A computer network, often simply referred to as a network, is a collection of computers and devices connected by communication channels that facilitate communication among users and allow them to share resources and information (printers, files, etc.). Networks may be classified according to a wide variety of characteristics. The most common way is by the physical medium (hardware) used to interconnect the individual devices in the network. On this basis, the two types of network are wired networks and wireless networks.

1.1.1 Wired Networks

Wired networks are connected by means of physical cables. The connection is usually established with physical devices such as switches and hubs in between, which also regenerate the signal. These networks are usually more efficient and much faster than wireless networks. Once the connection is set up there is very little chance of it being lost. Usually, repeaters are used in between to increase the communication distance. Advantages of wired networks are:
• A wired network offers connection speeds of 100 Mbps to 1000 Mbps.
• Physical, fixed wired connections are not prone to interference or to fluctuations in available bandwidth, which can affect some wireless connections.
Disadvantages of wired networks compared with wireless networks are:
• Expensive to maintain, because of the many cables between computer systems; if a cable fails it is hard to replace, and replacement adds further cost.
• When a laptop has to be connected to the network, a wired network defeats much of the reason for buying a laptop in the first place.

1.1.2 Wireless Networks

A wireless network is any computer network that is wireless. In a wireless network, electromagnetic waves are used to connect two devices instead of a physical medium. The absence of physical wires makes this kind of network very flexible and reduces the installation and maintenance cost of the network. Advantages of wireless networks are:
• Mobile users have access to real-time information even when they are away from their home or office.
• Setting up a wireless system is easy and fast, and it eliminates the need to pull cables through walls and ceilings.
• The network can be extended to places which cannot be wired.
• Wireless networks offer more flexibility and adapt easily to changes in the configuration of the network.
Disadvantages of wireless networks are:
• Interference due to weather, other radio-frequency devices, or obstructions such as walls.
• The total throughput drops when multiple connections share the medium.
1.2 Types of Wireless Networks

One of the distinguishing features of wireless networks compared with wired networks is that data is transmitted from one point to another over wireless links: no wired link is needed between the two nodes, they only need to be within transmission range of each other. Wireless communication between mobile users is more popular than ever before. This is due to recent technological advances in mobile computers and wireless data communication devices, such as wireless modems and wireless LANs, leading to higher data rates; adoption of these advances by society has led to lower prices. These are the two main reasons why mobile computing continues to enjoy rapid growth. Devices commonly used for wireless networking include portable computers, desktop computers, hand-held computers, personal digital assistants (PDAs), cellular phones, pen-based computers and pagers. Wireless technologies serve many practical purposes. For example, mobile users can use their cellular phone to access e-mail. Travellers with portable computers can connect to the Internet through base stations installed at airports, railway stations and other public locations. Wireless networks have a few problems that must be dealt with. Since wireless networks operate on radio frequencies, they have to contend with the effects of radio communication such as noise, fading and interference. Wireless networks can be classified into two types:
• Infrastructure networks
• Infrastructure-less networks (ad hoc networks)

1.2.1 Infrastructure Networks

An infrastructure network has a fixed network topology. Wireless nodes connect through a fixed point known as a base station or access point. In most cases the access point or base station is connected to the main network through a wired link. The base station, or access point, is one of the most important elements in this type of network: all wireless connections must pass through it. Whenever a node is in the range of several base stations it connects to one of them on the basis of some criterion.

1.2.2 Ad Hoc Networks (Infrastructure-less Networks)

Ad hoc networks, also called infrastructure-less networks, are complex distributed systems consisting of wireless links between the nodes, where each node also works as a router and forwards data on behalf of other nodes. Nodes are free to join or leave the network without any restriction, so the network has no permanent infrastructure. In ad hoc networks the nodes can be stationary or mobile, so ad hoc networks have two basic forms: static ad hoc networks (SANETs) and mobile ad hoc networks (MANETs). With the introduction of new technologies such as IEEE 802.11, commercial implementation of ad hoc networks has become possible. One of the good features of such networks is their flexibility: they can be deployed very easily, which makes them suitable for emergency situations. On the other hand, the operation of an ad hoc network is also very difficult to manage. Each node is responsible for handling its own operation independently. Topology changes are very frequent, so an efficient routing protocol is needed.
1.3 Mobile Ad-Hoc Networks (MANET)

A mobile ad hoc network is a collection of mobile hosts that roam at will and communicate with each other. These mobile networks are different from traditional wireless networks: they have no fixed topology, no base-station support and no fixed routers. A MANET has multi-hop communication capability. There is no centralized administration or backbone network to support it. In these networks each node works as an independent router. Each host uses wireless RF transceivers as its network interface [30]. Example applications of MANETs are emergency search-and-rescue operations, and meetings or conventions where users need to deploy a network immediately, without base stations or fixed network infrastructure. Figure 1.1 shows a simple ad hoc network of three mobile hosts using wireless network interfaces. The outermost nodes are not within transmitter range of each other; however, the middle node can forward packets between them. The middle node is acting as a router, and the three nodes form an ad hoc network.

Wireless ad hoc networks take advantage of the nature of the wireless communication medium. In a wired network the physical cabling is done a priori, restricting the connection topology of the nodes. This restriction is not present in the wireless domain: provided that two nodes are within transmitter range of each other, an instantaneous link between them may form. Various features of mobile ad hoc networks are:

• Self-organizing: Every time a mobile host moves, it needs to rediscover which mobile hosts are reachable. It does this by sending a "ping" message in all directions and listening for the corresponding "pong" messages. The strength of the "ping" message weakens as distance increases, giving the mobile host a limited range within which "ping" messages can be "heard". This range is called the scan range of the mobile host.
• Fully decentralized: No central server exists in a MANET environment. Therefore every mobile host is equally important within the network. Every node acts both as a host and as a router. A node can be viewed as an abstract entity consisting of a router and a set of affiliated mobile hosts (Figure 1.2).
• Highly dynamic: The topology of a MANET can change very rapidly. Within MANET systems, communication endpoints frequently move independently of one another.
• Low cost: Wireless ad hoc networks are built from low-cost transceivers and do not incur charges for a provider's access and airtime.
• Limited physical security: The broadcast nature of wireless networks lends itself to passive eavesdropping attacks in which the malicious nodes are never detected. By exploiting specific aspects of the wireless routing protocols in use, more damaging attacks are possible.
• Broadcast nature of the medium: Unlike traditional networks, the mobile devices must rely on the broadcast nature of the wireless medium. Issues such as the hidden terminal problem make routing more complex.
• Frequent network partitions: Network partitions are potentially frequent. This may mean that simply no path exists from one mobile node to another, because the intermediate routing stations have moved too far apart.
1.4 Routing

Routing is the act of moving information from a source to a destination across an internetwork. During this process at least one intermediate node within the internetwork is encountered. The concept is not new to computer science, but it has only recently achieved popularity. The major reason is that earlier networks were very simple and homogeneous environments; now high-end and large-scale internetworking has become popular with the latest advances in network and telecommunication technology. Routing basically involves two activities: first, determining optimal routing paths, and second, transferring the information groups (called packets) through the internetwork. The latter is called packet switching, which is straightforward; path determination can be very complex. Routing protocols use several metrics to calculate the best path for routing packets to their destination. A metric is a standard measurement, such as the number of hops, that the routing algorithm uses to determine the optimal path for a packet to its destination. For path determination, routing algorithms initialize and maintain routing tables, which contain the route information needed to forward packets. This route information varies from one routing algorithm to another. Routing tables are filled with a variety of information generated by the routing algorithms. The most common entries in a routing table are an address prefix and a next hop.

A routing table's destination/next-hop associations tell the router that a particular destination can be reached optimally by sending the packet to the router representing the "next hop" on the way to the final destination, and the address prefix specifies the set of destinations for which the routing entry is valid. Switching is relatively simple compared with path determination. The idea is that a host determines that it should send a packet to another host. By some means it acquires the router's address and sends the packet addressed specifically to the router's MAC address, with the protocol address of the destination host. The router then examines the protocol address and checks whether it knows how to forward the packet towards its destination. If it does, it forwards the packet; if it does not, it drops the packet.
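The two routing activities described above, as an added Python illustration (not code from this thesis): path determination is done with a plain hop-count distance-vector exchange, and switching forwards a packet using only the next-hop entries, dropping it at a node that has no entry. The topology and node numbers are constructed for the example.

```python
# Added example: path determination (hop-count distance vector) and packet switching.
# Nodes are integers; the topology is constructed, not taken from the thesis.
INF = float("inf")


def distance_vector(links):
    """Each node starts knowing only itself, then adopts a neighbour's advertised
    (hops + 1, via that neighbour) whenever it is shorter, until nothing changes.
    Returns {node: {dest: (hops, next_hop)}}; the metric is the number of hops."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    table = {n: {n: (0, None)} for n in adj}
    changed = True
    while changed:
        changed = False
        for n in adj:
            for nb in adj[n]:
                for dest, (hops, _) in list(table[nb].items()):   # nb's advertised vector
                    if hops + 1 < table[n].get(dest, (INF, None))[0]:
                        table[n][dest] = (hops + 1, nb)
                        changed = True
    return table


def switch(table, src, dst):
    """Forward hop by hop using only next-hop information; a node without an
    entry for the destination drops the packet, as described in the text."""
    path = [src]
    while path[-1] != dst:
        entry = table[path[-1]].get(dst)
        if entry is None:
            return path, "dropped"
        path.append(entry[1])
    return path, "delivered"


# Constructed topology: two paths between 0 and 3; nodes 8 and 9 form a separate island.
LINKS = [(0, 1), (1, 2), (2, 3), (0, 4), (4, 3), (8, 9)]
```

distance_vector(LINKS)[0][3] is (2, 4): node 0 reaches node 3 in two hops via node 4, and switch(table, 0, 3) follows that entry hop by hop, while switch(table, 0, 9) stops at node 0 with "dropped" because no router on the island side ever advertised a prefix to it.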
1.5 Security Issues

As MANETs become widely used, security has become one of the primary concerns. For example, most of the routing protocols proposed for MANETs assume that every node in the network is cooperative and not malicious [11]. Therefore a single compromised node can cause the failure of the entire network. The success of MANETs strongly depends on whether their security can be trusted. However, the characteristics of MANETs pose both challenges and opportunities in achieving the security goals of confidentiality, authentication, integrity, availability, access control and non-repudiation. There are a wide variety of attacks that target the weaknesses of MANETs. For example, routing messages are an essential component of mobile network communications, as each packet must be passed quickly through the intermediate nodes it traverses from source to destination. Malicious routing attacks can target the route discovery or maintenance phase by not following the specifications of the routing protocol. Attackers also exploit weaknesses in protocols working at various layers; for example, the blackhole attack exploits weaknesses in the route discovery process of AODV. The mobile hosts forming a MANET are normally mobile devices with limited physical protection and resources. Security modules, such as tokens and smart cards, can be used to protect against physical attacks. Cryptographic tools are widely used to provide powerful security services such as confidentiality, authentication, integrity and non-repudiation. Unfortunately, cryptography cannot guarantee availability; for example, it cannot prevent radio jamming.

Meanwhile, strong cryptography often demands heavy computation overhead and requires auxiliary, complicated key distribution and trust management services, which are mostly restricted by the capabilities of the physical devices (e.g. CPU or battery). The characteristics and nature of MANETs require the strict cooperation of the participating mobile hosts. A number of security techniques have been invented and a list of security protocols has been proposed to enforce cooperation and prevent misbehaviour. However, no preventive approach is perfect or capable of defending against all attacks. A second line of defence, intrusion detection systems (IDS), has therefore been proposed and applied in MANETs. IDSs are among the latest security tools in the battle against attacks. Intrusion detection can be defined as the process of monitoring activities in a system, which can be a computer or a network system. The mechanism by which this is achieved is called an intrusion detection system (IDS). An IDS collects activity information and then analyzes it to determine whether there are any activities that violate the security rules. Once an IDS determines that an unusual activity, or an activity known to be an attack, is occurring, it generates an alarm to alert the security administrator. In addition, an IDS can also initiate a proper response to the malicious activity.
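The collect, analyze, alarm and respond loop described above, as an added Python sketch (not the thesis's fuzzy system, which is not reproduced here, and not ns-2 code). It applies one assumed rule: an RREP that advertises a destination sequence number far above anything previously seen for that destination is treated as a blackhole indicator, and the replier is blacklisted. The trace lines and their format are constructed for the example.

```python
# Added example: a sequence-number jump detector over overheard AODV RREPs.
# The rule (fixed threshold) and the trace format are assumptions of this example.
import re
from collections import defaultdict

# Constructed trace of RREPs overheard by a monitoring node; node 7 behaves as a blackhole.
TRACE = """\
t=0.10 RREP from=4 dst=5 dseq=3
t=0.12 RREP from=2 dst=5 dseq=3
t=0.50 RREP from=7 dst=5 dseq=3003
t=0.90 RREP from=4 dst=5 dseq=4
t=1.20 RREP from=7 dst=9 dseq=5000
t=1.40 RREP from=3 dst=9 dseq=6
"""
LINE = re.compile(r"t=(\S+) RREP from=(\d+) dst=(\d+) dseq=(\d+)")


def parse(trace):
    """Yield (t, replier, dest, dseq) per RREP line; malformed lines are skipped."""
    for line in trace.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            t, src, dst, seq = m.groups()
            yield float(t), int(src), int(dst), int(seq)


class SeqJumpDetector:
    """Collect: one RREP at a time. Analyze: compare the advertised destination
    sequence number with the highest value accepted so far for that destination.
    Alarm: record an alert when the jump exceeds `threshold`. Respond: blacklist
    the replier so its later RREPs are dropped instead of being acted on."""

    def __init__(self, threshold=100):
        self.threshold = threshold
        self.max_seen = defaultdict(int)      # dest -> highest dseq accepted so far
        self.blacklist, self.alerts = set(), []

    def observe(self, t, src, dst, seq):
        if src in self.blacklist:
            return "dropped"                  # response already in force
        if seq - self.max_seen[dst] > self.threshold:
            self.alerts.append((t, src, dst, seq))
            self.blacklist.add(src)           # response: isolate the replier
            return "alert"
        self.max_seen[dst] = max(self.max_seen[dst], seq)
        return "ok"


def run(trace=TRACE, threshold=100):
    """Replay a trace through the detector; returns verdicts, alerts and blacklist."""
    det = SeqJumpDetector(threshold)
    verdicts = [det.observe(*ev) for ev in parse(trace)]
    return verdicts, det.alerts, sorted(det.blacklist)
```

With the constructed trace, run() flags node 7 at t=0.50 (3003 against a high-water mark of 3) and drops its later RREP for destination 9, while the honest replies pass. The fixed threshold is the weak point: a legitimate first RREP for a destination with a genuinely high sequence number would be flagged, and a blackhole that inflates the number only slightly would be missed; run(threshold=10000) on the same trace accepts everything. That tuning problem is what a fuzzy classifier is meant to soften.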
1.6 Objective

The objective of this work is to investigate a proposed fuzzy-based intrusion detection system against the blackhole attack on AODV in MANETs by evaluating its performance in different environments. The analysis is done theoretically and through simulations. The objectives of this work are summarized as:
• To get a general understanding of ad hoc networks and the AODV protocol.
• To get a general understanding of the blackhole attack.
• To propose a fuzzy-based intrusion detection system against the blackhole attack.
• To simulate the IDS in the well-known simulator ns-2.
1.7 Thesis Outline

Chapter 1 gives a brief idea of the background and objective of this work. Chapter 2, Literature Review, discusses the basic details of MANETs and the basics of AODV; various active routing attacks in MANETs are discussed and, at the end, the basics of various intrusion detection systems against the blackhole attack. Chapter 3 formulates the problem by discussing the issues in current IDSs for AODV. Chapter 4 proposes the fuzzy-based intrusion detection system against the blackhole attack in AODV. Chapter 5, Simulation Details, gives a brief review of the ns-2 simulation environment used. Chapter 6, Results and Analysis, presents the various results generated from the simulations. These results are shown in graphical form so that a fair comparison can be made between the proposed system and the existing system. At the end a brief summary of the work is presented with conclusions and directions for future work. The Appendix provides a general understanding of the routing parameters and trace formats of wireless networks in ns-2.
CHAPTER 2: LITERATURE REVIEW

A MANET is referred to as a network without infrastructure because the mobile nodes in the network dynamically set up temporary paths among themselves to transmit packets. In a MANET, a collection of mobile hosts with wireless network interfaces forms a temporary network without the aid of any fixed infrastructure or centralized administration. Nodes within each other's wireless transmission range can communicate directly; however, nodes outside each other's range have to rely on their neighbouring nodes to relay messages [29]. Thus a multi-hop scenario occurs, where several intermediate hosts relay the packets sent by the source host before they reach the destination host. Every node functions as a router. The success of communication depends highly on the cooperation of the other nodes. At a given time, the system can be viewed as a random graph, owing to the movement of the nodes, their transmitter/receiver coverage patterns, the transmission power levels and the co-channel interference levels. The network topology may change with time as the nodes move or adjust their transmission and reception parameters. Thus a MANET has several salient characteristics [36]:
• Dynamic topology
• Resource constraints
• No infrastructure
• Limited physical security

All these characteristics of MANETs make them more vulnerable to attack. One such attack is the black hole attack. In the black hole attack a malicious node absorbs all data packets in itself; in this way, all packets in the network are dropped. A malicious node dropping all the traffic in the network makes use of the vulnerabilities of the route discovery packets of on-demand protocols such as AODV. In the route discovery process of the AODV protocol, intermediate nodes are responsible for finding a fresh path to the destination by sending discovery packets to their neighbour nodes. Malicious nodes do not use this process; instead they immediately respond to the source node with false information, as though they had a fresh enough path to the destination. The source node therefore sends its data packets to the destination via the malicious node, assuming it is a true path. Thus the characteristics and nature of MANETs require the strict cooperation of the participating mobile nodes. There should be a strong detection technique that can work on real-time variables to find out intrusions in the network. Subsequent actions can then be taken based on the information collected by the detection system. This chapter presents a brief overview of AODV, a routing protocol used in MANETs, the various security issues in MANETs, and the various intrusion detection systems reported in the literature on wireless ad hoc networks. Section 2.1 discusses the basic operation of AODV. Section 2.2 presents the various security goals of ad hoc networks. The various security challenges that MANETs face are described in Section 2.3. Section 2.4 gives details of various routing attacks on AODV. The various security schemes used in MANETs are discussed in Section 2.5. Section 2.6 describes the study of various intrusion detection systems used in MANETs.
2.1 AODV Routing Protocol

The Ad hoc On-Demand Distance Vector (AODV) protocol [28] is designed specifically to address the routing problems of ad hoc wireless networks and provides communication between mobile nodes with minimal control overhead and minimal route acquisition latency [21]. AODV is a reactive protocol: it creates a route when it is needed and does not require nodes to maintain routes to destinations that are not in use. AODV enables multi-hop routing between participating mobile nodes wishing to establish and maintain an ad hoc network. AODV is based on the distance vector algorithm. As long as the endpoints of a connection have valid routes to each other, AODV plays no role. It is a loop-free protocol. Additionally, it supports multicast routing and avoids the Bellman-Ford "counting to infinity" problem [39]. It converges quickly when the network topology changes. The use of destination sequence numbers guarantees that a route is "fresh". The algorithm uses different messages to discover and maintain links. Whenever a node wants to find a route to another node, it broadcasts a Route Request (RREQ) to all its neighbours. The RREQ propagates through the network until it reaches the destination or a node with a fresh route to the destination; the route is then made available by unicasting a Route Reply (RREP) back to the source. AODV enables mobile nodes to respond to link breakages and changes in the network topology in a timely manner [10]. The algorithm uses hello messages (a special RREP) that are broadcast periodically to the immediate neighbours. These hello messages are local advertisements of the continued presence of the node, and neighbours using routes through the broadcasting node will continue to mark those routes as valid. If hello messages stop coming from a particular node, its neighbours can assume that the node has moved away, mark the link to that node as broken, and notify the affected set of nodes by sending a link failure notification (an unsolicited RREP in early versions of AODV; a Route Error, RERR, in later versions). AODV also has a multicast route invalidation message. In the following sections the properties of AODV are presented along with the operational details of its most fundamental functions, namely route discovery and route maintenance.
2.1.1 Properties

As mentioned earlier, AODV provides loop freedom, which is accomplished through the use of sequence numbers. Every node maintains its own sequence number, which it increases monotonically each time it learns of a change in the topology of its neighbourhood. This sequence number ensures that the most recent route is selected whenever a route discovery process is executed. In addition, in multicast-enabled AODV each multicast group has its own sequence number, which is maintained by the multicast group leader [21]. Furthermore, AODV is able to provide unicast, multicast and broadcast communication. Having all three communication forms in a single protocol offers numerous advantages: when searching by multicast route discovery, the unicast routing knowledge increases, and vice versa. In mobile environments any reduction in control overhead is a significant advantage. Additionally, having all three communication forms in a single protocol simplifies the implementation of the protocol. Route tables are used in AODV to store the applicable routing information. AODV uses both a route table for unicast routes and a multicast route table for multicast routes. The unicast route table includes information about the destination, the next-hop address and the destination's sequence number. For each destination a node maintains a list of precursor nodes, which route through it in order to reach that destination [21]. This list is maintained for the purpose of route maintenance in case of a link breakage. Additionally, a lifetime is associated with each route table entry, which is updated whenever the route is successfully used. When an entry's lifetime expires because the route was not used, it is removed from the routing table; if the route is needed again, it is reacquired through a route discovery process. AODV is able to maintain both unicast and multicast routes even for nodes with mobility. It also provides a quick mechanism for detecting invalid routes through the use of Route Error (RERR) messages. The protocol is able to respond to topological changes that affect active routes in a quick and timely manner. When nodes in the network move and the topology changes, or the links in an active path break, the intermediate node that discovers the link breakage propagates an RERR packet, and the source node re-initiates path discovery if it still desires the route. This ensures a quick response to broken links. Finally, because it does not use source routing, it introduces no additional per-packet overhead, since it requires only next-hop routing information.
2.1.2 Route Discovery

When a node wishes to communicate with some destination node, it checks whether a route to this destination is available and valid in its routing table. If the route is available, it starts the communication right away; if the route is either unavailable or expired, a route discovery process has to be initiated. To initiate route discovery the source node sends an RREQ packet. The format of the route request packet is illustrated in Figure 2.1. After creating the RREQ packet the node sets a timer and waits for a route reply (RREP) message [10].

Figure 2.1: The format of the Route Request (RREQ) packet

An intermediate node, upon receiving an RREQ packet, checks whether it has seen it before by examining the pair formed by the originator's address and the RREQ broadcast ID. Each node maintains a list of the originator and RREQ broadcast ID pairs for each route request it receives. This information remains in the list for a finite period of time and is used to avoid flooding attacks or anomalous node behaviour. If the intermediate node has already seen this RREQ it silently discards the packet. If it has not seen this RREQ within this finite period, it starts processing it. The first step is to set up the reverse route in its routing table. The reverse route contains the originator address, the sequence number, the number of hops required to reach the source node and the neighbour from which it received the packet. This step is essential, since the reverse route is used to forward the RREP back. Figure 2.2 illustrates the propagation of an RREQ along with the formation of the corresponding reverse routes.

For an intermediate node to reply to an RREQ it must have an unexpired entry for the destination in its routing table. Additionally, the sequence number associated with that destination must be greater than or equal to the one indicated in the RREQ packet. If the entry satisfies these two conditions then it unicasts an RREP back to the source of the RREQ, incrementing the hop count by one. The structure of the RREP and the fields it contains are presented in Figure 2.3 [10]. If none of the intermediate nodes is able to reply, the RREQ eventually reaches the destination node. When the destination node sends the RREP it places its current sequence number in the packet, initializes the hop count to zero and places the length of time for which this route is valid in the RREP's Lifetime field [10].

Figure 2.3: Format of a Route Reply (RREP)

If this is the first time the source node communicates with this destination, the destination sequence number will not be known and therefore will not be included in the RREQ packet. When an intermediate node receives the RREP it uses the reverse route established for the RREQ to forward the packet towards the source, but before doing so it increments the hop count by one. Figure 2.4 illustrates the path of an RREP from the destination to the source node.

Figure 2.4: Propagation of an RREP message from destination to source node

It is possible that the source node will receive more than one RREP from its neighbours. In this case it uses the first RREP that it receives; upon receiving another reply it checks whether the later packet contains a greater destination sequence number or, at an equal sequence number, a smaller hop count, meaning that it provides a fresher or shorter route. In that case it updates the route entry with the new values; otherwise the reply packet is discarded. Note that freshness dominates: a reply carrying a higher destination sequence number replaces the current route regardless of hop count.

2.1.3 Route Maintenance
#nce the route between the source and the destination nodes is established it is maintained for the source node as long as it remains active. f the source node moves during an active session, it can simply reinitiate a route discovery process proce ss and establish a new route rou te to the destination and continue communication. "owever, if either the destination or an intermediate node moves a 888 packet is sent to the source affected nodes. The 888 packet header fields are illustrated in figure 3.? 9&':. The 888 message is initiated by the node upstream of the link failure which is closer to the source. f the node upstream of the break has listed more that one nodes as a precursor node for the destination, it broadcasts the 88 to these neighbors.
hen the neighbor nodes receive the 888 packet they mark the route to the destination &E
as invalid by setting the distance to this destination node to infinity, and if they have any precursor list of their own they propagate this message forward to their precursor nodes. hen the 888 reaches the source node it can reinitiate a route discovery if the route is still needed.
/i-ure 2.6: Route m#i"te"#"$e
In figure 2.6 the route maintenance procedure is illustrated. In figure 2.6(a) the route from source to destination contains the nodes 1, 2, 4, and 5. When node 4 decides to move to position 4' it breaks the connectivity with node 2. Node 3, being the closest upstream neighbor to the link loss, sends a RERR to node 1. Node 1 upon reception of the RERR packet marks the route as invalid and then forwards the RERR to the source node, which reinitiates a route discovery process since it still requires communication with the destination node. The new route that was created is presented in figure 2.6(b), where node 4 was replaced by node 3. RERRs are also sent when a node receives data packets for a destination that is not listed in its routing table [10]. In this way the node without the route that is receiving the data packets can inform its upstream neighbor that it should stop sending them, so that they are not constantly discarded.
2.2 Security Goals
An ad hoc network can be considered secure if it holds the following attributes [23].
• Availability: It should ensure that the network manages to provide all services despite denial of service attacks. A denial of service attack can be launched at any layer of an ad hoc network. On the physical and media access control layer a malicious user can employ jamming in order to interfere with signals in the physical layer. On the network layer, a malicious user can disrupt the normal operation of the routing table in various ways. Lastly, on the higher layer, a malicious user can bring down high-level services such as the key management service.
• Confidentiality: It should ensure that certain information is never disclosed to unauthorized users. This feature is mostly desired when transmitting sensitive information such as military and tactical data. Routing information must also be confidential in some cases when the user's location must be kept secret.
• Integrity: Guarantees that the message that is transmitted reaches its destination without being changed or corrupted in any way. Message corruption can be caused by either a malicious attack on the network or by radio propagation failure.
• Authentication: It should enable a node to be sure of the identity of the nodes with which it communicates. When there is no authentication scheme a malicious node can behave as some other node and gain unauthorized access to resources or sensitive information.
• Non-repudiation: It should ensure that the originator of a message cannot refuse sending this message. This attribute is useful when trying to detect isolated compromised nodes.
• Access and usage control: Access control ensures that access to information is controlled by the ad hoc network. Usage control ensures that the information resource is used correctly by the authorized node having the corresponding rights.
2.3 Security Challenges
The prominent features of ad hoc networks pose both challenges and opportunities in achieving the proposed security goals. The main security challenges that ad hoc networks face are discussed in this section [15]. One of the main challenges that ad hoc networking faces is related to the use of wireless links. Due to the use of the wireless medium an ad hoc network is vulnerable to link attacks ranging from passive eavesdropping to active impersonation, message replay and message corruption. An adversary can easily eavesdrop on network traffic by placing a wireless enabled device within the range of the ad hoc network and capture routing and application packets. By eavesdropping the malicious node can gain access to secret information and violate the confidentiality requirement. Passive attacks like eavesdropping are very hard to detect since they do not present any significant pattern or impact on the performance of the network. Active attacks may allow a malicious node to delete or inject erroneous messages into the network traffic, modify messages and impersonate another node, hence violating availability, integrity, authentication and non-repudiation. As opposed to passive attacks, active attacks can be detected and limited with the utilization of various schemes. Moreover, nodes that roam in hostile environments with relatively poor physical protection face a greater probability of being compromised. Therefore, attacks against the ad hoc network can be launched from within the network by compromised or malicious nodes. In order to be able to claim high availability in such an environment, an ad hoc network should have a distributed protection architecture with no central entities. The introduction of any central entity into a security solution could lead to a significant vulnerability, since the possibility of the centralized component of the security scheme becoming compromised cannot be eliminated. Due to the dynamic nature of an ad hoc network both its topology and membership can change arbitrarily. This fact prevents the establishment of long-lived trust relationships among the participating nodes. Unlike other wireless mobile networks, like mobile IP [31], nodes in ad hoc networks may dynamically become affiliated with different administrative domains. Thus, any security solution with static configuration will not be sufficient. It is desirable for a security mechanism to adapt on the fly to these changes. Finally, an ad hoc network is not limited to a specific number of participating nodes. Even though it has not been practically attempted, ad hoc networks can theoretically be composed of hundreds or even thousands of nodes. Therefore a security mechanism, in order to be able to sufficiently accomplish its tasks, has to be scalable and able to handle arbitrarily large networks.

2.4 Active Routing Attacks
Unlike passive attacks, active attacks can be detected and eventually avoided by the legitimate nodes that participate in an ad hoc network. A malicious node may perform an active attack in order to disable a service or in order to conserve energy. An active attack may either be directed to disrupt the normal operation of a specific node or target the performance of the ad hoc network as a whole. In this section the most important active attacks are presented that can easily be performed by an internal node against the utilised ad hoc routing protocol [36].
• Black Hole: In this attack, a malicious node uses the routing protocol to advertise itself as having the shortest path to the destination node of the packet that was intercepted. This attack can be easily implemented in AODV during the route discovery process. Upon reception of a route request the malicious node can guarantee that its reply will be preferred by the source node by either significantly increasing the destination sequence number or by advertising a considerably shorter path. Once the forged route has been established the malicious node is able to become a member of the active route and intercept the communication packets. The outcomes of this attack can vary. The malicious node can either stop after inserting the false route information in the network and aim at creating instability and unnecessary network traffic, or drop all incoming application packets for the specific destination and perform a denial-of-service attack. This attack can also be used by the malicious node as the first step to a man-in-the-middle attack.
• Routing Table Overflow: In a routing table overflow attack the attacker attempts to create routes to non-existing nodes. The goal is to create enough routes to prevent new routes from being created or to overwhelm the protocol implementation. Proactive routing protocols are more vulnerable to this attack, since they attempt to create and maintain routes to all possible destinations. A malicious node can implement this attack by simply sending excessive route advertisements to the network. Implementing this attack against a reactive protocol like AODV is slightly more complicated since two nodes are required. The first node should make a legitimate request for a route and the malicious node should reply with a forged address.
• Resource Consumption: This attack aims at flooding the network with routing traffic in order to consume battery life from the nodes and available bandwidth from the ad hoc network. The malicious node continually requests routes for either existing or non-existing destinations, forcing the neighboring nodes to process and forward these packets and therefore consume batteries and network bandwidth, hindering the normal operation of the network.
• Dropping Routing Traffic: It is essential in the ad hoc network that all nodes participate in the routing process. However, a node may act selfishly and process only routing information that is related to itself in order to conserve energy. This behavior can create network instability or even segment the network.
• Location disclosure: A location disclosure attack can reveal information related to the location of a node or the topology and structure of the network. The information gained might reveal which other nodes are adjacent to the target or the physical location of a participating node. The attack can be implemented by using a command similar to trace route that exists in Unix-like systems, or with the use of the time-to-live attribute of the routing packet and the addresses of the devices by sending ICMP error messages. In the end, the attacker knows which nodes are situated on the route to the target node. If the locations of some of the intermediary nodes are known, one can gain information about the location of the destination node as well. There are several other similar active attacks presented in the literature [16] but they exploit more or less the same routing protocol vulnerabilities to achieve their goals.
2..5 ,e$uri ,e$ urit t ,$%em ,$% emes es
There are two main approaches currently utilized in securing ad hoc environments. The first is the intrusion detection approach, which aims at enabling the participating nodes to detect and avoid malicious behavior in the network without changing the underlying routing protocol or the underlying infrastructure. Although the intrusion detection field and its applications are widely researched in infrastructure networks, it is rather new and faces greater difficulties in the context of ad hoc networks. The second approach is secure routing, which aims at designing and implementing routing protocols that have been designed from scratch to include security features. Mainly the secure protocols that have been proposed are based on existing ad hoc routing protocols like AODV and DSR but redesigned to include security features. In the following sections we briefly present the two approaches to realizing security schemes that can be employed in ad hoc networking environments.
2.5.1 I"trus I"t rusio io" " Dete$t Det e$tio" io"
Intrusion is defined as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource" [33]. Intrusion protection techniques work as the first line of defense. However, intrusion protection alone is not sufficient since there is no perfect security in any system, especially in the field of ad hoc networking due to its fundamental vulnerabilities. Therefore, intrusion detection can work as the second line of protection to capture audit data and perform traffic analysis to detect whether the network or a specific node is under attack [22]. Once an intrusion has been detected at an early stage, measures can be taken to minimize the damage or even gather evidence to inform other legitimate nodes about the intruder and maybe launch countermeasures to minimize the effect of the active attacks. An intrusion detection system (IDS) can be classified as network-based or host-based according to the audit data that is used. Generally, a network-based IDS runs on a gateway of a network and captures and examines the network traffic that flows through it. Obviously this approach is not suitable for ad hoc networks since there is no central point that allows monitoring of the whole network. A host-based IDS relies on capturing the network traffic local to the specific host. This data is analyzed and processed locally on the host and is used either to secure the activities of this host, or to notify another participating node of the malicious action of the node that performs the attack. The intrusion detection techniques can be categorized into misuse detection and anomaly detection [22]. Misuse detection uses patterns of well-known attacks to match and identify known intrusions. This technique can accurately and effectively detect instances of known attacks. However, this technique is unable to detect newly invented attacks. In ad hoc networking, due to its dynamic nature, it is difficult, but not impossible, to define traffic patterns that indicate an attack. The anomaly detection technique observes activities and network traffic that significantly deviate from the established normal usage and identifies intrusions. Thus, after the normal behavior of the network traffic has been established this technique does not require any prior knowledge of the attack, and for that reason it can detect newly invented attacks. However, this technique produces a greater percentage of false alarms since normal routing operation is difficult to define, especially in an ad hoc network. Some intrusion detection systems have been proposed for ad hoc environments [17] and they are presented in more detail in the following chapter.
2.5.2 Secure Routing
This approach attempts to design secure routing protocols for ad hoc networks. These protocols are either completely new stand-alone protocols, or in some cases incorporations of security mechanisms into existing protocols like AODV and DSR. Generally the existing secure routing protocols that have been proposed can be broadly classified into two categories: those that use hash chains, and those that require predefined trust relationships in order to operate. The Secure Efficient Ad hoc Distance vector routing protocol (SEAD) [14] employs hash chains to authenticate hop counts and sequence numbers. SEAD is based on the design of the proactive ad hoc routing protocol DSDV. The SEAD protocol has as a minimum requirement the utilization of a clock synchronization mechanism or the establishment of a shared secret between each pair of nodes. It provides loop freedom and protects the nodes from impersonation and several other attacks. Another secure routing protocol is Ariadne [14]. Unlike SEAD, Ariadne is based on a reactive protocol, namely DSR, and it follows an end-to-end approach for building a security mechanism. Ariadne assumes the existence of a shared secret key between two nodes and uses a message authentication code (MAC) in order to authenticate point-to-point messages between nodes [14]. An additional routing protocol that utilises hash chains to provide security features is the Secure Ad hoc On-demand Distance Vector (SAODV) [14]. SAODV proposes a set of extensions that secure the AODV routing packets. For authenticating the non-mutable fields it uses cryptographic signatures, while one-way hash chains are used for securing every different route discovery process. In order to carry out the asymmetric cryptography it requires the existence of a key management mechanism. The Authenticated Routing for Ad hoc Networks (ARAN) protocol [20] falls into the second category of protocols, those that require predefined trust relationships. ARAN is a stand-alone protocol that utilizes cryptographic public-key certificates in order to achieve the security goals of authentication and non-repudiation. The protocol assumes that each node knows a priori the public key of the certification authority that will be used to authenticate the other participating nodes. Another protocol is the Security-aware Ad hoc Routing (SAR) [18], which extends on-demand ad hoc routing protocols like AODV and DSR. The main aspect of SAR is that it introduces a new security metric in the route discovery and maintenance process, treating secure routing as a quality of service (QoS) issue. SAR uses security attributes such as trust values and trust relationships in order to define this metric. Its operation is applicable in situations where a route that satisfies certain security requirements is more important, and therefore preferable, than any other route that satisfies other requirements (i.e. shortest path). The final secure routing protocol to be presented is the Secure Routing Protocol (SRP) [13]. SRP is a set of security extensions that can be used in any protocol that uses broadcasting and route queuing methods, although the authors suggest that DSR is a particularly appropriate choice. The operation of SRP requires the existence of a security association between the source node that engages in the route discovery process and the destination node. Upon the establishment of the security association the nodes share a secret key that is further used by the protocol.
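As an added illustration of the hash-chain category above (not code from the SAODV authors or from this thesis), the hop count hash chain that SAODV attaches to its route discovery messages, in Python. The hash function (SHA-256), the message layout and the constructed seed are assumptions here, and the signature over the non-mutable fields is left out.

```python
"""Added example, not the SAODV authors' code: the hop count hash chain that
SAODV attaches to RREQ/RREP messages, as published for that protocol.

The originator draws a random seed, fixes Max_Hop_Count and computes
Top_Hash = h^Max_Hop_Count(seed).  Max_Hop_Count and Top_Hash go in the
signed, non-mutable part; Hash and Hop_Count are the mutable fields every
forwarder updates.  A node that lowers Hop_Count cannot produce a matching
Hash without inverting h.  Assumptions here: SHA-256 as h, the dataclass
layout, and the constructed seed; the originator's signature is omitted.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def h_n(data: bytes, n: int) -> bytes:
    """Apply h n times (h^n)."""
    for _ in range(n):
        data = h(data)
    return data


@dataclass
class RoutingMessage:
    max_hop_count: int    # non-mutable (covered by the originator's signature)
    top_hash: bytes       # non-mutable
    hop_count: int        # mutable, incremented by each forwarding node
    hash: bytes           # mutable, hashed once by each forwarding node


def originate(max_hop_count: int, seed: Optional[bytes] = None) -> RoutingMessage:
    """Originator: Hop_Count = 0, Hash = seed, Top_Hash = h^Max_Hop_Count(seed)."""
    seed = os.urandom(32) if seed is None else seed
    return RoutingMessage(max_hop_count, h_n(seed, max_hop_count), 0, seed)


def verify(msg: RoutingMessage) -> bool:
    """Receiver check: h^(Max_Hop_Count - Hop_Count)(Hash) must equal Top_Hash."""
    if not 0 <= msg.hop_count <= msg.max_hop_count:
        return False
    expected = h_n(msg.hash, msg.max_hop_count - msg.hop_count)
    return hmac.compare_digest(expected, msg.top_hash)


def forward(msg: RoutingMessage) -> RoutingMessage:
    """Honest intermediate node: verify, then Hash = h(Hash) and Hop_Count + 1."""
    if not verify(msg):
        raise ValueError("hop count hash chain check failed; message dropped")
    return RoutingMessage(msg.max_hop_count, msg.top_hash,
                          msg.hop_count + 1, h(msg.hash))
```

A receiver that sees a message whose Hop_Count was lowered after the Hash was advanced gets a chain mismatch, which is how the "shorter path" forgery of the black hole attack is caught at the routing layer.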
2.6 I"trusio" Dete$tio" ,stems
Due to the different nature of ad hoc networks, the requirements of an intrusion detection component designed to operate in ad hoc mode should fulfill the following:
• It should not introduce a new weakness for the system. Ideally it should ensure its own integrity.
• It should require minimum resources to run and it should not degrade the system performance by introducing additional overhead.
• It should run continuously and remain transparent to the system and the users.
In the following sections some of the intrusion detection works in the field of ad hoc networking are presented.
In the system of [4], a realistic analytical model of the AODV route acquisition process is developed and the work is extended to derive a classification scheme for misbehaving nodes, including nodes with black hole behavior. The system approach is described as follows:
1) Analytical model of route acquisition process: This model predicts the probability density function of estimated route lengths, a powerful metric for characterization of the network behavior. The derived probability density function p(d) and the corresponding probability distribution function P(d) are given in the equations below. A detailed discussion of the derivation of the equations is given in [7]. The p(d) describes the statistical relation between the distance of two nodes and the corresponding probability of being connected, while P(d) gives the route length distribution in the network. The variable distance d represents the distance between source and destination.
2) Misbehaving nodes effect: They extend the model to cover the effect of node misbehavior [8], that is, the deformation of the probability distribution when misbehaving nodes are present. The deformation allows them to differentiate between normal behavior and node misbehavior.
Stamouli, Argyroudis and Tewari [6] designed a Real-time Intrusion Detection for Ad hoc Networks (RIDAN) system that adopts a specification-based detection technique and performs countermeasures to minimise the damage from the attacks. RIDAN details are as follows:
1) Architecture: RIDAN utilises the timed finite state machines (TFSMs) process, which is an extended finite state machine model with time states and timed constraints on the state transition process. In order to recognise the patterns occurring when an attack is launched, the generated AODV traffic is analysed both in its normal operation state and when an attack is in progress. The timers that control the transition between the states of the TFSMs are derived from theoretical research and practical experimentation.
2) Detection and countermeasure: Based on the TFSMs' design and operation, a node in RIDAN decides whether it should trust another node or must go to an alarm state and take countermeasures against it. The countermeasure action includes isolating the offending node for a finite time period in order to avoid possible false positives. RIDAN implements two different TFSMs to correctly identify the black hole attack but, owing to the limited space, we only present one TFSM, shown in Fig. 2, which is used to detect the first black hole attack. This TFSM is triggered whenever a node initiates a route discovery process. In state 1, if a Route Reply message does not arrive within a predefined time period (NET_TRAVERSAL_TIME), the TFSM times out (Tout_RESET) and resets to its initial state (init_). Upon receiving the first RREP, state 2 of the TFSM checks if the included destination sequence number (RREP_dest_seq#) is suspiciously much higher than the sequence number included in the Route Request (orig_dest_seq#). If it is suspiciously higher, it goes directly to the alarm state (Alarm). If it is not, it remains in the same state for time t. If the timer expires without receiving another Route Reply, it resets normally (N_RESET). If another Route Reply arrives within the time limit, the validity of the destination sequence number is checked again in state 3 and similarly a decision is taken whether to move to an alarm state. When an alarm occurs, the source node must not update its routing table with the forged routing information. The next step is to reset (A_RESET) the TFSM to its initial state (init_).
2.6.3 Dynamic Training Approach
Kurosawa, Nakayama, Kato, Jamalipour and Nemoto [2] also adopted an anomaly-based detection technique but incorporated a dynamic training technique. In this approach, the normal state views are updated periodically to adapt to the frequent network changes and a 'clustering-based' technique is adopted to identify nodes that deviate from the normal state. They have adopted the following 5-step process:
1) Feature selection: Three features are selected to express a normal state of the network. The network state in time slot i is expressed by the three-dimensional vector $x_i = (x_{i1}, x_{i2}, x_{i3})$. The selected features are: a) total number of sent out RREQ; b) total number of received RREP; c) average of the destination sequence difference in each time slot between the RREP sequence number and the one held in the list.
2) Calculate mean: The mean vector values of these features are calculated as shown in (1), where D represents the training data set for N time slots.

$$\bar{x} = \frac{1}{N}\sum_{i=1}^{N} x_i \qquad (1)$$

Next, we calculate the distance from the input data sample x to the mean vector $\bar{x}$ from Equation (2).

$$d(x) = \|x - \bar{x}\|^2 \qquad (2)$$

When the distance is larger than the threshold Th (which means it is out of range as normal traffic), it will be judged as an attack (Equation (3)).

$$d(x) > Th : \text{attack}, \qquad d(x) \le Th : \text{normal} \qquad (3)$$

Let $\Delta T_0$ be the first time interval for a node participating in the MANET. By using the data collected in this time interval, the initial mean vector is calculated; the calculated mean vector will then be used to detect the attack in the next time interval. If the state in $\Delta T$ is judged as normal, then the corresponding data set will be used as the learning data set. Otherwise, it will be treated as data including an attack and it will consequently be discarded. This way, the system keeps on learning the normal state of the network. By doing this, the system updates the training data set to be used for the next detection. Then the mean vector, which is calculated from the training data set, is used for detection of the next data. By repeating this for every time interval $\Delta T$, we can perform anomaly detection which can adapt to the MANET environment.
3) Calculate threshold: The threshold value is dynamically updated using the data collected in the time interval. If only the initial training data were used, then the system could not adapt to the changing environment. The threshold value is the average of the difference of dest_seq_no in each time slot between the sequence number in the routing table and the RREP packet. The threshold value is updated as soon as a newer node receives a RREP packet. As a new node receives a RREP for the first time, it gets the updated value of the threshold.
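The three steps above carried through in Python, as an added example (not the authors' code). The sample time slots are constructed, and Th is taken as the average of the sequence-difference feature over the accepted training data, which is our reading of step 3.

```python
"""Added example, not Kurosawa et al.'s code: the dynamic-training anomaly
detector from the three-step process above, in Python.

Per time slot a node records x_i = (x_i1, x_i2, x_i3): RREQs sent, RREPs
received, and the average destination sequence difference.  Each interval
ΔT the mean vector x̄ is recomputed from accepted training slots (equation
1), every new sample is scored with d(x) = ||x - x̄||^2 (equation 2) and
compared with Th (equation 3).  Assumptions: the sample slots are
constructed, and Th is the average of the sequence-difference feature over
the accepted training data (our reading of step 3).
"""
from typing import List, Sequence, Tuple

Vector = Tuple[float, float, float]


def mean_vector(training: Sequence[Vector]) -> Vector:
    """Equation (1): x̄ = (1/N) Σ x_i over the N slots of training set D."""
    n = len(training)
    return tuple(sum(v[k] for v in training) / n for k in range(3))


def distance(x: Vector, mean: Vector) -> float:
    """Equation (2): squared Euclidean distance of a sample from the mean."""
    return sum((a - b) ** 2 for a, b in zip(x, mean))


def judge(x: Vector, mean: Vector, th: float) -> str:
    """Equation (3): d(x) > Th is judged an attack, otherwise normal."""
    return "attack" if distance(x, mean) > th else "normal"


def threshold(training: Sequence[Vector]) -> float:
    """Step 3 (assumed reading): average sequence difference of normal slots."""
    return sum(v[2] for v in training) / len(training)


class DynamicTrainingDetector:
    def __init__(self, first_interval: Sequence[Vector]):
        # ΔT0: the first interval only seeds the training set.
        self.training: List[Vector] = list(first_interval)
        self.mean = mean_vector(self.training)
        self.th = threshold(self.training)

    def process_interval(self, slots: Sequence[Vector]) -> List[str]:
        """Score one ΔT, then learn from it only if every slot was normal."""
        verdicts = [judge(x, self.mean, self.th) for x in slots]
        if all(v == "normal" for v in verdicts):
            self.training.extend(slots)       # becomes learning data
            self.mean = mean_vector(self.training)
            self.th = threshold(self.training)
        # otherwise the interval is treated as containing an attack and discarded
        return verdicts


# Constructed sample slots: (RREQ sent, RREP received, avg dest seq difference)
FIRST_INTERVAL = [(5, 4, 20), (6, 4, 22), (5, 5, 21)]
NORMAL_INTERVAL = [(6, 5, 22), (5, 4, 20)]
# Second slot: replies whose sequence numbers are far ahead of the table entry.
SUSPECT_INTERVAL = [(5, 4, 21), (6, 9, 400)]


def run_demo() -> Tuple[List[str], List[str], int]:
    """Returns the verdicts of both intervals and the final training set size."""
    det = DynamicTrainingDetector(FIRST_INTERVAL)
    v1 = det.process_interval(NORMAL_INTERVAL)
    v2 = det.process_interval(SUSPECT_INTERVAL)
    return v1, v2, len(det.training)
```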
R. Martin Leo Manickam and S. Shanmugavel [3] proposed a Fuzzy based Trusted Ad hoc On demand Distance Vector (FTAODV) routing protocol that does not make any extraneous assumptions in the existing AODV protocol. All nodes in the network independently execute the fuzzy trust model to derive trust on their neighbors. The proposed Fuzzy based Trust model is integrated with the AODV reactive routing protocol as shown in figure 2.7. The trust model consists of the following four components, namely Trust Verification, AODV routing protocol, Fuzzy input parameter extraction and Fuzzy based Trust computation. During Trust Verification, each node verifies the trustworthiness of the neighbor from which it receives the control packet. In the AODV routing protocol, nodes will interact only with the trusted neighbors. During Fuzzy input parameter extraction, each node monitors its neighbors based on directly experienced events. During Fuzzy based Trust computation, the Mamdani based Fuzzy model [25] is used to compute the trust from the monitored events to have a direct trust on its neighbors. These computed trust levels are then associated with the routing process in the AODV protocol.
Figure 2.7: FTAODV Routing Model
Figure 2.8: The Fuzzy System
Based on the Mamdani Fuzzy model, each node computes the trust value for its neighbors and maintains it in the neighbor table. The trust value lies between 0 and 10. Depending upon the trust level, the malicious behavior of a node is determined, where a trust value of 0 indicates completely malicious behavior and a trust value of 10 indicates a legitimate node.
During Trust Verification, each node verifies whether the control packet is sent by a trusted neighbor or not. A neighbor is said to be trusted when its trust value is greater than or equal to the Threshold Trust Value (TTV). It is the trust value below which a node is considered to be malicious. Nodes discard the packets received from an untrusted neighbor.
CHAPTER 3: PROBLEM FORMULATION
Chapter 2 presented a literature review on different security issues in MANET and various intrusion detection systems developed for AODV in MANET. For the route discovery, AODV (Ad hoc On-demand Distance Vector routing) is a popular on demand routing protocol for mobile ad hoc networks. AODV has become one of the promising protocols currently available for the mobile ad hoc network because of its moderate overheads and because it dynamically adapts the routing topology better than other proposed protocols for MANET. It is designed for mobile ad hoc networks, where there are often changes in the network topology. AODV's popularity motivated many researchers to work on its enhancements for different situations & rectifying different problems. Intruders usually take part in the route discovery process and pretend to have a fresh and shortest route to the destination. This chapter discusses the current intrusion detection strategy utilized by AODV. Section 3.1 discusses the route discovery process of AODV and management of the routing table. Section 3.2 describes the formation of a blackhole in AODV. Section 3.3 discusses issues in detection systems which became the basis to propose the Fuzzy Based Intrusion Detection System against Blackhole in AODV in chapter 4.
3.1 Route Discovery and Routing table in AODV
Ad-hoc On-Demand Distance Vector (AODV) Routing Protocol is used for finding a path to the destination in an ad-hoc network. To find the path to the destination all mobile nodes work in cooperation using the routing control messages. Thanks to these control messages, the AODV Routing Protocol offers quick adaptation to dynamic network conditions, low processing and memory overhead, and low network bandwidth utilization with small size control messages. The most distinguishing feature of AODV compared to the other routing protocols is that it uses a destination sequence number for each route entry. The destination sequence number is generated by the destination when a connection is requested from it. Using the destination sequence number ensures loop freedom. AODV makes sure the route to the destination does not contain a loop and is the shortest path. Route Requests (RREQs), Route Replies (RREPs) and Route Errors (RERRs) are control messages used for establishing a path to the destination, sent using the UDP protocol. When the source node wants to make a connection with the destination node, it broadcasts an RREQ message. This RREQ message is propagated from the source and received by the neighbors (intermediate nodes) of the source node. The intermediate nodes broadcast the RREQ message to their neighbors. This process goes on until the packet is received by the destination node or by an intermediate node that has a fresh enough route entry for the destination. Figure 3.1 shows how the RREQ message is propagated in an ad-hoc network.
Figure 3.1: Broadcast RREQ packet & Route Table
Afterwards the RREP message is unicast to the source node. The difference between broadcasting an RREQ and unicasting an RREP can be seen from Figures 3.1 and 3.2. While the RREQ and the RREP messages are forwarded by intermediate nodes, the intermediate nodes update their routing tables and save this route entry for 3 seconds, which is the ACTIVE_ROUTE_TIMEOUT constant value of the AODV protocol. Thus the node knows over which neighbor to reach the destination. In AODV terminology, the neighbor list for a destination is labeled the "Precursor List". Figure 3.2 shows how the RREP message is unicast and how the route entries in the intermediate nodes are updated.
An important thing to note during route discovery is each H every node maintains ne*t hop only in their routing tables. No other information related to the nodes on the routes is maintained. !e-uence Numbers serve as time stamps and allow nodes to compare how fresh their information on the other node is. "owever when a node sends any type of routing control message, 88J, 88, 888 etc., it increases its own se-uence se-u ence number. "igher se-uence se-uenc e number is more accurate information and whichever node sends the highest se-uence number, its information is considered and route is established over this node by the other nodes.
55
The se-uence number is a 53/bit unsigned integer value (i.e., >3I>IEF3I?). f the se-uence number of the node reaches the possible highest se-uence number, >3I>IEF3I?, then it will be reset to 7ero ('). f the results of subtraction subtrac tion of the currently curr ently stored sto red se-uence se-u ence number in a node and the se-uence number of incoming A#+< route control message is less than 7ero, the stored se-uence number is changed with the se-uence number of the incoming control message. n 2igure 5.5, while Node 3 forwards the 88 message coming from Node 5, it compares its own previously stored se-uence number with that of Node 5. f it notices that the se-uence number is newer than its own, then it changes its route table entry as necessary.
The Black Hole Attack was briefly explained in the previous chapter. This chapter explains it in more detail, now that the AODV protocol has been described. In an ad-hoc network that uses the AODV protocol, a Black Hole node absorbs the network traffic and drops all packets. To explain the Black Hole Attack, a malicious node that exhibits Black Hole behavior is added to the scenario of the figures in the previous section.

In the scenario shown in Figure 3.4, assume that Node 3 is the malicious node. When Node 1 broadcasts the RREQ message for Node 4, Node 3 immediately responds to Node 1 with an RREP message that carries the highest sequence number for Node 4, as if it were coming from Node 4. Node 1 assumes that Node 4 is 1 hop behind Node 3 and discards the RREP packet that later arrives from Node 2. Node 1 then starts sending its data packets to Node 3, trusting that they will reach Node 4, but Node 3 drops all of them. Note that the forged reply does not have to arrive first: because AODV accepts the reply with the highest destination sequence number, it replaces the legitimate route even if the legitimate RREP is already installed, and base AODV does not authenticate control messages, so nothing stops a node from claiming any sequence number it likes.

In a Black Hole Attack, the sending node eventually notices a link problem because the receiving node never returns TCP ACK packets. If it sends out new TCP data packets and discovers a new route to the destination, the malicious node still manages to deceive the sending node. If the sending node sends UDP data packets, the problem is not detected at all, because a UDP data connection does not wait for ACK packets.
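The route-selection rule described above, and the way a black hole node exploits it, as an added example that is not part of the thesis: a simplified model of the RFC 3561 route-entry update (newer destination sequence number wins; equal sequence number with fewer hops wins) with the signed 32-bit wrap-around comparison. The node numbers follow Figure 3.4; the hop counts and sequence numbers are constructed for illustration.

```python
"""Added example (not the thesis's code): AODV route-entry update and the
black hole RREP.  Sequence numbers and hop counts are constructed."""
from __future__ import annotations
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # AODV sequence numbers are 32-bit unsigned and wrap


def seq_newer(incoming: int, stored: int) -> bool:
    """True if `incoming` is fresher than `stored` (RFC 3561 signed-32 compare).

    Wrap-around is handled: right after 4294967295 comes 0, and 0 must win.
    """
    diff = (incoming - stored) % SEQ_MOD
    if diff >= 1 << 31:          # reinterpret as a signed 32-bit value
        diff -= SEQ_MOD
    return diff > 0


@dataclass
class RouteEntry:
    dest: int
    next_hop: int
    hop_count: int
    dest_seq: int


@dataclass
class Rrep:
    """Route Reply as seen by the receiving node (simplified)."""
    dest: int
    dest_seq: int
    hop_count: int   # hops from the replying node to the destination
    sender: int      # neighbour that delivered this RREP to us


class AodvNode:
    def __init__(self, node_id: int) -> None:
        self.node_id = node_id
        self.routes: dict[int, RouteEntry] = {}

    def on_rrep(self, rrep: Rrep) -> bool:
        """Apply the route update rule; return True if the entry was replaced.

        A reply replaces the existing entry if it carries a newer destination
        sequence number, or the same sequence number with fewer hops.
        """
        hops = rrep.hop_count + 1  # this node is one hop further away
        cur = self.routes.get(rrep.dest)
        accept = (
            cur is None
            or seq_newer(rrep.dest_seq, cur.dest_seq)
            or (rrep.dest_seq == cur.dest_seq and hops < cur.hop_count)
        )
        if accept:
            self.routes[rrep.dest] = RouteEntry(rrep.dest, rrep.sender, hops, rrep.dest_seq)
        return accept


def black_hole_scenario(honest_first: bool = False) -> RouteEntry:
    """Figure 3.4: node 1 looks for node 4; node 3 is the black hole.

    Whatever the order of arrival, the inflated sequence number wins.
    """
    src = AodvNode(1)
    # Honest reply relayed by node 2: node 4 is two hops behind node 2, real seq 10.
    honest = Rrep(dest=4, dest_seq=10, hop_count=2, sender=2)
    # Node 3 answers as if node 4 were its neighbour, with a huge sequence number.
    fake = Rrep(dest=4, dest_seq=10_000, hop_count=1, sender=3)
    for rrep in ((honest, fake) if honest_first else (fake, honest)):
        src.on_rrep(rrep)
    return src.routes[4]
```

Running `black_hole_scenario(honest_first=True)` shows the point the text makes only implicitly: even when the legitimate route is already installed, the black hole's reply replaces it, because freshness is judged purely by the number the replier claims.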
3.3 Important Issues in Detection Systems

The following important issues have been identified in the detection systems currently used with AODV:

• As discussed in the previous chapter, the RDAN intrusion detection system uses the sequence number transmitted in the RREP packet of AODV by the suspected node. But the sequence number grows with the number of connections made to the destination node, so its raw value alone cannot define the behavior of a node.

• In the centralized approach to detection, a single node in the network decides the behavior of the participating nodes. This makes the system fragile: the failure of that node brings detection down for the whole network.

• In the Cooperative Intrusion Detection System, a node's black hole behavior is decided by calculating its forward packet ratio. By the time black hole behavior is detected, a number of packets have already been dropped by the node.

So for a successful detection system, neither a single factor nor a single node is enough to define the misbehavior of a node. An intrusion detection system based on one factor generates many false alarms. Its detection time is also longer, which means a higher packet drop ratio. If the system relies on a single node for generating the alarms, the processing load on that node increases, as it has to go through all the information passed by the other nodes, which makes the detection process much slower. The detection system can be made more efficient if the factors discussed above are combined in a single system that runs on every node in the network rather than on one node only. AODV nodes can also run in promiscuous mode, in which a node listens to the activity of its neighboring nodes and checks the behavioral characteristics of its immediate neighbors. Therefore both factors, the destination sequence number transmitted in the RREP packet and the forward data packet ratio, are used in promiscuous mode for the detection of black hole nodes.
CHAPTER 4: FUZZY LOGIC BASED INTRUSION DETECTION SYSTEM

This chapter presents the proposed intrusion detection system for detecting the black hole attack on AODV in MANETs. The detection system is based on fuzzy logic and on the issues identified in intrusion detection systems in section 3.3. As discussed in section 3.3, the major issue in the various detection systems is the use of only one factor to identify the misbehavior of a node; some detection systems also use a centralized approach. The proposed system improves on this by using two factors, the destination sequence number and the forward packet ratio. These factors are implemented using fuzzy logic, a problem-solving control system methodology. Fuzzy logic provides a simple way to arrive at a definite conclusion from vague, ambiguous, imprecise, noisy or missing input information. This chapter discusses the proposed system in detail.
4.1 Fuzzy Logic

Fuzzy logic is a form of multi-valued logic derived from fuzzy set theory to deal with reasoning that is approximate rather than precise. In contrast with "crisp logic", where binary sets have binary logic, fuzzy logic variables may have a truth value that ranges between 0 and 1 and is not constrained to the two truth values of classic propositional logic [38]. Furthermore, when linguistic variables are used, these degrees may be managed by specific functions. Fuzzy logic takes a simple, rule-based approach to solving a problem rather than attempting to model a system mathematically. The fuzzy logic model is empirically based, relying on an operator's experience rather than their technical understanding of the system. Fuzzy logic was conceived as a better method for sorting and handling data but has proven to be an excellent choice for many control system applications, since it mimics human control logic. It uses an imprecise but very descriptive language to deal with input data, much like a human operator. Fuzzy logic is well suited to decision-making problems. The advantages of a fuzzy logic system are as follows:

• Fuzzy logic is conceptually easy to understand. The mathematical concepts behind fuzzy reasoning are very simple. What makes fuzzy logic attractive is the "naturalness" of its approach, not any far-reaching complexity.

• Fuzzy logic is flexible. With any given system, it is easy to adjust it or layer more functionality on top of it without starting again from scratch.

• Fuzzy logic is tolerant of imprecise data. Everything is imprecise if you look closely enough, but more than that, most things are imprecise even on careful inspection. Fuzzy reasoning builds this understanding into the process rather than tacking it onto the end.

• Fuzzy logic can model nonlinear functions of arbitrary complexity. You can create a fuzzy system to match any set of input-output data.

• Fuzzy logic can be blended with conventional control techniques. Fuzzy systems do not necessarily replace conventional control methods; in many cases they augment them and simplify their implementation.

• Fuzzy logic is based on natural language. The basis for fuzzy logic is the basis for human communication. This observation underpins many of the other statements about fuzzy logic. Natural language is what ordinary people use on a daily basis. Sentences written in ordinary language represent a triumph of efficient communication; we are generally unaware of this because ordinary language is something we use every day. Since fuzzy logic is built on the structures of qualitative description used in everyday language, fuzzy logic is easy to use.
4.1.1 Fuzzy Sets

Fuzzy logic starts with the concept of a fuzzy set. A fuzzy set is a set without a crisp, clearly defined boundary. It can contain elements with only a partial degree of membership. In fuzzy logic, the truth of any statement becomes a matter of degree. Any statement can be fuzzy. The tool that fuzzy reasoning gives is the ability to reply to a yes/no question with a not-quite-yes-or-no answer. This is the kind of thing that humans do all the time (think how rarely you get a straight answer to a seemingly simple question), but it is a rather new trick for computers.
4.1.2 Membership Functions

A membership function is a curve that defines how each point in the input space is mapped to a degree of membership between 0 and 1. It associates a weighting with each of the inputs that are processed, defines the functional overlap between inputs, and ultimately determines an output response. The rules use the input membership values as weighting factors to determine their influence on the fuzzy output sets of the final output conclusion. Once the functions are inferred, scaled, and combined, they are defuzzified into a crisp output which drives the system. Different membership functions are associated with each input and output response.
4.1.3 Fuzzy Logic Operators

Fuzzy logic is a superset of standard Boolean logic. If we keep the fuzzy logic values at the extremes of 1 (completely true) and 0 (completely false), the standard logical operators still hold.

Figure 4.1: Fuzzy Logic Operators

The input values can be real numbers between 0 and 1. What function will preserve the results of the classical logic truth table and also extend to all real numbers between 0 and 1? One answer for AND is the min operation. We can replace the OR operation with the max function, so that A OR B becomes equivalent to max(A, B). Finally, the operation NOT A becomes equivalent to 1 - A. Fuzzy intersection or conjunction (AND), fuzzy union or disjunction (OR), and fuzzy complement (NOT) can either be defined using these classical operators (AND = min, OR = max, NOT = additive complement) or using customized functions. Fuzzy logic uses the classical operator for the fuzzy complement, but the AND and OR operators can easily be customized if desired.
4.1.4 IF-THEN Rules

Fuzzy sets and fuzzy operators are the subjects and verbs of fuzzy logic. IF-THEN rule statements are used to formulate the conditional statements that comprise fuzzy logic. A single fuzzy IF-THEN rule takes the form

IF x is A THEN y is B

where A and B are linguistic values defined by fuzzy sets on the ranges (universes of discourse) X and Y, respectively. The IF-part of the rule, "x is A", is called the antecedent or premise, while the THEN-part of the rule, "y is B", is called the consequent or conclusion. Interpreting IF-THEN rules is a three-part process. In general, one rule by itself does not do much good; what is needed are two or more rules that can play off one another. The output of each rule is a fuzzy set. The output fuzzy sets of all rules are then aggregated into a single output fuzzy set. Finally, the resulting set is defuzzified, or resolved to a single number. The next section shows how the whole process works from beginning to end for a particular type of fuzzy inference system called a Mamdani type.
4.1.5 Fuzzy Inference Systems

Fuzzy inference is the process of formulating the mapping from a given input to an output using fuzzy logic. The mapping then provides a basis from which decisions can be made or patterns discerned. The process of fuzzy inference involves all of the pieces described in the previous sections: membership functions, fuzzy logic operators, and if-then rules. There are various types of fuzzy inference systems, e.g. Mamdani-type and Sugeno-type. These two types differ somewhat in the way outputs are determined. Fuzzy inference systems have been successfully applied in fields such as automatic control, data classification, decision analysis, expert systems, and computer vision. Because of their multidisciplinary nature, fuzzy inference systems are known by a number of names, such as fuzzy-rule-based systems, fuzzy expert systems, fuzzy modeling, fuzzy associative memory, fuzzy logic controllers, and simply (and ambiguously) fuzzy systems. Mamdani's fuzzy inference method is the most commonly seen fuzzy methodology. Mamdani-type inference expects the output membership functions to be fuzzy sets. After the aggregation process, there is a fuzzy set for each output variable that needs defuzzification. It is possible, and in many cases much more efficient, to use a single spike as the output membership function rather than a distributed fuzzy set. This is sometimes known as a singleton output membership function, and it can be thought of as a pre-defuzzified fuzzy set. It improves the efficiency of the defuzzification process because it greatly simplifies the computation required by the more general Mamdani method, which finds the centroid of a two-dimensional function. Rather than integrating across the two-dimensional function to find the centroid, the weighted average of a few data points is used. Sugeno-type systems support this kind of model. In general, Sugeno-type systems can be used to model any inference system in which the output membership functions are either linear or constant. The parts of the fuzzy inference process are shown in the block diagram below.

4.1.5.1 Fuzzification

The first step is to take the inputs and determine the degree to which they belong to each of the appropriate fuzzy sets via membership functions. The input is always a crisp numerical value limited to the universe of discourse of the input variable, and the output is a fuzzy degree of membership.

4.1.5.2 Fuzzy Operator

If the antecedent of a given rule has more than one part, the fuzzy operator is applied to obtain one number that represents the result of the antecedent for that rule. This number is then applied to the output function. Any number of well-defined methods can fill in for the AND operation or the OR operation. In the fuzzy logic toolbox, two built-in AND methods are supported: min (minimum) and prod (product). Two built-in OR methods are also supported: max (maximum) and the probabilistic OR method, probor.

4.1.5.3 Implication

The implication method is defined as the shaping of the consequent (a fuzzy set) based on the antecedent (a single number). The input to the implication process is the single number given by the antecedent, and the output is a fuzzy set. Implication occurs for each rule. Two built-in methods are supported: min (minimum), which truncates the output fuzzy set, and prod (product), which scales the output fuzzy set.

4.1.5.4 Aggregation

Since decisions are based on the testing of all of the rules in an FIS, the rules must be combined in some manner in order to make a decision. Aggregation is the process by which the fuzzy sets that represent the outputs of each rule are combined into a single fuzzy set. Aggregation occurs only once for each output variable, just prior to defuzzification. The input to the aggregation process is the list of truncated output functions returned by the implication process for each rule. The output of the aggregation process is one fuzzy set for each output variable.

4.1.5.5 Defuzzification

The input to the defuzzification phase is the unified fuzzy set formed by aggregation of the consequents, and the output is a crisp number. If there is more than one output variable, the final output for each variable is a crisp number. The most popular defuzzification method is the centroid calculation, which returns the center of the area under the curve. Five built-in methods are supported: centroid, bisector, middle of maximum (the average of the maximum values of the output set), largest of maximum, and smallest of maximum.
4.2 Proposed System

In the proposed system, fuzzy logic is integrated with the AODV reactive routing protocol; the resulting system is shown in Figure 4.3, which gives the high-level architecture of the proposed system's logical components. The fuzzy parameter extraction module listens to the traffic of its neighboring nodes in promiscuous mode and selects the factors on which the fuzzy rules will be applied. The fuzzy computation module computes the fidelity level of each node according to the rules formulated for the system, on the basis of the parameters extracted by the previous unit. The fuzzy verification module verifies the fidelity level of the node and checks the behavior of the node.

Figure 4.3: The proposed system model

The final component of the architecture is the alarm module, which is responsible for taking the appropriate measures to keep the network performance within acceptable limits. The fuzzy based intrusion detection components therefore operate between the network traffic and the routing protocol, requiring only minor modifications to the routing protocol used in the network. The fuzzy based intrusion detection system runs locally in every participating node and makes its decisions on the partial view of the traffic that it observes. It completes the solution by generating alarm packets so that countermeasures can be taken to isolate the detected misbehaving node and keep the performance of the network within acceptable limits.
4.2.1 Fuzzy Parameter Extraction

The input to the fuzzy system in node "i" is extracted by listening to the traffic received and generated by its immediate neighbors, and a fuzzy parameter list is created in a new neighbor table for every neighbor. The neighbor table of node "i" has the following fields for its neighbor node "j": Forward Packet Ratio (the ratio of data packets forwarded by node j to the data packets received by node j, if node j is not the destination), Average Destination Sequence Number, and Fidelity Level.

Forward Packet Ratio: If a route has been established through node j, node i in its immediate neighborhood will listen to the traffic through node j. If node j is not the destination, it must forward every data packet it receives from its neighbor on the route. So the neighbor nodes of j activate their promiscuous mode, listen to the traffic through node j and calculate the forward packet ratio, which is given by:

Forward packet ratio (of node j as seen by node i) = (Data packets forwarded) / (Data packets received)

Overhearing in promiscuous mode is only approximate: node i misses forwards that collide at its own radio or happen while it is transmitting, and it cannot overhear node j's next hop at all if that node is outside its range, so the ratio should be built from enough samples before it is trusted.

Average Destination Sequence Number: In the RREP packet, the destination transmits its updated sequence number. The sequence number depends on the number of connections of that node in the network. If a node is a black hole node, it transmits the highest possible sequence number and pretends to be the destination. So the behavior of a node can be checked from the sequence number it transmits in its reply packet. To check the variation in the sequence number, node i calculates the average of the difference, in each time slot, between the previous sequence number stored in the neighbor list for node j and the current sequence number in the RREP packet. The Average Destination Sequence Number is updated as soon as the node transmits an RREP packet.
4.2.2 Fuzzy Computation

The proposed fuzzy system has two inputs, the forward packet ratio and the average destination sequence number, and one output, the fidelity level. The rule base of the evaluator is shown in Table 4.1. The membership functions are chosen so that they give the best values of the performance measures. From the crisp values of the input variables, the fuzzy values are calculated through the input membership functions shown in Figures 4.4(a) and 4.4(b), and the fuzzy rules are applied. To illustrate one rule, the first rule can be read as: IF Forward Packet Ratio is LOW and Average Destination Sequence Number is LOW, THEN Fidelity Level is LOW. The other rules are framed similarly.
S.No   Forward Packet Ratio   Average Destination Sequence Number   Fidelity Level
1      LOW                    LOW                                   LOW
2      LOW                    MEDIUM                                LOW
3      LOW                    HIGH                                  LOW
4      MEDIUM                 LOW                                   MEDIUM
5      MEDIUM                 MEDIUM                                MEDIUM
6      MEDIUM                 HIGH                                  LOW
7      HIGH                   LOW                                   HIGH
8      HIGH                   MEDIUM                                HIGH
9      HIGH                   HIGH                                  LOW

Table 4.1: Fuzzy Rules
(a) Forward Packet Ratio membership function

(b) Average Destination Sequence Number membership function

(c) Output Fidelity Level membership function

Figure 4.4: Input and Output membership functions
Based on the Mamdani fuzzy model, each node computes the fidelity level for its neighbors and maintains it in the neighbor table. The fidelity level lies between 0 and 10. The minimum value of fidelity occurs when a neighboring node shows more malicious than legitimate behavior. Hence a fidelity level of 0 represents completely malicious behavior and 10 represents fully legitimate behavior of a particular node.
4.2.3 Fuzzy Verification Module

The calculated fidelity level is compared with a threshold value, and the module decides whether a node is a black hole node or a normal node.

4.2.4 Alarm Packets

On the basis of the information passed by the fuzzy verification module, if the fidelity level is less than the threshold fidelity level, this module generates an alarm packet carrying the address of the node that has been declared a black hole node, so that the black hole is isolated from the network.
4.3 Proposed Methodology

Step 1: Switch on the promiscuous mode of the nodes.

Step 2: Construct a neighbor list for every node in the network.

Step 3: Each node in the network calculates the forward packet ratio of its neighbors, given as

Forward packet ratio = (Data packets forwarded) / (Data packets received)

and the average destination sequence number, calculated from the sequence number sent in the RREP packet by that node (if the neighbor is neither source nor destination), given as

average sequence ratio = (fuzzy_count * average sequence ratio + (seqno - fuzzy_lseqno)) / (++fuzzy_count)

where fuzzy_count is the number of times a node has listened to a reply from the same node, seqno is the current sequence number in the RREP packet and fuzzy_lseqno is the previous sequence number transmitted by that node. Pseudo code for the parameter calculations is given in Appendix A.

Step 4: Fuzzify these two inputs according to the triangular membership functions defined for the inputs.

Step 5: Apply the fuzzy rule base to the fuzzified inputs.

Step 6: Find the fuzzy output based on the rules formulated.

Step 7: Calculate the crisp output value from the fuzzy output value.

Step 8: Compare this output value with the threshold value (taken as 5).

Step 9: If the output of step 7 is less than the threshold value, the node is declared a black hole node.

Step 10: Generate and transmit an alarm packet with the address of the detected black hole node.

The alarm packets are received by the nodes in the network. Each node maintains a blacklist of the malicious nodes of the network. The address of the black hole node is stored in this list and further communication with this node is avoided. Since alarm packets are accepted on trust in this design, a node that forged alarms could have honest neighbors blacklisted; before deployment, alarms would need to be authenticated or corroborated by more than one observing node.
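The complete pipeline of Section 4.1.5 (fuzzification, min/max operators, min implication, max aggregation, centroid defuzzification) and the methodology of Section 4.3 (neighbor table, forward packet ratio, running average of sequence-number jumps, threshold and blacklist), as an added example that is not the thesis's own code. The nine rules are those of Table 4.1 and the threshold of 5 is Step 8; the triangular breakpoints, the input range assumed for the sequence-number average and the overheard traffic in `demo()` are constructed assumptions, since the page does not give the Figure 4.4 breakpoints.

```python
"""Added example (not the thesis's code): the fuzzy black hole detector of
Sections 4.1.5 and 4.3 end to end, from overheard traffic to alarm.
Assumed (not on the page): membership breakpoints, the sequence-number
input range, and the constructed traffic in demo()."""
from __future__ import annotations


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership function with feet a, c and peak b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


# Assumed breakpoints: forward ratio on [0, 1], average sequence-number jump
# on [0, 200], fidelity level on [0, 10] as in Section 4.2.2.
FPR_MF = {"LOW": (-0.5, 0.0, 0.5), "MEDIUM": (0.0, 0.5, 1.0), "HIGH": (0.5, 1.0, 1.5)}
SEQ_MF = {"LOW": (-100, 0, 100), "MEDIUM": (0, 100, 200), "HIGH": (100, 200, 300)}
FID_MF = {"LOW": (-5, 0, 5), "MEDIUM": (0, 5, 10), "HIGH": (5, 10, 15)}

# Table 4.1: (forward packet ratio, average destination sequence number) -> fidelity
RULES = {
    ("LOW", "LOW"): "LOW", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "LOW",
    ("MEDIUM", "LOW"): "MEDIUM", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "LOW",
    ("HIGH", "LOW"): "HIGH", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "LOW",
}


def fidelity(fpr: float, seq_delta: float, steps: int = 200) -> float:
    """Mamdani inference: AND = min, implication = min, aggregation = max,
    centroid defuzzification sampled over the fidelity universe [0, 10]."""
    fpr = min(max(fpr, 0.0), 1.0)
    seq_delta = min(max(seq_delta, 0.0), 200.0)
    firing: dict[str, float] = {}
    for (f_term, s_term), out_term in RULES.items():
        w = min(tri(fpr, *FPR_MF[f_term]), tri(seq_delta, *SEQ_MF[s_term]))
        firing[out_term] = max(firing.get(out_term, 0.0), w)
    num = den = 0.0
    for i in range(steps + 1):
        y = 10.0 * i / steps
        mu = max(min(w, tri(y, *FID_MF[t])) for t, w in firing.items())
        num += y * mu
        den += mu
    return num / den


class NeighborWatch:
    """Per-neighbor state a node keeps while overhearing in promiscuous mode
    (Section 4.2.1), plus the Step 8-10 decision and blacklist."""

    def __init__(self, threshold: float = 5.0) -> None:
        self.threshold = threshold
        self.table: dict[int, dict] = {}
        self.blacklist: set[int] = set()

    def _entry(self, nid: int) -> dict:
        return self.table.setdefault(
            nid, {"recv": 0, "fwd": 0, "count": 0, "lseq": None, "avg": 0.0})

    def overheard_data(self, nid: int, forwarded: bool) -> None:
        """A data packet reached neighbor nid; forwarded says whether we heard it re-sent."""
        e = self._entry(nid)
        e["recv"] += 1
        e["fwd"] += int(forwarded)

    def overheard_rrep(self, nid: int, seqno: int) -> None:
        """Running mean of the sequence-number jumps in nid's RREPs (Step 3 formula)."""
        e = self._entry(nid)
        if e["lseq"] is not None:
            e["count"] += 1
            e["avg"] = ((e["count"] - 1) * e["avg"] + (seqno - e["lseq"])) / e["count"]
        e["lseq"] = seqno

    def evaluate(self, nid: int) -> tuple[float, bool]:
        """Fidelity of nid and whether an alarm (and blacklist entry) results."""
        e = self._entry(nid)
        fpr = e["fwd"] / e["recv"] if e["recv"] else 1.0  # assumed: no data seen, no suspicion
        fid = fidelity(fpr, e["avg"])
        alarm = fid < self.threshold
        if alarm:
            self.blacklist.add(nid)
        return fid, alarm


def demo() -> dict[int, tuple[float, bool]]:
    """Constructed traffic: node 2 forwards everything and its RREP sequence
    numbers grow slowly; node 3 replies with inflated numbers and drops all data."""
    w = NeighborWatch()
    for seq in (10, 12, 15, 17):
        w.overheard_rrep(2, seq)
    for _ in range(20):
        w.overheard_data(2, forwarded=True)
    for seq in (500, 1200, 2000):
        w.overheard_rrep(3, seq)
    for _ in range(20):
        w.overheard_data(3, forwarded=False)
    return {nid: w.evaluate(nid) for nid in (2, 3)}
```

With these breakpoints a node that forwards everything and whose replies advance slowly scores about 8.3, a node that drops everything and jumps its sequence numbers by hundreds scores about 1.7, and a node in the middle of both inputs scores exactly 5, the threshold, so it is not alarmed. The absolute numbers depend on the breakpoints, which is why Section 4.2.2 says the membership functions are tuned against the performance measures.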
4.4 Flow Chart of Proposed Methodology

The flow chart of the proposed methodology is shown in Figure 4.5.

Figure 4.5: Flow chart of the proposed methodology (make the neighbor list; if the neighbor is the source or the destination, exit; otherwise collect the fuzzy parameters for each neighbor node, fuzzify them, apply the rule base, and defuzzify to obtain the output in the form of a fidelity level)
CHAPTER 5: SIMULATION DETAILS

Network Simulator-2 (NS-2) [5] from Berkeley has been used to simulate the ad-hoc routing protocols. To simulate the mobile wireless radio environment, the mobility extension to ns developed by the CMU Monarch project at Carnegie Mellon University has been used.

5.1 Network Simulator

Network Simulator-2 is the result of an ongoing research and development effort administered by researchers at Berkeley. It is a discrete event simulator targeted at networking research. It provides substantial support for the simulation of TCP, routing, and multicast protocols. From the user's view, the simulator works as follows:

Figure 5.1: Simplified User's View of NS

As shown in Figure 5.1, in a simplified user's view NS is an Object-oriented Tcl (OTcl) script interpreter that has a simulation event scheduler, network component object libraries, and network setup (plumbing) module libraries (actually, the plumbing modules are implemented as member functions of the base simulator object). To set up and run a simulation network, a user writes an OTcl script that initiates an event scheduler, sets up the network topology using the network objects and the plumbing functions in the library, and tells traffic sources when to start and stop transmitting packets through the event scheduler.

The simulator is written in C++ and a script language called OTcl. Ns presents an OTcl interpreter to the user. This means that the user writes an OTcl script that defines the network (number of nodes, links), the traffic in the network (sources, destinations, type of traffic) and which protocols it will use. This script is then used by ns during the simulation. The result of the simulation is an output trace file that can be used for data processing (calculating delay, throughput, etc.) and to visualize the simulation with a program called Network Animator (NAM). NAM is a very good visualization tool that shows the packets as they propagate through the network. An overview of how a simulation is done in ns is shown in Figure 5.2.

Figure 5.2: Network Simulator-2
5.2 Network Simulator Architecture

NS-2 is an object-oriented simulator, written in C++, with an OTcl interpreter as a front-end. For efficiency reasons, NS separates the data path implementation from the control path implementation. In order to reduce packet and event processing time (not simulation time), the event scheduler and the basic network component objects in the data path are written and compiled in C++. These compiled objects are made available to the OTcl interpreter through an OTcl linkage that creates a matching OTcl object for each C++ object and makes the control functions and configurable variables specified by the C++ object act as member functions and member variables of the corresponding OTcl object. In this way, control of the C++ objects is given to OTcl. It is also possible to add member functions and variables to a C++-linked OTcl object. C++ objects that do not need to be controlled in a simulation, or that are used only internally by another object, do not need to be linked to OTcl. Likewise, an object (not in the data path) can be entirely implemented in OTcl. Figure 5.3 shows an example object hierarchy in C++ and OTcl. One thing to note in the figure is that for C++ objects that have an OTcl linkage forming a hierarchy, there is a matching OTcl object hierarchy very similar to that of C++. The two hierarchies are closely related to each other; from the user's perspective, there is a one-to-one correspondence between a class in the interpreted hierarchy and one in the compiled hierarchy. The root of this hierarchy is the class TclObject.

Figure 5.3: C++ and OTcl: The Duality

Users create new simulator objects through the interpreter; these objects are instantiated within the interpreter and are closely mirrored by a corresponding object in the compiled hierarchy. The interpreted class hierarchy is automatically established through methods defined in the class TclClass. User-instantiated objects are mirrored through methods defined in the class TclObject. There are other hierarchies in the C++ code and OTcl scripts; these other hierarchies are not mirrored in the manner of TclObject.

NS-2 uses two languages because the simulator has two different kinds of things to do. On one hand, a detailed simulation of protocols requires a systems programming language which can efficiently manipulate bytes and packet headers and implement algorithms that run over large data sets. For these tasks run-time speed is important and turn-around time (run simulation, find bug, fix bug, recompile, re-run) is less important. On the other hand, a large part of network research involves slightly varying parameters or configurations, or quickly exploring a number of scenarios. In these cases iteration time (change the model and re-run) is more important. Since the configuration runs once (at the beginning of the simulation), the run-time of that task is less important. NS-2 meets both of these needs with two languages, C++ and OTcl. C++ is fast to run but slower to change, making it suitable for detailed protocol implementation. OTcl runs much slower but can be changed very quickly (and interactively), making it ideal for simulation configuration. NS-2 (via Tcl) provides the glue to make objects and variables appear in both languages.

There are three steps in an NS-2 simulation. Initially, a script is written in OTcl and an environment is created, which includes the creation of nodes, their movement information and the traffic information. After these environments have been created, the next part is the simulation itself, which is done by the simulator. The third phase is the analysis part. Analysis can be done through animation (NAM) or through the trace files (awk, perl, xgraph).

Figure 5.4: Network Simulator Architecture
5.( Network Compo"e"ts Compo"e"ts i" N,+2
Each component of NS-2 [5] is briefly described here.
Link Layer: The LL used by a mobile node has an ARP module connected to it which resolves all IP to hardware (MAC) address conversions. Normally for all outgoing (into the channel) packets, the packets are handed down to the LL by the Routing Agent. The LL hands down packets to the interface queue. For all incoming packets (out of the channel), the MAC layer hands up packets to the LL which are then handed off at the node entry point.
ARP: The Address Resolution Protocol (implemented in BSD style) module receives queries from the Link layer. If ARP has the hardware address for the destination, it writes it into the MAC header of the packet. Otherwise it broadcasts an ARP query, and caches the packet temporarily. For each unknown destination hardware address, there is a buffer for a single packet. In case additional packets to the same destination are sent to ARP, the earlier buffered packet is dropped. Once the hardware address of a packet's next hop is known, the packet is inserted into the interface queue.
Interface Queue: The class PriQueue is implemented as a priority queue which gives priority to routing protocol packets, inserting them at the head of the queue. It supports running a filter over all packets in the queue and removes those with a specified destination address.
MAC Layer: The 802.11 distributed coordination function (DCF) MAC protocol has been implemented by CMU. DCF is similar to MACA and MACAW and is designed to use both physical carrier sense and virtual carrier sense mechanisms to reduce the probability of collisions due to hidden terminals. The transmission of each unicast packet is preceded by a Request-to-Send/Clear-to-Send (RTS/CTS) exchange that reserves the wireless channel for transmission of a data packet. Each correctly received unicast packet is followed by an Acknowledgment (ACK) to the sender, which retransmits the packet a limited number of times until this ACK is received. Broadcast packets are sent only when virtual and physical carrier sense indicate that the medium is clear, but they are not preceded by RTS/CTS and are not acknowledged by their recipients.
Antenna: An omni-directional antenna having unity gain is used by mobile nodes.
Network Interfaces: The Network Interface layer serves as the hardware interface which is used by a mobile node to access the channel. This interface, subject to collisions and the radio propagation model, receives packets transmitted by other node interfaces to the channel. The interface stamps each transmitted packet with the meta-data related to the transmitting interface like the transmission power, wavelength etc. This meta-data in the packet header is used by the propagation model in the receiving network interface to determine if the packet has the minimum power to be received and/or captured and/or detected (carrier sense) by the receiving node. The model approximates the DSSS radio interface (Lucent WaveLAN direct-sequence spread-spectrum).
Radio Propagation Model: It uses Friss-space attenuation (1/r^2) at near distances and an approximation to Two ray Ground (1/r^4) at far distances. The approximation assumes specular reflection off a flat ground plane.
5.4 Mobile Node
Each mobile node makes use of a routing agent for the purpose of calculating routes to other nodes in the ad-hoc network. Packets are sent from the application and are received by the routing agent. The agent decides a path that the packet must travel in order to reach its destination and stamps it with this information. It then sends the packet down to the link layer. The link layer uses an Address Resolution Protocol (ARP) to decide the hardware addresses of neighboring nodes and map IP addresses to their correct interfaces. When this information is known, the packet is sent down to the interface queue and awaits a signal from the Multiple Access Control (MAC) protocol. When the MAC layer decides it is ok to send it onto the channel, it fetches the packet from the queue and hands it over to the network interface which in turn sends the packet onto the radio channel.
Figure 5.5: A mobile Node
This packet is copied and is delivered to all network interfaces at the time at which the first bit of the packet would begin arriving at the interface in a physical system. Each network interface stamps the packet with the receiving interface's properties and then invokes the propagation model. The propagation model uses the transmit and receive stamps to determine the power with which the interface will receive the packet. The receiving network interfaces then use their properties to determine if they actually successfully received the packet and send it to the MAC layer if appropriate. If the MAC layer receives the packet error and collision free, it passes the packet to the mobile's entry point. From there it reaches a demultiplexer, which decides if the packet should be forwarded again, or if it has reached its destination node. If the destination node is reached, the packet is sent to a port demultiplexer, which decides to what application the packet should be delivered. If the packet should be forwarded again the routing agent will be called and the same process will be repeated.
5.5 Simulation Overview
A typical simulation with NS is shown in figure 5.6. Basically, it consists of generating the following input files to NS:
• A scenario file that describes the movement pattern of the nodes.
• A communication file that describes the traffic in the network.
These files can be generated by drawing them by hand using the visualization tool Ad-hockey or by generating completely randomized movement and communication patterns with a script.
Ad-hockey is a Perl/Tk program that can assist in the creation of scenario files for use by the CMU Monarch extensions to ns and in the visualization of the simulation trace files. These files are then used for the simulation and as a result from this, a trace file is generated as output. Prior to the simulation, the parameters that are going to be traced during the simulation must be selected. The trace file can then be scanned and analyzed for the various parameters that are to be measured. This can be used as data for plots with for instance GNU-plot. The trace file can also be used to visualize the simulation run with Ad-hockey or the network animator.
Normally for large topologies, the node movement and traffic connection patterns are defined in separate files for convenience. These movement and traffic files may be generated using CMU's movement and connection generators. In this section both are described separately.
5.6.1 Creating node movements
CMU's version of setdest used the system dependent /dev/random and made calls to the library function initstate() for generating random numbers. This was replaced with a more portable random number generator (class RNG) available in ns. The node-movement generator is available under the ~ns/indep-utils/cmu-scen-gen/setdest directory. The command line options for setdest are:
./setdest [-n num_of_nodes] [-p pausetime] [-s maxspeed] [-t simtime] [-x maxx] [-y maxy] > [outdir/movement-file]
-n, no. of nodes in the scenario.
-p, pause time between events.
-s, maximum speed of nodes.
-t, total simulation time.
-x, -y, dimensions of the scenario in terms of X-axis and Y-axis.
[outdir/movement-file], name of the file in which events are to be recorded.
After the parameters are passed at the command line a movement file is generated. The file begins with the initial position of the nodes and goes on to define node movements.
$ns_ at 2.000000000000 "$node_(0) setdest 90.441179 44.896240 1.373556"
This line from the movement file defines that node_(0) at time 2.0s starts to move toward destination (90.44, 44.89) at a speed of 1.37 m/s. These command lines can be used to change direction and speed of movement of mobile nodes. The General Operations Director (GOD) object is used to store global information about the state of the environment, network, or nodes that an omniscient observer would have, but that should not be made known to any participant in the simulation. Currently, the GOD object is used only to store an array of the shortest number of hops required to reach from one node to another.
The GOD object does not calculate this on the fly during simulation runs, since it can be quite time consuming. The information is loaded into the GOD object from the movement pattern file where lines of the form
$ns_ at 899.642 "$god_ set-dist 23 46 2"
are used to load the GOD object with the knowledge that the shortest path between node 23 and node 46 changed to 2 hops at time 899.642. The setdest program generates node-movement files using the random waypoint algorithm. These files already include the lines to load the GOD object with the appropriate information at the appropriate time. Thus at the end of the node-movement file is listed information like the number of destinations unreachable, the total number of route and connectivity changes for mobile nodes and the same info for each mobile node.
5.6.2 Creating random traffic pattern
Random traffic connections of TCP and CBR can be set up between mobile nodes using a traffic-scenario generator script. This traffic generator script is available under ~ns/indep-utils/cmu-scen-gen and is called cbrgen.tcl. It can be used to create CBR and TCP traffic connections between wireless mobile nodes. In order to create a traffic connection file, the type of traffic connection (CBR or TCP) needs to be defined, the number of nodes and the maximum number of connections to be set up between them, a random seed and, in case of CBR connections, a rate whose inverse value is used to compute the interval time between the CBR packets. So the command line looks like the following:
ns cbrgen.tcl [-type cbr|tcp] [-nn nodes] [-seed seed] [-mc connections] [-rate rate] > [outdir/file-name]
-type, defines the type of traffic. Options are TCP or CBR.
-nn, defines the number of nodes which are involved in the simulation.
-seed, provides a number between 0 and 1 for the random number generator for the generation of random traffic.
-mc, gives the number of connections to be created during simulation.
-rate, gives the rate at which the connections are created.
After passing the parameters on the command line a traffic pattern is generated; that traffic pattern is written to a file so that it can be used during simulations.
5.7 Scenarios
Before the start of simulations some common environments need to be created in which the protocols are to be compared. The scenario and the performance metrics are also to be finalized before simulations. The most common approach for an ad-hoc scenario is a randomized movement pattern within a constantly sized area. Only two-dimensional simulations have been made, even though a three dimensional approach would be better since it would correspond better to reality (radio signals do propagate through walls and floors to some extent). The two dimensional scenarios are typically based on a couple of input variables. Pause time and velocity are the two significant variables for the movement model. Nodes are initially randomly distributed inside a rectangular area. When the simulation commences each node pauses at its current position for pause time seconds. The next step is to pick a new arbitrary location and start moving towards it. As with the pause time, the velocity with which the node will start moving is randomly chosen from an interval of max and min velocity. When the node reaches its new position it will pause once again for pause time seconds and then the process will repeat itself until the end of the simulation is reached. All nodes behave in the same way. On this Random waypoint movement model the analysis is done with the help of one parameter, the speed (m/sec) of nodes. Two more scenarios are simulated, one varying the number of nodes in the network and the other varying the no. of sources in the network. In SC-I speed is varied and other parameters are constant, in SC-II the no. of nodes is varied and in SC-III the no. of sources is varied, as described in table 5.1.
Environment | Speed (m/sec)     | No. of nodes      | No. of sources
SC-I        | 10,20,30,40,50,60 | 10                | 1
SC-II       | 20                | 10,20,30,40,50,60 | 1
SC-III      | 20                | 30                | 1,2,3,4,5,6
Table 5.1: Scenario Parameters
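As an added example (not CMU's setdest program), the following Python implements the random waypoint model described above and writes lines in the setdest movement-file format of section 5.6.1, including initial "$god_ set-dist" hop counts computed from the starting positions. It assumes the 250 m transmitter range given for 802.11 nodes in ns-2, omits GOD lines for pairs not connected at time 0, and the parser at the end reads back the setdest line quoted in section 5.6.1.

```python
"""Random waypoint movement generator writing the setdest movement-file
format.  Added example, not CMU's setdest; all parameters are constructed."""
import math
import random
import re
from collections import deque

RANGE_M = 250.0   # 802.11 transmitter range assumed for the hop counts


def random_waypoint(num_nodes, max_x, max_y, pause, min_speed, max_speed,
                    sim_time, seed=1):
    """Return (positions, events).  positions: initial (x, y) of each node.
    events: (time, node, dest_x, dest_y, speed) tuples sorted by time.
    Each node pauses, picks a random destination and a speed drawn uniformly
    from [min_speed, max_speed], travels there, pauses again and repeats
    until sim_time, as the movement model above describes."""
    if min_speed <= 0 or max_speed < min_speed:
        raise ValueError("need 0 < min_speed <= max_speed")
    rng = random.Random(seed)
    positions = [(rng.uniform(0, max_x), rng.uniform(0, max_y))
                 for _ in range(num_nodes)]
    events = []
    for node, (x, y) in enumerate(positions):
        t = pause                          # initial pause at the start position
        while t < sim_time:
            dx, dy = rng.uniform(0, max_x), rng.uniform(0, max_y)
            speed = rng.uniform(min_speed, max_speed)
            events.append((t, node, dx, dy, speed))
            t += math.hypot(dx - x, dy - y) / speed + pause  # travel, then pause
            x, y = dx, dy
    events.sort()
    return positions, events


def hop_counts(positions, range_m=RANGE_M):
    """Shortest hop count between every pair of nodes, found by breadth-first
    search over the graph of nodes within range_m; unreachable pairs are inf."""
    n = len(positions)
    adj = [[j for j in range(n)
            if j != i and math.dist(positions[i], positions[j]) <= range_m]
           for i in range(n)]
    hops = [[math.inf] * n for _ in range(n)]
    for s in range(n):
        hops[s][s] = 0
        queue = deque([s])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if hops[s][v] == math.inf:
                    hops[s][v] = hops[s][u] + 1
                    queue.append(v)
    return hops


def movement_file_lines(positions, events, hops):
    """Lines in the setdest format: initial positions, GOD hop counts for the
    pairs connected at time 0 (assumption: unconnected pairs are omitted),
    then the timed setdest commands."""
    lines = []
    for i, (x, y) in enumerate(positions):
        lines.append(f"$node_({i}) set X_ {x:.6f}")
        lines.append(f"$node_({i}) set Y_ {y:.6f}")
        lines.append(f"$node_({i}) set Z_ 0.000000")
    n = len(positions)
    for i in range(n):
        for j in range(i + 1, n):
            if hops[i][j] != math.inf:
                lines.append(f"$god_ set-dist {i} {j} {hops[i][j]}")
    for t, node, dx, dy, speed in events:
        lines.append(f'$ns_ at {t:.12f} "$node_({node}) setdest '
                     f'{dx:.6f} {dy:.6f} {speed:.6f}"')
    return lines


SETDEST_RE = re.compile(
    r'^\$ns_ at (\S+) "\$node_\((\d+)\) setdest (\S+) (\S+) (\S+)"$')


def parse_setdest_line(line):
    """Read a movement line back as (time, node, dest_x, dest_y, speed),
    or None if the line is not a setdest command."""
    m = SETDEST_RE.match(line.strip())
    if not m:
        return None
    t, node, x, y, speed = m.groups()
    return float(t), int(node), float(x), float(y), float(speed)


if __name__ == "__main__":
    pos, ev = random_waypoint(5, 1000.0, 1000.0, pause=2.0, min_speed=1.0,
                              max_speed=20.0, sim_time=100.0, seed=7)
    for line in movement_file_lines(pos, ev, hop_counts(pos)):
        print(line)
```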
Each run of the simulation accepts a scenario file as input that describes the exact motion of each node and the exact sequence of packets originated by each node. It also describes each time at which each change in motion or packet origination is to occur. A number of scenario files is pre-generated with different parameters as explained in section 5.8. Both LRAODV & LRAODV protocols are run against both scenarios. The output of the simulation is a trace file & an animator file. The trace file is analyzed with the help of the AWK programming language available in all UNIX & LINUX environments.
5.8 Simulation Parameters
Various default parameters like Channel, Propagation medium, Network Interface type, MAC protocol, Link layer type, interface queue and antenna type are the same for both scenarios. Other default parameters like the path of the node-movement file and traffic-generation file need to be mentioned accordingly in the tcl script file. The simulation parameters used to produce the simulation suite for this work are summarized in table 5.2 and explained as follows: A scenario size of 1000 m x 1000 m square is chosen because a square area does not discriminate one direction of motion like a rectangular area does. The transmitter range of 802.11 nodes in ns-2 is 250 m [5] and this is the maximum possible distance between two mobile nodes. They cannot communicate with each other beyond this.
The source-destination pairs are spread randomly over the network. The number of source-destination pairs and the packet sending rate in each pair is varied to change the offered load in the network. Traffic sources are CBR (continuous bit-rate). Each node starts its journey from a random location to a random destination according to the speed parameter specified in the scenarios. Once the destination is reached, another random destination is targeted after the specified pause. Simulations are run for 100 simulated seconds for 50 nodes. For fairness, identical mobility and traffic scenarios are used across protocols.
Simulation trace files:
After each simulation, trace files recording the traffic and node movements are generated. These files need to be parsed in order to extract the information needed to measure the performance metrics. The trace format of the trace file contains the following fields, as shown in figure 5.7.
Figure 5.7: Trace formats of output trace file (fields, left to right: Event | Time | From node | To node | Pkt type | Pkt size | Flags | FID | Src Addr | Dst Addr | Seq Num | Pkt id)
In it the event field can have the following values:
• r : receive at node
• s : sent by node
• d : drop
• + : enqueue (at queue)
• - : dequeue (at queue)
Each trace line starts with an event (+, -, r, s, d) descriptor followed by the simulation time (in seconds) of that event. The next fields are the From and To node, the link on which the event occurred. Packet type tells the type of layer generating the packet, whether it is an application packet (AGT), router packet (RTR), interface queue packet (IFQ) etc. Packet size is the size of the packet at the current layer. The size of the packet increases when the packet goes down and it decreases when the packet goes up. The flag can be set to 'P' for priority, 'E' for congestion experienced, 'A' for congestion window reduced and 'F' for fast start. The next field is the Flow Identity (FID) of IPv6 that a user can set for each flow in the input OTCL script. The next two fields are the source and destination address in the form node.port.
The next field shows the network layer protocol's sequence number. NS-2 keeps track of the UDP packet sequence number. The last field shows the unique id of the packet. Having simulation trace data at hand, all one has to do is to transform a subset of the data of interest into comprehensible information and analyze it.
CHAPTER 6 : RESULTS & DISCUSSION
6.1 Parameters chosen for Evaluation
A number of intrusion detection schemes for MANETs have been suggested and they all try to detect the intrusions in the network using the different aspects of routing protocols and of the network. But how is it decided which one is the best? This depends upon the structure and properties of the network. The nodes might be moving fast or slow, they might be highly concentrated into a small area or widely spread out over a large area. There are undoubtedly many questions that a designer of a system has to take into account. It is necessary to choose suitable metrics for system evaluations. The performance metrics describe the outcome of the simulation or set of simulations. These metrics are interesting because they can be used to point out what really happened during the simulation and provide valuable information about the proposed system.
The following metrics are chosen in this work for protocol evaluation.
Detection Rate
It is the rate of detecting the blackhole node in the network. It is a very important metric as it signifies the success of the intrusion detection system.
False Positive Alarm
It is the number of times a legitimate node is detected as a malicious node.
Packet Delivery Ratio
The ratio between the number of packets originated by the "application layer" at the CBR source and the number of packets received by the "application layer" at the CBR sink at the final destination. It is desirable that a routing protocol keeps this ratio high. The greater this ratio is, the more reliable the ad-hoc network will be.
Packet Delivery Ratio = Received packets / Sent packets
Packet delivery ratio is important as it describes the loss rate that will be seen by the transport protocols, which in turn affects the maximum throughput that the network can support. This metric characterizes both the completeness and correctness of the routing protocol.
Routing Overhead
The total number of routing packets transmitted & received by all the nodes during the simulation is known as routing overhead, as energy dissipates both in sending a packet as well as in receiving a packet for processing it. For packets sent over multiple hops, each transmission of the packet counts as one. This is an interesting metric. In some way it reveals how bandwidth efficient the routing protocol is. The routing overhead metric simply shows how much of the bandwidth (which often is one of the limiting factors in a wireless system) is consumed by routing messages, i.e. the amount of bandwidth available to data packets. The routing overhead is typically much larger for proactive protocols since they periodically flood the network with update messages. As the mobility in the network increases, reactive protocols will of course have to send more routing messages too. This is where the real strengths and weaknesses of the routing protocol are revealed. One thing more is that it is an important metric for comparing protocols, as it measures the scalability of a protocol, the degree to which it will function in congested or low-bandwidth environments.
End-to-End Delay
End-to-End Delay is the average time a packet takes for delivery to its destination after it was transmitted. It tells how a protocol adapts or arranges for an immediate delivery of packets to its desired destination. Average delay is the sum of all possible delays caused by:
• Route Discovery Latency
• Queuing at the interface queue
• Retransmission delays at the MAC
• Propagation delay
• Transfer time
Simulation of both protocols in the scenarios stated resulted in two types of traces. One of them is useful for animation of the simulation and the second is used for finding out the efficiencies of the protocols and their behavior.
The trace files generated are very large in size; a script written in the AWK programming language is used to analyze the trace files generated. The algorithms for the scripts are listed in Appendix A.
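The trace fields of figure 5.7 and the packet delivery ratio, routing overhead and end-to-end delay metrics defined above can be computed with a small parser; the Python below is an added example, not the AWK scripts of Appendix A. It assumes that an 's' event whose From node equals the node of the source address is the origination of a data packet, that an 'r' event whose To node equals the node of the destination address is its delivery, and that routing packets carry the packet type "AODV"; the trace lines inside it are constructed.

```python
"""Packet delivery ratio, routing overhead and average end-to-end delay from
trace lines with the 12 fields of figure 5.7.  Added example; the trace below
is constructed, not output of the simulations described on the page."""
from dataclasses import dataclass

EVENTS = ("r", "s", "d", "+", "-")
ROUTING_TYPES = {"AODV"}   # packet types counted as routing overhead (assumption)


@dataclass(frozen=True)
class TraceRecord:
    event: str      # r, s, d, +, -
    time: float     # simulation time in seconds
    src_node: int   # "From" node of the link
    dst_node: int   # "To" node of the link
    ptype: str      # cbr, tcp, AODV, ...
    size: int       # packet size at the current layer
    flags: str      # e.g. "-------"
    fid: int        # flow id set in the OTcl script
    src_addr: str   # node.port
    dst_addr: str   # node.port
    seq: int        # network layer protocol sequence number
    pkt_id: int     # unique packet id


def parse_line(line):
    """Return a TraceRecord for one trace line, or None if it is malformed."""
    f = line.split()
    if len(f) != 12 or f[0] not in EVENTS:
        return None
    try:
        return TraceRecord(f[0], float(f[1]), int(f[2]), int(f[3]), f[4],
                           int(f[5]), f[6], int(f[7]), f[8], f[9],
                           int(f[10]), int(f[11]))
    except ValueError:
        return None


def node_of(addr):
    """'3.0' (node.port) -> 3"""
    return int(addr.split(".")[0])


def analyze(lines, data_type="cbr"):
    """Metrics over an iterable of trace lines for one data packet type."""
    sent = {}        # pkt_id -> origination time at the source node
    delivered = {}   # pkt_id -> receipt time at the destination node
    routing = 0      # routing packets sent or received, one per hop
    dropped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.ptype in ROUTING_TYPES:
            if rec.event in ("s", "r"):
                routing += 1
            continue
        if rec.ptype != data_type:
            continue
        if rec.event == "s" and rec.src_node == node_of(rec.src_addr):
            sent.setdefault(rec.pkt_id, rec.time)       # first send = origination
        elif rec.event == "r" and rec.dst_node == node_of(rec.dst_addr):
            delivered.setdefault(rec.pkt_id, rec.time)  # arrived at final destination
        elif rec.event == "d":
            dropped += 1
    delays = [delivered[p] - sent[p] for p in delivered if p in sent]
    return {"sent": len(sent), "received": len(delays), "dropped": dropped,
            "pdr": len(delays) / len(sent) if sent else 0.0,
            "routing_overhead": routing,
            "avg_delay": sum(delays) / len(delays) if delays else 0.0}


# Constructed trace: CBR flow 1 from node 0 to node 2 via node 1, preceded by
# an AODV route discovery (port 255); packet 2 is dropped at node 1.
CONSTRUCTED_TRACE = """\
s 0.500000 0 1 AODV 48 ------- 0 0.255 -1.255 0 100
r 0.502000 0 1 AODV 48 ------- 0 0.255 -1.255 0 100
s 0.503000 1 2 AODV 48 ------- 0 1.255 -1.255 0 101
r 0.505000 1 2 AODV 48 ------- 0 1.255 -1.255 0 101
s 0.506000 2 1 AODV 44 ------- 0 2.255 0.255 0 102
r 0.508000 2 1 AODV 44 ------- 0 2.255 0.255 0 102
s 0.509000 1 0 AODV 44 ------- 0 2.255 0.255 0 103
r 0.511000 1 0 AODV 44 ------- 0 2.255 0.255 0 103
s 1.000000 0 1 cbr 512 ------- 1 0.0 2.0 0 0
r 1.010000 0 1 cbr 512 ------- 1 0.0 2.0 0 0
s 1.012000 1 2 cbr 512 ------- 1 0.0 2.0 0 0
r 1.030000 1 2 cbr 512 ------- 1 0.0 2.0 0 0
s 1.100000 0 1 cbr 512 ------- 1 0.0 2.0 1 1
r 1.110000 0 1 cbr 512 ------- 1 0.0 2.0 1 1
s 1.112000 1 2 cbr 512 ------- 1 0.0 2.0 1 1
r 1.150000 1 2 cbr 512 ------- 1 0.0 2.0 1 1
s 1.200000 0 1 cbr 512 ------- 1 0.0 2.0 2 2
r 1.210000 0 1 cbr 512 ------- 1 0.0 2.0 2 2
d 1.211000 1 2 cbr 512 ------- 1 0.0 2.0 2 2
s 1.300000 0 1 cbr 512 ------- 1 0.0 2.0 3 3
r 1.310000 0 1 cbr 512 ------- 1 0.0 2.0 3 3
s 1.312000 1 2 cbr 512 ------- 1 0.0 2.0 3 3
r 1.340000 1 2 cbr 512 ------- 1 0.0 2.0 3 3
this line is not a trace record and is skipped
"""

if __name__ == "__main__":
    print(analyze(CONSTRUCTED_TRACE.splitlines()))
```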
6.2 ,$e"#rio I : #ri"- t%e mo*ilit o! "odes
n this scenario, the speed of nodes including blackhole node is varied from &' msec to F' msec. As the speed of node is varied its neighborhood of the nodes changes regularly. !o this scenario provides a good testing challenge for the proposed sy syst stem em.. The Th e analysis is done using using all above discussed parameters. parameters.
6.2.1 Dete$tio" R#te
/i-ure 6.1: Dete$tio" R#te i" ,C+1
2igure E.& shows that as the mobility of nodes increases, the neighborhood of the nodes changes with the same same rate, so the detection rate of proposed sy system stem falls a little, but it is still better than +8A#+< in detecting the blackhole.
6.2.2 /#lse Positi8e Al#rm
As the mobility of nodes increases, the neighborhood of nodes changes regularly. !o the false detection of malicious nodes increases with mobility of nodes in the proposed system as shown in figure E.3, but it is still better than +8A#+<. E?
/i-ure 6.2: /#lse Positi8e Al#rm i" ,C+1
6.2.( P#$ket Deli8er R#tio
/i-ure 6.( : P#$ket Deli8er R#tio i" ,C+1
2igure E. E.5 sho shows that as the mobility of nodes increases, the detection rate decreases, so the packet delivery ratio decreases a little. But it is still better than +8A#+< and attains the minimum I'` tested speed.
EE
del deliver ery y ra ratios ios at ma*imum
6.2.4 Routi"- O8er%e#d
2igure E.> shows that the routing overhead of proposed system is a little more than normal A#+< due to generation of alarm packet.
/i-ure 6.4: Routi"- O8er%e#d i" ,C+1
6.2.5 A8er#-e E"d to E"d Del#
2igure E.? shows that there is a little rise in average end to end delay in the proposed system as compared with actual A#+< system.
/i-ure 6.5: A8er#-e A8er#-e E"d to E"d Del# i" ,C+1
EF
6.( ,$e"#rio II : #ri"- t%e "etwork sie
n this scenario, scenario, the the no. of nodes nodes in the network network is varied varied from from &' to E' . The
analysi analysiss is
done using using all paramete parameters, rs, +etection +etection 8ate, 2alse ositive ositive Alarm Alarm,, acket acket delivery ratio, 8outing overhead and nd/to/nd delay.
6.(.1 Dete$tio" R#te
/i-ure 6.6: Dete$tio" R#te i" ,C+II
The +etection +etection rate of this scenario is better than previous case as shown in figure E.E. n this, all the nodes are moving with same speed through out scenarios, but the number of nodes changes from &'/E' the having fi* mobility. The detection rate is having almost constant value through the scenario, as no. of nodes will not make bad impact on detection. 6.(.2 /#lse Positi8e Al#rm
/i-ure 6.9: /#lse Positi8e Al#rm i" ,C+II
E4
The mobility mobility of nodes this scenarios is fi*ed at 3'msec. !o the mobility has not any effect on the result on this scenarios. !o detection rate and false positive alarms are not that effected effected in this scenario.
6.(.( P#$ket Deli8er R#tio
/i-ure 6.>: P#$ket Deli8er R#tio i" ,C+II
#ur system has better detection rate than previous system, so the packet delivery ratio is better in each case as shown in results in figure E.4. 6.(.4 Routi"- O8er%e#d
/i-ure 6.?:Routi"- O8er%e#d i" ,C+II
EI
2igure E.I shows that the routing routing overhead of proposed system system is a little more than normal A#+< due to generation of alarm packet.
6.(.5 A8er#-e E"d to E"d Del#
2igure E.&' shows that there is a little rise in average end to end delay in the proposed system as compared with actual A#+< system.
/i-ure 6.1: A8er#-e A8er#-e E"d to E"d del# i" ,C+II
6.4 ,$e"#rio III : #ri"- t%e tr#!!i$ lo#d
n this scenario, the no. of source nodes in the network is varied from & to E . The analysis is done using all parameters, parameters, +etection +etection 8ate, 8ate, 2alse 2alse ositive ositive Alarm, Alarm, acket acket delivery ratio, 8outing overhead and nd/to/nd delay. 6.4.1 Dete$tio" R#te
As the traffic load of a network increases, detection detection rate of proposed system falls a little but it is better than previous system as well as previous scenarios as shown in figure E.&&
6.4.2 /#lse Positi8e Al#rm
As the traffic load of network increases, the no. of connection to a specific node also increases, which further increases increases the se-uence number of that node. !o the destination will have higher value of se-uence number in this scenario. e are using average of destination se-uence F'
number as one of our factors in detection. !o system@s chances for false detection in this scenario increases which is shown in results of false detection rate for this scenario in figure E.&3.
/i-ure 6.11: Dete$tio" R#te i" ,C+III
/i-ure 6.12: /#lse positi8e Al#rm i" ,C+III
6.4.( P#$ket Deli8er R#tio
As we already discussed, our system has better detection rate than previous system, so the packet delivery ratio is better in each case as shown sh own in results in figure E.&5 E.&5..
F&
/i-ure 6.1(: P#$ket deli8er R#tio i" ,C+III
6.4.4 Routi"- O8er%e#d
2igure E.&> shows that the routing routing overhead of proposed system system is a little more than norm normal al A#+< due to generation of alarm packet.
/i-ure 6.14: Routi"- O8er%e#d i" ,C+III
6.4.5 A8er#-e E"d to E"d Del#
2igure E.&? shows that there is a little rise in average end to end delay in the proposed system as compared with actual A#+< system.
F3
/i-ure 6.15: A8er#-e A8er#-e E"d to E"d Del# i" ,C+III
e had also find out false detection rate as compared with threshold fidelity level. f the threshold level in fu77y system is kept at low values, the successful detection of malicious behavior decreases and chances of considering malicious nodes as legitimate node increases. Butt if thres Bu threshol hold d is kept kept at very very high high value, value, the legi legitim timate ate nodes nodes are also also consid considere ered d as malicious, thus again increasing the false detection rate. As shown in figure E.&E, the most suitable value of threshold is between ? /?.?.
SUMMARY
Ad hoc networking is a very hot field for today's researchers as it is an infrastructure-less wireless network. Application areas of MANET are increasing day by day, from Home networks, Office networks, Ubiquitous computing and Bluetooth networks to finally the evolution of wearable computing. But as participating nodes are wireless and mobile, due to which the network topology changes a lot, it poses a great challenge in security of the network. Protocols of the network should make sure that the route is established through legitimate nodes and not the malicious nodes. Other important issues are energy efficiency & scalability as well, as mobile nodes cannot have a continuous power source.
Many protocols have been proposed in the literature, mainly in the three categories of reactive, proactive & mixed. Reactive protocols perform better as they are on-demand-driven; they adjust to the network topology faster than others & incur less overhead. AODV is a popular on demand routing protocol for mobile Ad hoc networks due to its moderate overhead & route convergence performance. So many enhancements have been proposed for AODV to improve its security, in terms of intrusion detection systems and intrusion response systems.
This work proposes a fuzzy based intrusion detection system to detect the blackhole attack on AODV in MANET by using AODV routing traffic and network traffic. The fuzzy rules are applied on the collected parameters and according to the results it is decided if the node is a blackhole node or a legitimate node. Results prove that the proposed fuzzy system is more successful in the detection of the blackhole node than the previous IDS and thus improves the overall packet delivery ratio of the network.
CONCLUSION
The objective of this work is to investigate the success of the proposed intrusion detection system against the blackhole attack in AODV for MANET. The analysis of the proposed system is done in ns-2. Security is the primary issue in every network. Intruders in the network can degrade the overall performance of the network. Every network and its supporting protocols should have a definite system to detect the intruders, so that they can be isolated from the network. This work proposes an intrusion detection system against the blackhole attack in AODV using fuzzy logic. This system does the additional task of generating the alarm packet to isolate the intruder from the network. Following is the list of conclusions made after the simulation.
• The major improvement of the system is in terms of detection rate, which is 9% higher than the previous system as shown in the results of all three scenarios used for simulation.
• False positive alarm is at least 5% lower than the previous system, which signifies how the proposed system makes an effective distinction between normal behavior and legitimate behavior.
• As the detection rate is high and our system also generates the alarm packet to isolate the blackhole node from the network, the packet delivery ratio of the system is improved up to the required level.
• Routing overhead and average end to end delay of the system are just the same as for original AODV.
FUTURE WORK
The following points can be considered for the extension of this study:
• The proposed system can be further extended to provide security from more active attacks that a malicious node can perform against the routing protocol.
• The proposed system could also be extended to operate for proactive routing protocols like DSDV.
• The work can be extended to work on TCP traffic.
• Another thing that could be considered for future work is to implement and test the proposed system in a real ad hoc network environment.
REFERENCES
[1] Payal N. Raj and Prashant B. Swadas (2009) DPRAODV: A Dynamic Learning System against Blackhole attack in AODV based MANET, International Journal of Computer Science, Vol. 2.
[2] Satoshi Kurosawa, Hidehisa Nakayama, Nei Kato, Abbas Jamalipour and Yoshiaki Nemoto (Nov. 2007) Detecting Blackhole Attack on AODV-based Mobile Ad Hoc Networks by Dynamic Learning Method, International Journal of Network Security, Vol. 5, No. 3, pp. 338-346.
[3] J. Martin Leo Manickam Anna and S. Shanmugavel (2007) Fuzzy based Trusted Ad hoc On-demand Distance Vector Routing Protocol for MANET, Third International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob 2007).
[4] R.A. Raja Mahmood, A.I. Khan (2007) A Survey on Detecting Black Hole Attack in AODV-based Mobile Ad Hoc Networks, Clayton School of Information Technology, Monash University, Australia; High Capacity Optical Networks and Enabling Technologies, 2007 (HONET 2007), International Symposium on.
[5] Kevin Fall and Kannan Varadhan (April 2005) NS Documentation, http://www.isi.edu/nsnam/ns/ns-documentation.html.
[6] I. Stamouli, P. G. Argyroudis and H. Tewari (2005) Real-time intrusion detection for ad hoc networks, Sixth Intl. Symposium on a World of Wireless Mobile and Multimedia Networks (WoWMoM'05), pp. 374-380.
[7] M. Hollick, J. Schmitt, C. Seipl and R. Steinmetz (Feb. 2004) The ad hoc on-demand distance vector protocol: an analytical model of the route acquisition process, Proc. of Second Intl. Conference on Wired/Wireless Internet Communications (WWIC'04), Frankfurt, pp. 201-212.
[8] M. Hollick, J. Schmitt, C. Seipl and R. Steinmetz (June 2004) On the effect of node misbehavior in ad hoc networks, Proc. of IEEE Intl. Conference on Communications (ICC'04), Paris, pp. 3759-3763.
[9] Y. Zhang, W. Lee and Y. Huang (September 2003) Intrusion Detection Techniques for Mobile Wireless Networks, ACM/Kluwer Wireless Networks Journal (ACM WINET), Vol. 9, No. 5.
[10] C. Perkins, Belding-Royer (July 2003) Ad hoc On-demand Distance Vector (AODV), Request For Comments (RFC) 3561.
[11] Amit Jardosh, Elizabeth M. Royer, Kevin C. Almeroth, Subhash Suri (Sept. 14-19, 2003) Towards Realistic Mobility Models for Mobile Ad-hoc Networks, MobiCom'03.
[12] A. Habib, M. Hefeeda, B. Bhargava (2003) Detecting Service Violation and DoS Attacks, in Proceedings of the Network and Distributed System Security Symposium (NDSS).
[13] P. Papadimitratos, Z. J. Haas (October 2002) Securing the Internet Routing Infrastructure, IEEE Communications, Vol. 40, No. 10.
[14] Y.C. Hu, A. Perrig, D. B. Johnson (September 2002) Ariadne: A Secure On-demand Routing Protocol for Ad hoc Networks, in Proceedings of the 8th ACM International Conference on Mobile Computing and Networking (MobiCom'02), pp. 12-23.
[15] F. Stajano (2002) Security for Ubiquitous Computing, Wiley.
[16] P. Albers, O. Camp, J.-M. Percher, B. Jouga, L. Mé, R. Puttini (2002) "Security in Ad Hoc Networks: a General Intrusion Detection Architecture Enhancing Trust Based Approaches", The 1st International Workshop on Wireless Information Systems (WIS 2002), in the 4th International Conference on Enterprise Information Systems.
[17] K. Paul, D. Westhoff (2002) Context Aware Detection of Selfish Nodes in DSR based Ad hoc Networks, in Semi-annual Proceedings of the Vehicular Technology Conference (VTC'02).
[18] S. Yi, P. Naldurg, R. Kravets (October 2001) Security-aware Ad hoc Routing for Wireless Networks, in Proceedings of the 2nd ACM Symposium on Mobile Ad hoc Networking and Computing (MobiHoc'01), pp. 299-302.
[19] B. Dahill, B. N. Levine, E. Royer, C. Shields (August 2001) A Secure Routing Protocol for Ad hoc Networks, Technical report UM-CS-2001-037, University of Massachusetts.
[20] B. Dahill, B. N. Levine, E. M. Royer, C. Shields (August 2001) A Secure Routing Protocol for Ad hoc Networks, Technical Report UM-CS-2001-037, University of Massachusetts.
[21] C. E. Perkins, Ad hoc Networking, Addison-Wesley, 2001.
[22] Y. Zhang, W. Lee (August 2000) Intrusion Detection on Wireless Ad hoc Networks, in Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (MobiCom'00).
[23] V. Karpijoki (2000) Security in Ad hoc Networks, in Proceedings of the Helsinki University of Technology Seminars on Network Security, Helsinki, Finland.
[24] S. Marti, T. J. Giuli, K. Lai, M. Baker (2000) Mitigating Routing Misbehaviour in Mobile Ad hoc Networks, in Proceedings of the 6th Annual ACM International Conference on Mobile Computing and Networking, pp. 255-265.
Communication Review (SIGCOMM'91), pp. 234-245.
[32] Phil Karn (September 1990) MACA: A new channel access method for packet radio, in Proceedings of the 9th Computer Networking Conference, pages 134-140.
[33] R. Heady, G. Luger, A. Maccabe, M. Servilla (August 1990) The architecture of a Network Level Intrusion Detection System, Technical report, Computer Science Department, University of New Mexico.
[34] C. Lee (1990) Fuzzy logic in control systems: fuzzy logic controller, Part I and II, IEEE Trans. Syst., Man & Cybern., Vol. 20, pp. 404-435.
[35] Bing Wu, Jianmin Chen, Jie Wu, Mihaela Cardei, A Survey of Attacks and Countermeasures in Mobile Ad Hoc Networks, Department of Computer Science and Engineering, Florida Atlantic University.
[36] J. Lundberg, Routing Security in Ad hoc Networks, http://citeseer.nj.nec.com/400961.html.
[37] S. Rajasekaran and G.A. Vijayalakshmi Pai, Neural Networks, Fuzzy Logic and Genetic Algorithms: synthesis and applications, Prentice Hall of India Publications.
[38] Timothy J. Ross, Fuzzy Logic with Engineering Applications, McGraw Hill, Inc.
[39] Andrew S. Tanenbaum, Computer Networks, Prentice Hall of India, Third Edition.
1. Scan the traffic of immediate neighbors.
2. forwarded = 0; receive = 0; (for neighbor j)
3. do while packet transmission
4.   if (node j is neither source nor destination && packet is CBR)
5.     if (action is 's') then
         a. forwarded = forwarded + 1
         b. elseif (action is 'r') then receive = receive + 1
6.     end if
7.   next record
8. end while
9. forward packet ratio = forwarded / receive
10. end
1. Scan the traffic of immediate neighbors.
2. f_seqratio (average sequence number) = 0; f_count = -1; (for neighbor j)
3. do while packet transmission
4.   if (node j is neither source nor destination && packet is RR)
5.     if (f_count is -1) then
         a. f_seqratio = 0; f_lseqno = seqno (current sequence number); f_count = 0
         b. else f_seqratio = (((f_count) * (f_seqratio)) + (seqno - f_lseqno)) / ++(f_count); f_lseqno = seqno;
6.     end if
7.   next record
8. end while
9. end
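As an added example (not code from the thesis), the two per-neighbour features the algorithms above compute, run over constructed trace records in a tuple layout of my own; route-reply records are tagged "RR" as in the pseudocode, and the first-reply branch also sets f_count to 0 so that the running mean can start:

```python
# Added example: per-neighbour features of the monitoring algorithms, over
# constructed records. Layout (my own): (action, observed_node, pkt_type, src, dst, seqno)
RECORDS = [
    # transit CBR traffic seen at n1: every packet received is sent on again
    ("r", "n1", "cbr", "s0", "d9", 0), ("s", "n1", "cbr", "s0", "d9", 0),
    ("r", "n1", "cbr", "s0", "d9", 0), ("s", "n1", "cbr", "s0", "d9", 0),
    # n1's own traffic must not count: n1 is the source here
    ("s", "n1", "cbr", "n1", "d9", 0),
    # transit CBR traffic seen at n2: received, never forwarded (blackhole-like)
    ("r", "n2", "cbr", "s0", "d9", 0), ("r", "n2", "cbr", "s0", "d9", 0),
    # route replies ("RR" as in the pseudocode) carrying the announced seqno
    ("s", "n1", "RR", "-", "-", 10), ("s", "n1", "RR", "-", "-", 12),
    ("s", "n1", "RR", "-", "-", 14),
    ("s", "n2", "RR", "-", "-", 10), ("s", "n2", "RR", "-", "-", 1010),
    ("s", "n2", "RR", "-", "-", 2010),
]

def forward_packet_ratio(records, j):
    """First algorithm, step 9: CBR packets j sent on / CBR packets j received in transit."""
    forwarded = received = 0
    for action, node, ptype, src, dst, _ in records:
        if node != j or ptype != "cbr" or j in (src, dst):
            continue  # only data that j is relaying for other nodes
        if action == "s":
            forwarded += 1
        elif action == "r":
            received += 1
    return forwarded / received if received else 0.0

def avg_seq_gap(records, j):
    """Second algorithm: running mean of the jump between consecutive sequence numbers j announces."""
    count, ratio, last = -1, 0.0, None
    for _, node, ptype, _, _, seqno in records:
        if node != j or ptype != "RR":
            continue
        if count == -1:  # first reply: nothing to compare against yet
            ratio, last, count = 0.0, seqno, 0
        else:
            count += 1   # the pseudocode's ++(f_count) divisor
            ratio = ((count - 1) * ratio + (seqno - last)) / count
            last = seqno
    return ratio
```

A relaying neighbour scores a forward ratio near 1 and a small sequence gap; a node that swallows transit data and advertises inflated sequence numbers scores near 0 and a large gap, which is what the fuzzy rules consume.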
Algorithm for Packet Delivery Ratio
1. Scan the trace record by record
2. receive = 0; sent = 0;
3. do while no record left
4.   get the record into variable
5.   if (action is 's') then
       a. sent = sent + 1
       b. elseif (action is 'r') then
          i. receive = receive + 1
       c. else
          i. ignore the record
6.   end if
7.   next record
8. end while
9. packet_delivery_ratio = receive / sent
10. print packet_delivery_ratio
11. end
Algorithm for Routing Overhead
1. Scan the trace record by record
2. router = 0
3. do while no record left
4.   get the record into variable
5.   split the record into an array of elements "a" separated by spaces
6.   trace_level = a[4]
7.   if trace_level = 'RTR'
       a. router = router + 1
8.   endif
9.   next record
10. end while
11. overhead = router / simulation_time_in_sec
12. print overhead
13. end
Algorithm for End-to-End Delay
1. highestpacket_id = 0; total_rec = 0; delay = 0;
2. do while no record left
3.   (Records here are only traces of the agent and not the router)
4.   Split the record into an array of elements "a" separated by spaces.
5.   Extract various parameters such as action, time, seq_no, packet_id, node_i, source, destination, flow id from the record. (Refer Appendix B for reading trace).
6.   If (packet_id > highestpacket_id) then
       a. highestpacket_id = packet_id
7.   endif
8.   Maintain two arrays, one for start time and the other for end time, for every packet_id, initialized to 0.
9.   If (action is 's') then start_time[packet_id] = time
10.  endif
11.  if (action is 'r') then end_time[packet_id] = time endif
12.  next record
13. end while
14. for (packet_id in start[packet_id])
       If (end[packet_id] is not 0)
         total_rec = total_rec + 1
         delay = delay + (end[packet_id] - start[packet_id])
       end if
15. end for
16. print Avg_delay = delay / total_rec
17. stop
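As an added example (not code from the thesis), the three metrics above implemented over a constructed old-format ns-2 wireless trace truncated after the size field; delivery ratio and delay use agent-level (AGT) records only, as the delay algorithm specifies, and the overhead counts every RTR record exactly as the page's algorithm does:

```python
# Added example: ns-2 trace metrics over a constructed (not simulated) trace.
# Old wireless trace format, kept up to the size field:
#   action time _node_ level --- pkt_id pkt_type size
TRACE_LINES = """\
s 1.000 _0_ AGT --- 0 cbr 512
r 1.000 _0_ RTR --- 0 cbr 512
s 1.001 _0_ RTR --- 1 AODV 48
s 1.002 _0_ RTR --- 0 cbr 532
r 1.040 _3_ AGT --- 0 cbr 532
s 2.000 _0_ AGT --- 2 cbr 512
r 2.000 _0_ RTR --- 2 cbr 512
s 2.001 _0_ RTR --- 2 cbr 532
s 3.000 _0_ AGT --- 4 cbr 512
r 3.000 _0_ RTR --- 4 cbr 512
s 3.001 _0_ RTR --- 4 cbr 532
r 3.060 _3_ AGT --- 4 cbr 532
""".splitlines()

def parse(line):
    a = line.split()  # "split the record into an array of elements"
    return {"action": a[0], "time": float(a[1]), "node": a[2].strip("_"),
            "level": a[3], "pkt_id": int(a[5]), "type": a[6]}

def packet_delivery_ratio(lines):
    """receive / sent over agent-level CBR records (packet 2 above is never delivered)."""
    sent = received = 0
    for rec in map(parse, lines):
        if rec["level"] != "AGT" or rec["type"] != "cbr":
            continue
        if rec["action"] == "s":
            sent += 1
        elif rec["action"] == "r":
            received += 1
    return received / sent if sent else 0.0

def routing_overhead(lines, sim_time_sec):
    """RTR-level records per simulated second, as the overhead algorithm counts them."""
    router = sum(1 for rec in map(parse, lines) if rec["level"] == "RTR")
    return router / sim_time_sec

def avg_end_to_end_delay(lines):
    """Mean of (receive time - send time) over agent-level packets that arrived."""
    start, end = {}, {}
    for rec in map(parse, lines):
        if rec["level"] != "AGT":
            continue
        (start if rec["action"] == "s" else end)[rec["pkt_id"]] = rec["time"]
    delays = [end[p] - start[p] for p in start if p in end]
    return sum(delays) / len(delays) if delays else 0.0
```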
APPENDIX NS-2 Wireless Formats
This information comes from the ns Manual [12], "Mobile Networking in ns: Trace Support" chapter, and the "trace/cmu-trace.cc" file. Wireless traces begin with one of four characters followed by one of two different trace formats, depending on whether the trace logs the X and Y coordinates of the mobile node.
Some older versions of NS2 (such as 2.1b5) have five hexadecimal values between the square braces. The first hexadecimal value is the MAC frame control information, and the remaining hexadecimal values are the same as listed above. Depending on the packet type, the trace may log additional information: