Performance Evaluation Of Co-Operative Game Theory Approach For Intrusion Detection In MANET

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 2, 2011


S. Thirumal M.C.A., M.Phil.,
Assistant Professor, Department of Computer Science,
Arignar Anna Government Arts College,
Cheyyar, Tiruvannamalai District - 604 407

Dr. V. Saravanan M.C.A., M.Phil., Ph.D.,
Professor and Director, Department of Computer Applications,
Dr. N.G.P. Institute of Technology,
Dr. N.G.P-Kallapatti Road, Coimbatore - 641 048.

Abstract—Mobile Ad hoc Network (MANET) is a collection of independent mobile nodes that can communicate with each other via radio waves. The mobile nodes that are in range of each other can communicate directly, whereas others need the aid of intermediate nodes to route their packets. These networks are fully distributed and can work at any place without the help of any infrastructure. This property makes these networks highly flexible and robust. An Intrusion Detection System (IDS) is an integral part of any Mobile Ad-hoc Network (MANET). It is very important for the IDS to function properly for the efficient functioning of a MANET. In this paper I evaluate the Co-operative game theory approach for intrusion detection in MANET by comparing it with the other existing approaches. My evaluation concentrates on intrusion in both the application layer and the network layer. The network simulator NS-2.34 is used for the simulation of the intrusions in a grid network.

I. INTRODUCTION

A mobile ad hoc network is defined as a collection of mobile platforms or nodes where each node is free to move about arbitrarily. Each node logically consists of a router that may have multiple hosts and that also may have multiple wireless communication devices. The vision of mobile ad hoc networking is to support robust and efficient operation in mobile wireless networks by incorporating routing functionality into mobile nodes. Such networks are envisioned to have dynamic, sometimes rapidly-changing, random, multi-hop topologies which are likely composed of relatively bandwidth-constrained wireless links. A MANET may be susceptible to varying degrees of intrusion that include passive eavesdropping, broadcasting of false routing information, disrupting traffic flow, etc. The nodes in the network have to cooperate in analyzing the intrusion in MANET. Thus a cooperative Intrusion Detection System as shown in Figure 1.1 is needed to detect any possible intrusions that occur in the network and generate an appropriate action.

Fig 1.1 Grid Architecture Model.

In this paper, the performance of the Cooperative Game Theory approach, which uses the Shapley value algorithm to analyze the contribution of each node in detecting the intrusion, is evaluated and compared with the Anomaly detection approach. This IDS constantly monitors the network and reports the unusual behavior of the network back to the head nodes. It detects the unusual behavior at the application layer and at the network layer; an aggregate function that computes the severity of the attack based on the values reported by the nodes is introduced. The appropriate measure is taken based on the value of the aggregation function.

Many papers have been submitted earlier on detecting and analyzing intrusions in MANET. Also some have proposed a game theoretic approach for monitoring intrusions. A few of

them are mentioned below. A Cooperative Approach for Analyzing Intrusions in Mobile Ad hoc Networks by Otrok H., Debbabi M., Assi C. and Bhattacharya P. (Concordia Univ., Montreal) considers the problem of reducing the number of false positives generated by cooperative intrusion detection systems (IDSs) in mobile ad hoc networks (MANETs). They define a flexible scheme using security classes, where an IDS is able to operate in different modes at each security class. This scheme helps in minimizing false alarms and informing the prevention system accurately about the severity of an intrusion. The Shapley value is used to formally express the cooperation among all the nodes. A Game Theoretic Formulation for Intrusion Detection in Mobile Ad Hoc Networks by Animesh Patcha and Jung-Min Park presents a game-theoretic model to analyze intrusion detection in mobile ad hoc networks. They use game theory to model the interactions between the nodes of an ad hoc network, view the interaction between an attacker and an individual node as a two-player non-cooperative game, and construct models for such a game. A Moderate to Robust Game Theoretical Model for Intrusion Detection in MANETs by Hadi Otrok formalized a nonzero-sum noncooperative game theoretical model that takes into consideration the tradeoff between security and IDS resource consumption. The game solution guides the leader-IDS to find the right moment for notifying the victim node to launch its IDS once the security risk is high enough. To achieve this goal, Bayesian game theory is used to analyze the interaction between the leader-IDS and the intruder with incomplete information about the intruder. By solving such a game, the threshold value for notifying the victim node to launch its IDS, once the probability of attack exceeds that value, can be found. Their simulation results show that the scheme can effectively reduce the IDS resource consumption without sacrificing security. Agah et al [4] suggested a game theoretic framework for defending nodes in a sensor network. Three schemes of defense are designed. In the first scheme the authors formulate the attack-defense problem as a two-player, nonzero-sum, noncooperative game between an attacker and a sensor network. It is shown that this game achieves Nash equilibrium, thus leading to a defense strategy for the network. In the second scheme they use a Markov decision process to predict the most vulnerable sensor node. In the third scheme they use an intuitive metric (node's traffic) and protect the node with the highest value of this metric. All the above work focuses on IDS in a mobile ad hoc network at the network layer, whereas the cooperative game theory approach goes one step further and tries to provide an IDS using a cross-layer approach. In my work both application layer and network layer information are considered to provide the IDS. At the application layer the grid architecture proposed by Vetriselvi et al [5] is considered, and the game theoretic approach to provide security to this architecture is included.

Existing system:

Mobile Ad hoc Networks are wireless networks that lack infrastructure and are vulnerable to attacks. Intrusion attacks are of particular interest and concern to the nodes, because they seek to render target systems inoperable. Many schemes have evolved to detect the attack, but none of them properly prevents the nodes from attack. Packet dropping: This approach is presented using estimated congestion at intermediate nodes to decide whether an intermediate node is not forwarding packets at the desired rate because of congestion or because of malicious behavior. It is unclear how statistical anomaly detection will succeed in the wireless domain, since it is a challenging one because of dynamic decentralization and a lack of concentration points where aggregated traffic can be analyzed. Selfish nodes: A cooperative enforcement mechanism based on a monitoring system, where the goal of the model is to detect selfish nodes and enforce them to cooperate. Each node keeps track of other nodes' cooperation using reputation as the cooperation metric. The system ensures that misbehaving nodes are punished by gradually stopping communication services and provides incentives for nodes, in the form of reputation, to cooperate. The reputation is calculated from information provided by other nodes involved in each operation; even then the attacking nodes cannot be stopped, and the scheme is also less stable. Anomaly detection: An anomaly may be detected with only weak evidence, because the scheme uses a single layer of cluster heads, so a global detection process is initiated for further investigation of the intrusion through a secure channel. The limitations and drawbacks of this model are performance penalties and false alarm rates. Defending nodes: In a game theoretic framework, three schemes are used for defending nodes in a sensor network. In the first scheme the authors formulate the attack-defense problem as a two-player, nonzero-sum, non-cooperative game between an attacker and a sensor network. It is shown that this game achieves Nash equilibrium, thus leading to a defense strategy for the network. In the second scheme they use a Markov decision process to predict the most vulnerable sensor node. In the third scheme they use an intuitive metric (node's traffic) and protect the node with the highest value of this metric.

II. DESIGN AND WORKING OF THE GAME THEORY BASED IDS

A. The Grid Architecture

Heterogeneity of the mobile devices can be integrated to form an infrastructure known as a grid. A grid by definition is a system that coordinates resources that are not subject to centralized control. A grid consists of three categories of nodes: Consumer Node (CN) - a node which requests a service; Service Provider Node (SPN) - a node which processes the service requested by the CN; Grid Head Node (GHN) - a node which coordinates all the nodes in its grid. The GHN is responsible for the allotment of an appropriate service provider node to a node requesting a particular service, based on parameters such as cost, service time, etc. VetriSelvi et al [5] have suggested a Grid architecture that efficiently makes use of heterogeneous resources in an ad hoc network. A trace based mobility model is used to handle the movement of the nodes. The Trace Based Mobility Model (TBMM) captures the regularity in movement as a movement pattern. The nodes that are going to communicate exchange this trace information, which provides the position of the destination and its associated stability time. With the help of the trace information as well as the resource information, the appropriate service is provided to consumer nodes.

Grid Formation and GHN Election

Any SPN has the privilege to contest for the grid head. An SPN starts sending 'Hello' messages to all the nodes within its hop limit. A hop limit is specified so as to keep a check on the number of nodes in a particular grid and also on the density of data traffic which results from this broadcasting of messages. The 'Hello' message contains the stability time of its sender and the hop count. On receiving a 'Hello' message, any SPN which currently does not have a head checks whether the sender's stability is greater than its own stability. If so, it simply stops broadcasting its own 'Hello' messages and starts broadcasting the newly received message to all the nodes in its hop limit range, after storing the stability of the sender as the 'GHN stability'. If not, it simply discards the message and continues to broadcast its own 'Hello' message. After finding the GHN, it sends a 'Grid join' message to the GHN. If an SPN is currently functioning under a grid head and receives a 'Hello' message, it checks whether the sender's stability is higher than its head's stability and, if so, starts broadcasting the newly received 'Hello' message after storing the stability as the 'GHN stability'. Any CN on receiving a 'Hello' message simply forwards it. All the nodes store the two highest stability times that they have received through 'Hello' messages. The node with the second highest stability is appointed as the 'Secondary head' of the grid. Any node which gets elected as the GHN should periodically send 'Hello' messages to all the other nodes; if it fails to do so, it is no longer considered alive by the other nodes and a reelection takes place.

Service Processing

Any SPN joining a grid submits its resource parameters (stability, position, type of service, service cost, etc.) to the GHN. A CN, while requesting a service, states the type of service required and the cost. The GHN maintains a Grid Maintenance Table (GMT), in which it stores the status of all the SPNs under it: their service parameters and their availability. On finding a suitable SPN for the service, it refers the SPN id to the requesting CN and assigns a job id to this service. The CN then sends a 'Service me' message to the allotted SPN, which in turn completes the service and sends a 'Done' message to the CN and a 'Comp' message to the GHN indicating the completion of its assigned task. The CN sends an 'ACK' message to the GHN, acknowledging that it got the service completed by the SPN. The GHN now updates the SPN's status in the GMT. However, if an appropriate SPN is unavailable at a particular instant for a CN, the GHN sends a service denial message prompting the CN to try later for the service request.

Intrusions in Application Layer

In this paper, two probable intrusions in the application layer are considered: a grid head which itself is found to be malicious, and misbehaving service provider nodes.

1) Malicious GHN: A GHN sends a service busy / service denial message to a requesting CN if it does not find a suitable SPN. The CN keeps track of the count of the BUSY messages sent by the GHN. Once it exceeds a predefined threshold limit, the CN reports a 'Bad Head' message to the secondary head. Every time a service is allotted to an SPN by the GHN, the SPN immediately sends a 'busy' message to the secondary head. Similarly, after the successful completion of the service, the CN sends a 'complete' message to the secondary head. Thus the secondary head maintains the list of SPNs which are busy. When the secondary head receives the 'Bad Head' message from a CN, it checks whether the SPNs are actually busy. If not, it generates a 'Ban' message and broadcasts it to all the nodes. On receiving this message, all the nodes discard that node, no longer have it as their GHN, and add that node's address to the list of banned nodes that they maintain, after which a reelection takes place for contention to become the new grid head.

2) Misbehaving SPN: After being allotted a specific SPN for its service, a CN sends a 'service me' message to the SPN. A malicious SPN on receiving this message does only half the service required and reports completion of the service to both the GHN and the CN. On discovering that the service was not fully completed, the CN generates a report to the GHN stating the essential parameters like the SPN's id, job id, etc. The GHN increments its report count for the particular SPN and waits till the count reaches a particular predefined limit, after which it checks the coalitions against the reported node. If it happens to be a winning coalition, the GHN adds the SPN to the list of banned nodes and broadcasts the message to all other nodes in the network.

Intrusions in Network Layer

In the network layer, two highly probable intrusions caused by malicious nodes, flooding and flow disruption, are considered. Both of these intrusions are detected by the other nodes and a coalition is formed to report the intruder.

1) Flooding attack: A malicious node starts sending innumerable route request/route discovery messages to all the other nodes exhaustively. This affects the network bandwidth adversely and paralyses the network. This is resolved by using parameters like the number of control packets expected and received. For a certain time interval, the total number of control packets received is counted and checked against the threshold limit. If it is exceeded, the GHN is notified of the possibility of the attack. The Grid Head then forms the coalition, calculates the attack value, checks whether it is a winning coalition and thereby finds an intrusion.

2) Flow disruption attack: A malicious node targets a route between a particular source and destination node and starts sending junk route discovery messages to all the nodes in that particular route. Certain nodes are randomly identified as the target nodes by the attacker nodes. These attacker nodes are a few among the nodes which route data packets from and to the target nodes. When the ACK messages for the target nodes reach the attackers, they drop the packets instead of forwarding them. This causes the route between the particular source and destination to be broken, thereby disrupting the flow between a pair of targeted nodes. After a stipulated waiting time, the target nodes report to their grid head. On receiving the report, the grid head carries out the same processing of checking for coalitions and spotting a winning coalition.
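The GHN election described under "Grid Formation and GHN Election" can be followed more easily on a concrete topology. The following simulation is an added example and not the paper's code: the chain topology, the stability times, the treatment of the hop count as a budget decremented at every forward, and the rule that an SPN rebroadcasts a 'Hello' only when it beats both its own stability and the best head stability it has stored are all assumptions made to turn the prose into a runnable model.

```python
"""Simulation of the 'Hello'-based grid head (GHN) election.
Added example, not the paper's code; topology and stability times are constructed."""
from collections import deque

# Constructed chain topology A-B-C-D-E-F: node -> (role, stability time in seconds).
NODES = {"A": ("SPN", 120), "B": ("SPN", 300), "C": ("CN", 0),
         "D": ("SPN", 210), "E": ("CN", 0), "F": ("SPN", 90)}
LINKS = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "F")}


def adjacency(links):
    """Undirected neighbour sets from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def run_election(nodes, links, hop_limit):
    """Flood 'Hello' (origin, stability, hop count) messages and return, per
    node, the (GHN, secondary head) pair it ends up with."""
    adj = adjacency(links)
    seen = {n: [] for n in nodes}          # (stability, origin) pairs this node heard
    forwarded = {n: set() for n in nodes}  # origins this node already rebroadcast
    queue = deque()
    for n, (role, stab) in nodes.items():  # every SPN contests with its own Hello
        if role == "SPN":
            seen[n].append((stab, n))
            forwarded[n].add(n)
            for nb in adj.get(n, ()):
                queue.append((nb, n, stab, 1))
    while queue:
        at, origin, stab, hops = queue.popleft()
        role, own = nodes[at]
        if origin not in {o for _, o in seen[at]}:
            seen[at].append((stab, origin))
        if origin in forwarded[at] or hops >= hop_limit:
            continue                        # the hop limit bounds the grid's reach
        if role == "SPN":
            # an SPN only rebroadcasts a Hello whose stability is greater than its
            # own and not below the best head stability stored so far; a CN always forwards
            best_head = max((s for s, o in seen[at] if o != at), default=-1)
            if stab <= own or stab < best_head:
                continue
        forwarded[at].add(origin)
        for nb in adj[at]:
            if nb != origin:
                queue.append((nb, origin, stab, hops + 1))
    result = {}
    for n, entries in seen.items():
        top = sorted(entries, reverse=True)[:2]  # each node keeps the two highest stabilities
        result[n] = (top[0][1] if top else None, top[1][1] if len(top) > 1 else None)
    return result


if __name__ == "__main__":
    for limit in (3, 4):
        print(f"hop limit {limit}:", run_election(NODES, LINKS, limit))
```

With a hop limit of 3, B's 'Hello' (stability 300) never reaches F, so F forms a separate grid under D while the rest of the chain elects B as GHN and D as secondary head; raising the hop limit to 4 lets B's message reach F and the whole chain becomes one grid. This is the trade-off the text attributes to the hop limit: a larger limit means larger grids and more broadcast traffic.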
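The "Service Processing" exchange and the "Malicious GHN" check above hinge on the secondary head being able to tell an honest BUSY reply (no suitable SPN, or all suitable SPNs busy) from a lying one. The following model is an added example, not the paper's code; the BUSY threshold of 3, the node ids, the service types, the assumption that the secondary head learns each SPN's service type from the 'Grid join' parameters, and the way a malicious head is modelled (it answers BUSY to every request) are all constructed for illustration.

```python
"""Service allotment with a secondary-head cross-check of 'Bad Head' reports.
Added example, not the paper's code; thresholds and node ids are constructed."""

BUSY_THRESHOLD = 3  # BUSY replies a CN tolerates before reporting 'Bad Head' (assumed)


class SecondaryHead:
    """Second-highest-stability node; keeps the list of SPNs that are really busy."""

    def __init__(self, spn_services):
        self.spn_services = dict(spn_services)  # spn -> service type (assumed known from 'Grid join')
        self.busy = set()
        self.banned = set()

    def on_busy(self, spn):        # 'busy' message from an allotted SPN
        self.busy.add(spn)

    def on_complete(self, spn):    # 'complete' message from the served CN
        self.busy.discard(spn)

    def on_bad_head(self, ghn, service):
        """If some SPN offering the requested service is not in the busy list, the
        head had no reason to answer BUSY: broadcast 'Ban'. Otherwise ignore the report."""
        idle = [s for s, t in self.spn_services.items()
                if t == service and s not in self.busy]
        if idle:
            self.banned.add(ghn)
            return "Ban"
        return None


class GridHead:
    def __init__(self, node_id, malicious=False):
        self.id = node_id
        self.gmt = {}               # Grid Maintenance Table: spn -> [service type, available]
        self.malicious = malicious  # constructed: a malicious head denies every request
        self.next_job = 1

    def grid_join(self, spn, service):
        self.gmt[spn] = [service, True]

    def request(self, service):
        """Reply to a CN: ('SPN', spn id, job id) or ('BUSY', None, None)."""
        free = [s for s, (t, avail) in self.gmt.items() if t == service and avail]
        if self.malicious or not free:
            return ("BUSY", None, None)
        spn, job = free[0], self.next_job
        self.next_job += 1
        self.gmt[spn][1] = False
        return ("SPN", spn, job)

    def comp(self, spn, job):       # 'Comp' from the SPN: task finished, SPN available again
        self.gmt[spn][1] = True


class Consumer:
    def __init__(self, cn_id):
        self.id = cn_id
        self.busy_count = 0

    def get_service(self, ghn, secondary, service):
        """One service request; returns a label for what happened."""
        if ghn.id in secondary.banned:
            return "Discarded"          # a banned head is no longer used as GHN
        reply, spn, job = ghn.request(service)
        if reply == "BUSY":
            self.busy_count += 1
            if self.busy_count > BUSY_THRESHOLD:
                self.busy_count = 0
                return secondary.on_bad_head(ghn.id, service) or "Bad Head"
            return "BUSY"
        secondary.on_busy(spn)          # SPN tells the secondary head it is busy
        # SPN sends 'Done' to the CN and 'Comp' to the GHN; CN sends 'ACK' to the
        # GHN and 'complete' to the secondary head
        ghn.comp(spn, job)
        secondary.on_complete(spn)
        return "Done"


def simulate(malicious, service, rounds=5):
    """Constructed grid: one head, two SPNs, one CN making `rounds` requests."""
    spns = {"S1": "storage", "S2": "compute"}
    secondary = SecondaryHead(spns)
    ghn = GridHead("H1", malicious=malicious)
    for spn, service_type in spns.items():
        ghn.grid_join(spn, service_type)
    cn = Consumer("C1")
    outcomes = [cn.get_service(ghn, secondary, service) for _ in range(rounds)]
    return outcomes, secondary.banned


if __name__ == "__main__":
    print("honest head, storage:", simulate(False, "storage"))
    print("malicious head, storage:", simulate(True, "storage"))
    print("honest head, no provider:", simulate(False, "video"))
```

The third scenario matters for the false-alarm side: the CN still raises 'Bad Head' after three denials, but since no SPN offers the requested service the secondary head finds nothing idle and does not ban the head.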
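All four intrusions above end in the same GHN step: the reporting nodes form a coalition, an attack value is aggregated from what they report, and the intrusion is declared if the coalition is a winning one. The following code is an added example, not the paper's code, using the flooding attack as the concrete input; the paper does not give the aggregate function or the winning quota, so the per-node severity (relative excess over the expected control-packet count), the quota of 2.5, the threshold of 20 packets per interval and the observed counts are all assumptions. The Shapley value of the resulting simple game is computed by exact enumeration of orderings, which is practical for the handful of reporters in one grid.

```python
"""Coalition check and Shapley-value attribution for a flooding report.
Added example, not the paper's code; severity function, quota and counts are assumed."""
import math
from fractions import Fraction
from itertools import permutations

THRESHOLD = 20  # control packets a node expects from one sender per interval (assumed)
QUOTA = 2.5     # attack value at which the reporters' coalition is 'winning' (assumed)

# Constructed observation window: route request/discovery packets each grid
# node received from the suspected node N7 during one interval.
RECEIVED_FROM_N7 = {"N1": 45, "N2": 8, "N3": 31, "N4": 22, "N5": 60, "N6": 12}


def severity(count, threshold=THRESHOLD):
    """Assumed per-node severity: relative excess over the expected count, 0 if not exceeded."""
    return max(0.0, (count - threshold) / threshold)


def collect_reporters(observations, threshold=THRESHOLD):
    """Nodes whose count exceeds the threshold notify the GHN; the coalition
    is the set of reporters together with the severity each one reports."""
    return {n: severity(c, threshold) for n, c in observations.items() if c > threshold}


def attack_value(coalition):
    """Aggregate function: here simply the sum of reported severities."""
    return sum(coalition.values())


def is_winning(coalition, quota=QUOTA):
    return attack_value(coalition) >= quota


def shapley_values(weights, quota=QUOTA):
    """Exact Shapley value of the simple game v(S) = 1 iff the severities in S
    reach the quota: each player's fraction of orderings in which it is pivotal."""
    players = list(weights)
    pivots = {p: 0 for p in players}
    for order in permutations(players):
        total = 0.0
        for p in order:
            total += weights[p]
            if total >= quota:      # p tipped the growing coalition into winning
                pivots[p] += 1
                break
    n_orders = math.factorial(len(players))
    return {p: Fraction(pivots[p], n_orders) for p in players}


def process_report(observations):
    """What the GHN does with one interval's observations about a suspect."""
    coalition = collect_reporters(observations)
    winning = is_winning(coalition)
    return {"reporters": sorted(coalition),
            "attack_value": attack_value(coalition),
            "winning": winning,
            "shapley": shapley_values(coalition) if winning else {}}


if __name__ == "__main__":
    verdict = process_report(RECEIVED_FROM_N7)
    print("reporters:", verdict["reporters"], "attack value: %.2f" % verdict["attack_value"])
    print("intrusion detected" if verdict["winning"] else "no winning coalition")
    for node, share in verdict["shapley"].items():
        print(f"  {node}: Shapley share {share}")
```

On the constructed counts, four nodes exceed the threshold and the coalition wins. The Shapley shares (N5 two thirds, N1 and N3 one sixth each, N4 zero) show that N4, which is only just over the threshold, is never pivotal, while N5 is present in every winning coalition. The paper's scheme gives every member of the winning coalition an equal share of the gain; the Shapley split is shown here because it exposes which reporters actually carried the detection.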


Fig 3.1 Block Diagram of Intrusion Detection

Simulation studies are carried out to evaluate the performance of the IDS in the grid architecture. For the simulation, the network simulator NS-2.34 is used.

NS or the network simulator (also popularly called ns-2, in reference to its current generation) is a discrete event network simulator. It is popularly used in the simulation of routing and multicast protocols, among others, and is heavily used in ad-hoc networking research. ns supports an array of popular network protocols, offering simulation results for wired and wireless networks alike. It can also be used as a limited-functionality network simulator. It is popular in academia for its extensibility (due to its open source model) and plentiful online documentation. However, modeling is a very complex task in ns-2, given the need to learn scripting, modeling, etc. NS was built in C++ and provides a simulation interface through OTcl, an object-oriented dialect of Tcl. The user describes a network topology by writing OTcl scripts, and then the main NS program simulates that topology with specified

Table 4.1 Parameters for the simulation of IDS

Number of Nodes        50
Simulation Time        500 Seconds
Terrain Dimension      (1000,1000) meters
Mobility               Random Way Point model
MAC Protocol           802.11
Routing Protocol       AODV

The performance is analyzed by increasing the number of reporters, increasing the service time, increasing the number of nodes in the Grid Cluster and also the number of

Fig 4.1 Detection Efficiency vs No. of reporters

The above graph shows the performance evaluation of the proposed scheme compared to the existing system. As the number of reporters increases, the detection efficiency also increases.

Fig 4.2 Intrusion Detected vs Service Time

The graph shows the variation in the number of intrusions detected with the increase in service time.

Fig 4.3 Detection Rate of ID in malicious SPN attack

Fig 4.4 Detection Rate of ID in flow disruption attack.

The graph in Fig 4.3 shows that the proposed scheme detects the malicious SPN attack with an efficiency rate of 0.98. The graph in Fig 4.4 shows that the proposed scheme detects the flow disruption attack with an efficiency rate of 0.91.

IV. CONCLUSION

I have tested the performance of the system in both the network layer and the application layer with the underlying grid architecture, and in both cases the results have been positive. I have analyzed the simulation results and inferred that when more nodes participate to form coalitions, there are better chances of obtaining a good winning coalition, thereby enhancing the efficiency of detecting intrusions. Also, when the number of nodes in a grid is larger, the detection time is shorter. I have also deduced that when the service time is shorter, more intrusions are detected. Also, the intrusion detection system remains efficient in detecting all attacks with a varying number of attackers. These detections are done by using the Shapley value concept of game theory. The nodes of a winning coalition are enabled to get an equal share of the total gain and hence increase their reputation. The proposed system is more efficient in detection.

REFERENCES

[1] A Cooperative Approach for Analyzing Intrusions in Mobile Ad hoc Networks by Otrok H., Debbabi M., Assi C., Bhattacharya P., Concordia Univ., Montreal, appeared in Distributed Computing Systems Workshops, 2007 (ICDCSW '07), 27th International Conference on, 22-29 June 2007.
[2] A Game Theoretic Formulation for Intrusion Detection in Mobile Ad Hoc Networks by Animesh Patcha and Jung-Min Park, published in International Journal of Network Security, Vol. 2, No. 2, pp. 131-137, Mar. 2006.
[3] A Moderate to Robust Game Theoretical Model for Intrusion Detection in MANETs by Hadi Otrok, Noman Mohammed, Lingyu Wang, Mourad Debbabi and Prabir Bhattacharya, published in IEEE International Conference on Wireless & Mobile Computing, Networking & Communication.
[4] Agah A., Das S. and Basu K., "Intrusion Detection in Sensor Networks: A Non-cooperative Game Approach", Proc. 3rd IEEE International Symposium on Network Computing and Applications, IEEE Press, 2004.
[5] VetriSelvi V., Shakir Sharfraz and Ranjani Parthasarathi (2007), "Mobile Ad Hoc Grid using Trace Based Mobility Model", Proceedings of the International Conference on Grid and Pervasive Computing (GPC2007), Springer-Verlag, LNCS 4459, France, May 2007, pp. 274-285.
[6] Xia Wang, "Intrusion Detection Techniques in Wireless Ad Hoc Networks", IEEE 2006 - Proceedings of the 30th Annual International Computer Software and Applications Conference (COMPSAC 2006).
[7] Seema Bandyopadhyay and Subhajyoti Bandyopadhyay, "A Game Theoretic Analysis on the Conditions of Cooperation in a Wireless Ad hoc Network", University of Florida, FL, USA, 2006.
