF to NASF attacks and the intermediate cases (1 ≤ f ≤ T_a × r). Additionally, knowing that the more attack nodes participate in the attack, the more likely they are to be detected by DF-2, attackers in an NASF attack might reduce the number of attack nodes n to defeat DF-2. However, since achieving a certain degree of damage on the victim network needs a certain amount of attack traffic in terms of n × r [3], reducing n results in a significant increase of r. Such abnormally high values of r are easily detected by DF-3. As a result, as long as attackers want to cause a certain degree of damage, they are inevitably identified by the combination of DF-2 and DF-3 no matter how they adjust n and r: an abnormally high r obtained by reducing n is detected by DF-3, and a large n with low r is identified by DF-2.

In summary, the detection features we have proposed are:

• DF-1: the percentage of new RREQ flows;

• DF-2: the ratio of identical RREQ flows;


• DF-3: RREQ flow rate.

B. Nonparametric CUSUM Algorithm

As pointed out before, the detection of the flooding attack can be transformed into differentiating various changes in the detection features. Since the observation values of {P_n} and {R_{n,L}} are random variables, the detection of their changes can be modeled as sequential change point detection [11]. Its objective is to determine whether the observed variable series is statistically homogeneous and, if not, to find the point in time when the change happens.

The CUSUM algorithm is widely used in this area. The basic idea behind CUSUM is that if any change occurs in the observed statistical process, the probability distribution of the process changes correspondingly. CUSUM monitors the mean variations of a time series. It accumulates those values of the random variable that are significantly higher than the mean level under normal operation. Once these accumulated values exceed a given threshold, a change (or attack) is said to be detected. We adopt the nonparametric CUSUM method [10] to distinguish the different change trends of the detection features caused by the flooding attack and the normal network situation.

We consider the values of a detection feature as a random sequence, denoted {X_n}, whose mean α is much less than 1 in normal operation. When changes (attacks) take place, the mean of {X_n} jumps from α to α + h, where h is the lower bound of the increase during a change. We transform {X_n} to {Z_n} by (1)

Z_n = X_n − β   (1)

where β = α + a, with a chosen so that the mean of {Z_n}, which is α − β = −a under normal conditions, is negative, and becomes positive (h − a) when a change occurs. Then we obtain {y_n} using (2)

y_n = (y_{n−1} + Z_n)^+,  y_0 = 0   (2)

where x^+ is equal to x if x > 0, and 0 otherwise. {y_n} represents the accumulated positive values of {Z_n}. A large value of y_n strongly indicates an attack. The decision function can be described as follows:

d_N(y_n) = 0 if y_n < N;  d_N(y_n) = 1 if y_n ≥ N   (3)

N is the threshold for attack detection and d_N(y_n) represents the decision at time n: '1' if y_n reaches N, which indicates an attack, and '0' otherwise. N is calculated by (4)

N = (τ − m) × h / 2   (4)

where m is the moment when the change takes place and τ is the expected moment when the change is detected. Hence, (τ − m) is the expected minimum detection time. Equation (4) follows from (1) and (2): with a = h/2 as chosen below, the mean of Z_n under attack is h − a = h/2, so y_n grows by about h/2 per sample after the change and reaches N after (τ − m) samples.

As shown above, several parameters are involved in this algorithm. Their specification is important to the algorithm's performance. Firstly, the selection of α values in the detection procedure can be performed as follows: according to the network scenario (specified by network size, mobility and traffic load), α is given an initial value when detection begins. This initial value can be obtained by either off-line training or simulation. Once detection starts, α is updated periodically to represent the most accurate estimate of the mean of {X_n}. Then, we can estimate a conservative value of h as 1 − α, because the mean of {X_n} will have a significant increase, to approximately 1, when the flooding attack takes place. Based on h and α, the other parameters are set as follows [10]: a = h/2, β = α + a.

V. RESULTS AND DISCUSSION

To quantitatively evaluate the performance of our detection mechanism, we conduct the following simulation experiments, in which a MANET consisting of 100 nodes in a 1200 x 1200 terrain is built using the GloMoSim simulator. The mobility model is the random waypoint model (pause time 10s), and the normal network background traffic is generated using a CBR traffic pattern in which 50 CBR connections send 512-byte data packets at a rate of 2 packets/s. We implement various flooding attack scenarios by adjusting n, r and f. Then, we merge the attack traffic with the normal network traffic.

Fig. 1 and Fig. 2 conceptually and intuitively illustrate how {P_n} (the percentage of new RREQ flows) and {R_{n,L}} (the ratio of common RREQ flows) behave in normal network and flooding attack scenarios, and the effect of applying the CUSUM algorithm to them. The results are collected from node 23, which is randomly selected. In this simulation, the normal network scenario uses a 2m/s mobility model and 300kbps traffic load. Ten attack nodes generate the attack traffic by sending out RREQ packets at the rate of 1 packet/s. The attack starts at 900s and ends at 960s (T_a = 60s). We can see that, during the first 8-10 minutes of the simulation, {P_n} experiences several abnormally high values. This is because when the network starts to run, each network node knows nothing about the network, so every RREQ flow it receives is new. As network nodes learn more, {P_n} goes down and remains stable. We call this period the warm-up time, and ignore its values because they have little realistic merit. In the real world, skipping the warm-up period can be implemented by letting the network run for a similar period of time in an isolated environment. The results validate our prediction of the detection features' behaviour: they are low and remain stable in the normal scenario, although intermittent and sporadic bursts can occasionally be found. However, the flooding attack makes {P_n} and {R_{n,L}} increase significantly and remain at a high level. By using the CUSUM algorithm, intermittent bursts of {X_n} are eliminated (i.e. {y_n} is 0 most of the time in normal network operation), and successive high values are accumulated by {y_n}, which penetrates the threshold N.
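The following is an added worked example, not code from the paper or its authors, that puts Sections III.B, IV.A and IV.B together in one runnable piece: it generates a RREQ trace under the paper's (n, r, f, T_a) attack model on top of a constructed normal-traffic model, computes DF-1 (Δt = 30s) and DF-2 (Δt = 10s, L = 3) as defined above, and runs the nonparametric CUSUM with h = 1 − α, a = h/2, β = α + a and N = (τ − m)h/2. The normal-traffic model (50 long-lived connections that re-issue a RREQ every 360s, plus occasional route-breakage RREQs and one-off new connections), the 1200s simulation length (so w = 400s), the 600s warm-up, the off-line training window 600-800s used to estimate α, and the choice τ − m = one sample are assumptions of this example, not values from the paper. Flow identifiers such as S0/D0 and A0-0/B0-0 are placeholders.

```python
"""Added example: DF-1 / DF-2 flow features and nonparametric CUSUM on a
constructed RREQ trace. Not the paper's code; see the assumptions above."""
import random


def make_trace(n=0, r=1, f=1, t_start=900, t_a=60, duration=1200, seed=7):
    """Constructed trace of (time, SA, DA) RREQs received by one observer node.
    Normal traffic (assumed): 50 long-lived connections with fixed (SA, DA),
    each re-issuing a RREQ every 360 s, plus route-breakage RREQs (p=0.05/s)
    and one-off new connections (p=0.01/s). Attack traffic follows the paper's
    (n, r, f, T_a) model: n attackers, r RREQs/s each for T_a seconds, with the
    spoofed (SA, DA) changed after every f packets (f=1: ASF, f>=T_a*r: NASF)."""
    rng = random.Random(seed)
    conns = [(f"S{i}", f"D{i}") for i in range(50)]          # placeholder names
    trace = []
    for t in range(duration):
        for i, (sa, da) in enumerate(conns):
            if (t + 7 * i) % 360 == 0:                        # periodic RREQ
                trace.append((t, sa, da))
        if rng.random() < 0.05:                               # route breakage
            trace.append((t,) + rng.choice(conns))
        if rng.random() < 0.01:                               # brand-new flow, seen once
            trace.append((t, f"T{rng.randrange(10**6)}", f"U{rng.randrange(10**6)}"))
        if t_start <= t < t_start + t_a:
            for k in range(n):
                for j in range(r):
                    epoch = ((t - t_start) * r + j) // f      # address changes every f pkts
                    trace.append((t, f"A{k}-{epoch}", f"B{k}-{epoch}"))
    return trace


def flow_features(trace, dt, w, L, duration):
    """Per sampling interval of dt seconds:
       DF-1  P_i = NF_i / TF_i, share of flows new to the node (not received
             within the last w seconds);
       DF-2  R_{i,L} = |RF_{i-L+1} ∩ ... ∩ RF_i| / |RF_i|, share of the
             interval's flows also seen in the L-1 preceding intervals."""
    buckets = [[] for _ in range(duration // dt)]
    for t, sa, da in trace:
        if t < duration:
            buckets[t // dt].append((t, (sa, da)))
    last_seen, history, P, R = {}, [], [], []
    for bucket in buckets:
        first, last = {}, {}
        for t, flow in bucket:
            first.setdefault(flow, t)
            last[flow] = t
        new = sum(1 for flow, t0 in first.items()
                  if flow not in last_seen or t0 - last_seen[flow] > w)
        last_seen.update(last)
        rf = set(first)
        history.append(rf)
        P.append(new / len(rf) if rf else 0.0)
        common = set.intersection(*history[-L:]) if rf and len(history) >= L else set()
        R.append(len(common) / len(rf) if rf else 0.0)
    return P, R


def cusum(x, alpha, delay):
    """Nonparametric CUSUM [10] with the parameter rules of section IV.B.
    alpha: mean of x in normal operation; delay: expected detection delay
    tau - m in samples. Returns (y, N, index of first y_n >= N or None)."""
    h = 1.0 - alpha                 # conservative lower bound of the increase
    a = h / 2.0
    beta = alpha + a                # Z_n mean is -a normally, h - a under attack
    N = delay * h / 2.0             # equation (4)
    y, ys, alarm = 0.0, [], None
    for i, xn in enumerate(x):
        y = max(0.0, y + (xn - beta))           # equations (1), (2)
        ys.append(y)
        if alarm is None and y >= N:            # equation (3)
            alarm = i
    return ys, N, alarm


def run_detector(trace, duration=1200, warmup=600, train_end=800):
    """DF-1 with dt=30 s and DF-2 with dt=10 s, L=3 (section V settings).
    Warm-up samples are skipped, alpha is trained off-line on [warmup,
    train_end) and CUSUM runs from the end of warm-up with tau - m = 1 sample.
    Returns {feature: end time (s) of the alarming interval, or None}."""
    w = duration // 3                           # w = one third of simulation time
    P, _ = flow_features(trace, 30, w, 3, duration)
    _, R = flow_features(trace, 10, w, 3, duration)
    result = {}
    for name, x, dt in (("DF-1", P, 30), ("DF-2", R, 10)):
        lo, hi = warmup // dt, train_end // dt
        alpha = sum(x[lo:hi]) / (hi - lo)
        _, _, alarm = cusum(x[lo:], alpha, delay=1)
        result[name] = None if alarm is None else (lo + alarm + 1) * dt
    return result


if __name__ == "__main__":
    for label, kw in (("no attack", dict(n=0)),
                      ("ASF  n=10 r=1 f=1 ", dict(n=10, r=1, f=1)),
                      ("NASF n=10 r=1 f=60", dict(n=10, r=1, f=60))):
        print(label, run_detector(make_trace(**kw)))
```

Running the block prints, for a trace with no attack, an ASF attack (f = 1) and an NASF attack (f = 60, i.e. f = T_a × r), which feature raised an alarm and when (the end of the alarming sample interval, in seconds). Under these assumptions DF-1 fires only on the ASF trace and DF-2 only on the NASF trace, while the sporadic normal bursts never push y_n past N, which is the behaviour the paper reports for node 23. Note that with τ − m = 1 sample, β + N = 1 exactly, so a single sample can only trigger an alarm if the feature reaches 1.0; sustained high values are needed, which is the point of the accumulation.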

[Figure 1. Node 23 observation of DF-1: X_n, y_n and threshold N versus time (30s samples)]

[Figure 2. Node 23 observation of DF-2: X_n, y_n and threshold N versus time (10s samples)]

We use three metrics, Detection Rate, DR (%), Detection Time, DT (seconds), and False Positive Rate, FPR (false positive detections per hour), to evaluate our detection mechanism. A false positive detection refers to the situation where an activity is not intrusive but is reported as intrusive because it is anomalous. DR is the percentage of nodes in the network that detect the attack.

First of all, we validate the performance of the individual detection features DF-1 and DF-2 against the ASF and NASF attacks, respectively, in terms of DR, DT and FPR. We vary the normal network scenario by adjusting the maximum velocity of nodes and the traffic load. In addition, we load the ASF and NASF attacks onto the network. The results are recorded in Table I and Table II in the form DR/DT/FPR. We can see that our detection features have good performance: 100% DR in all cases (meaning all 100 nodes detect the attack), and DT ranging from 30s to 60s, which is an acceptable level in the real world [12]. In particular, DF-1 causes at most 4 false positive detections in one day (FPR ≤ 0.16 per hour). DF-2 has a relatively worse FPR of up to 2.98 per hour, i.e. about 72 per day. We believe the reason is that the sampling interval length used in DF-2 is 10 seconds, which is shorter than the Δt (30s) used in DF-1. The shorter Δt is, the fewer RREQ flows each node observes in one sample. Because each sample then rests on too few flows, normal network fluctuations can result in abnormal values of DF-2, and hence lead to false positive detections. Even so, this FPR is acceptable because users could spend a couple of hours each day validating these suspicious detections [13].

TABLE I. DETECTION PERFORMANCE OF DF-1 (ASF ATTACK), entries DR/DT/FPR

Traffic load (kbps) | Mobility (max velocity) 2m/s | 10m/s          | 20m/s
300                 | 100/38.4/0.06                | 100/50.4/0.02  | 100/42.6/0
400                 | 100/40.2/0.07                | 100/31.2/0.03  | 100/36.9/0
500                 | 100/32.1/0.16                | 100/32.1/0.02  | 100/30.9/0

TABLE II. DETECTION PERFORMANCE OF DF-2 (NASF ATTACK), entries DR/DT/FPR

Traffic load (kbps) | Mobility (max velocity) 2m/s | 10m/s          | 20m/s
300                 | 100/44.9/0.63                | 100/43.5/2.98  | 100/49.5/0.8
400                 | 100/43.6/0.89                | 100/49.9/0.55  | 100/46.9/0.9
500                 | 100/50.5/0.06                | 100/48.2/0.03  | 100/46/0.23


Secondly, we investigate the performance of combining DF-1 and DF-2 as a whole system. The normal background network traffic is 300 kbps CBR traffic. The maximum velocity of the mobility model is 10m/s. We vary f (from 1 to 60) to make the ASF attack gradually become an NASF attack. Restricting FPR and DT to a reasonable range [12, 13], i.e. FPR ≤ 0.41/hour and DT ≤ 60s, we examine the combination of DF-1 and DF-2 in terms of DR. As an important parameter affecting the detection performance, Δt is examined at different values. As shown by Fig. 3, DF-1 and DF-2 work in a supplementary way: each not only does its own job (i.e. DF-1 detects the ASF attack and DF-2 detects the NASF attack) but also makes up for the other's weakness. For example, in the best case, where Δt is 30s for DF-1 and 10s for DF-2, no matter how attackers vary f, the combination of DF-1 and DF-2 detects two thirds of all flooding attack variations with 100% detection rate. Even if we assume attackers know of the detection scheme and try their best to beat it (e.g. by selecting values of f from 30 to 50), we still have more than 0.8 probability (i.e. more than 80 nodes in the network) of identifying the attack. Moreover, we also notice that the selection of Δt has much more impact on DF-2 than on DF-1. The greater Δt is, the poorer DF-2 works. The reason is that the duration of a DoS attack is usually short (60s in this work); the greater Δt is, the fewer samples are collected during the attack. In the worst case, where Δt is 20s, network nodes cannot obtain sufficient samples (L = 3 in this work) before the attack ends.

[Figure 3. Performance of the combination of DF-1 and DF-2]

In this work, we take the DSR routing protocol as a case study to illustrate how the flooding attack is performed and detected. In fact, the flooding attack is also applicable to many other broadcast based protocols. For example, in the DSDV protocol, periodic broadcasting of routing table update packets is required in the routing procedure. To achieve the DoS purpose, attackers may broadcast massive numbers of forged update packets. Because some nodes may be unable to validate these broadcast packets, these nodes may re-broadcast them. In the end, the aggregated forged update packets can exhaust network bandwidth. On the other hand, no matter what protocols are involved, as long as broadcasting is used, the attack traffic triggers at least one of our detection features, and therefore can be detected.

VI. CONCLUSION

In this work, we investigate and characterize the flooding attack in MANET. Further, we propose two detection features, to which the nonparametric CUSUM algorithm is applied, to detect such attacks. We have shown that, in various scenarios (different network traffic loads and mobility), our detection mechanism can detect all NASF and ASF attacks (DR 100%), quickly (30s-60s) and with an acceptable false alarm rate (FPR ≤ 72 per day). Also, no matter how attackers change the appearance of attacks (e.g. by adjusting attack parameters), we can detect the majority, i.e. 80% detection rate in the worst case.

Key issues we will address in future work include: investigating how the CUSUM parameters, such as Δt, N and h, affect the detection performance and how to choose their optimal values; and the design and analysis of appropriate response mechanisms. Finally, we will investigate the applicability of flooding attacks and their detection mechanism to other protocols.

REFERENCES

[1] A. Mishra and K. M. Nadkarni, "Security in wireless ad hoc networks," The Handbook of Ad Hoc Wireless Networks, CRC Press, NY, 2003.
[2] E. M. Royer and C.-K. Toh, "A review of current routing protocols for ad-hoc mobile wireless networks," IEEE Personal Communications, vol. 6, pp. 46-55, Apr. 1999.
[3] Y. Guo and S. Gordon, "Defending multi-hop ad hoc networks against distributed flooding attacks that use address spoofing," Proc. ACoRN WMN Workshop, Sydney, Australia, July 2006.
[4] F. Ye, H. Luo, S. Lu, and L. Zhang, "Statistical en-route filtering of injected false data in sensor networks," Proc. INFOCOM, pp. 2446-2457, Hong Kong, March 2004.
[5] S. Zhu, S. Setia, and S. Jajodia, "An interleaved hop-by-hop authentication scheme for filtering false data in sensor networks," Proc. IEEE Symposium on Security and Privacy, pp. 259-271, USA, March 2004.
[6] W. Zhang and G. Cao, "Group rekeying for filtering false data in sensor networks: a predistribution and local collaboration-based approach," Proc. INFOCOM, pp. 503-514, Miami, USA, March 2005.
[7] S. Desilva and R. V. Boppana, "Mitigating malicious control packet floods in ad hoc networks," Proc. WCNC, pp. 2112-2117, LA, USA, 2005.
[8] P. Yi et al., "Resisting flooding attacks in ad hoc networks," Proc. Information Technology: Coding and Computing, vol. 2, pp. 657-66, Las Vegas, USA, 2005.
[9] J. Mirkovic et al., "A taxonomy of DDoS attacks and DDoS defence mechanisms," University of California, Technical Report #020018.
[10] T. Peng, C. Leckie, and R. Kotagiri, "Proactively detecting distributed denial of service attacks using source IP address monitoring," Proc. IFIP-TC6, pp. 771-782, Athens, Greece, May 2004.
[11] M. Basseville and I. V. Nikiforov, Detection of Abrupt Changes: Theory and Application, Prentice Hall, 1993.
[12] B. Yocom, K. Brown, and D. V. DerVeer, "Review: intrusion-detection products grow up," Network World, 10/08/2001.
[13] R. P. Lippmann et al., "Intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation," Proc. 2000 DARPA Information Survivability Conference and Exposition, Los Alamitos, USA, 2000.

