Performance Evaluation Of Co-Operative Game Theory Approach For Intrusion Detection In MANET
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 2, 2011
http://sites.google.com/site/ijcsis/ ISSN 1947-5500

S. Thirumal M.C.A., M.Phil.
Assistant Professor, Department of Computer Science,
Arignar Anna Government Arts College, Cheyyar, Tiruvannamalai District - 604 407

Dr. V. Saravanan M.C.A., M.Phil., Ph.D.
Professor and Director, Department of Computer Applications,
Dr. N.G.P Institute of Technology, Dr. N.G.P-Kallapatti Road, Coimbatore - 641 048

firstname.lastname@example.org

Abstract—A Mobile Ad hoc Network (MANET) is a collection of independent mobile nodes that can communicate with each other via radio waves. The mobile nodes that are in range of each other can communicate directly, whereas others need the aid of intermediate nodes to route their packets. These networks are fully distributed and can work at any place without the help of any infrastructure. This property makes these networks highly flexible and robust. An Intrusion Detection System (IDS) is an integral part of any Mobile Ad hoc Network (MANET). It is very important for the IDS to function properly for the efficient functioning of a MANET. In this paper I evaluate the co-operative game theory approach for intrusion detection in MANET by comparing it with the other existing approaches. My evaluation concentrates on intrusion in both the application layer and the network layer. The network simulator NS-2.34 is used for the simulation of the intrusions in a grid network.

I. INTRODUCTION

A mobile ad hoc network is defined as a collection of mobile platforms or nodes where each node is free to move about arbitrarily. Each node logically consists of a router that may have multiple hosts and that also may have multiple wireless communication devices. The vision of mobile ad hoc networking is to support robust and efficient operation in mobile wireless networks by incorporating routing functionality into mobile nodes. Such networks are envisioned to have dynamic, sometimes rapidly changing, random, multi-hop topologies which are likely composed of relatively bandwidth-constrained wireless links. A MANET may be susceptible to varying degrees of intrusion that include passive eavesdropping, broadcasting of false routing information, disrupting traffic flow, etc. The nodes in the network have to cooperate in analyzing the intrusion in the MANET. Thus a co-operative Intrusion Detection System as shown in Figure 1.1 is needed to detect any possible intrusions that occur in the network and generate an appropriate action.

[Fig 1.1 Grid Architecture Model]

In this paper, the performance of the Cooperative Game Theory approach, which uses the Shapley value algorithm to analyze the contribution of each node in detecting the intrusion, is evaluated and compared with the anomaly detection approach. This IDS will constantly monitor the network and report the unusual behavior of the network back to the head nodes. It will detect the unusual behavior at the application layer and at the network layer. An aggregate function that computes the severity of the attack based on the values reported by the nodes is introduced. The appropriate measure is taken based on the value of the aggregation function.

Many papers have been submitted earlier on detecting and analyzing intrusions in MANET. Some have also proposed a game theoretic approach for monitoring intrusions. A few of them are mentioned below.

A Cooperative Approach for Analyzing Intrusions in Mobile Ad hoc Networks by Otrok, H., Debbabi, M., Assi, C. and Bhattacharya, P. (Concordia Univ., Montreal) considers the problem of reducing the number of false positives generated by cooperative intrusion detection systems (IDSs) in mobile ad hoc networks (MANETs). They define a flexible scheme using security classes, where an IDS is able to operate in different modes at each security class. This scheme helps in minimizing false alarms and informing the prevention system accurately about the severity of an intrusion. The Shapley value is used to formally express the cooperation among all the nodes.

A Game Theoretic Formulation for Intrusion Detection in Mobile Ad Hoc Networks by Animesh Patcha and Jung-Min Park presents a game-theoretic model to analyze intrusion detection in mobile ad hoc networks. The authors use game theory to model the interactions between the nodes of an ad hoc network. They view the interaction between an attacker and an individual node as a two-player non-cooperative game, and construct models for such a game.

A Moderate to Robust Game Theoretical Model for Intrusion Detection in MANETs by Hadi Otrok formalized a nonzero-sum noncooperative game theoretical model that takes into consideration the tradeoff between security and IDS resource consumption. The game solution guides the leader-IDS to find the right moment for notifying the victim node to launch its IDS once the security risk is high enough. To achieve this goal, Bayesian game theory is used to analyze the interaction between the leader-IDS and the intruder with incomplete information about the intruder. By solving such a game, the authors are able to find the threshold value for notifying the victim node to launch its IDS once the probability of attack exceeds that value. Their simulation results show that the scheme can effectively reduce the IDS resource consumption without sacrificing security.

Agah et al suggested a game theoretic framework for defending nodes in a sensor network. Three schemes of defense are designed. In the first scheme the authors formulate the attack-defense problem as a two-player, nonzero-sum, noncooperative game between an attacker and a sensor network. It is shown that this game achieves Nash equilibrium, thus leading to a defense strategy for the network. In the second scheme they use a Markov decision process to predict the most vulnerable sensor node. In the third scheme they use an intuitive metric (the node's traffic) and protect the node with the highest value of this metric.

All the above work focuses on IDS in a mobile ad hoc network at the network layer, whereas the cooperative game theory approach goes one step further and tries to provide an IDS using a cross-layer approach. In my work both application layer and network layer information are considered to provide the IDS. At the application layer a grid architecture proposed by Vetriselvi et al is considered, and the game theoretic approach to provide security to this architecture is included.

Existing system:

Mobile ad hoc networks are wireless networks that lack infrastructure. They are vulnerable to attacks. Intrusion attacks are of particular interest and concern to the nodes, because they seek to render target systems inoperable. Many schemes have evolved to detect the attack, but the nodes cannot be properly protected from attack.

Packet dropping: This approach is presented using estimated congestion at intermediate nodes to decide whether the intermediate node is not forwarding packets at the desired rate because of congestion or because of malicious behavior. It is unclear how statistical anomaly detection will succeed in the wireless domain, since it is a challenging one because of dynamic decentralization and a lack of concentration points where aggregated traffic can be analyzed.

Selfish nodes: The cooperative enforcement mechanism is based on a monitoring system, where the goal of the model is to detect selfish nodes and force them to cooperate. Each node keeps track of other nodes' cooperation using reputation as the cooperation metric. The system ensures that misbehaving nodes are punished by gradually stopping communication services and provides incentives for nodes, in the form of reputation, to cooperate. Reputation is calculated from information provided by other nodes involved in each operation. Even so, the attack nodes cannot be stopped, and the scheme is also less stable.

Anomaly detection: If an anomaly is detected with weak evidence, because the scheme uses a single layer of cluster heads, a global detection process is initiated for further investigation of the intrusion through a secure channel. The limitations and drawbacks of this model are performance penalties and false alarm rates.

Defending node: In a game theoretic framework for defending nodes, three schemes are used in a sensor network. In the first scheme the authors formulate the attack-defense problem as a two-player, nonzero-sum, noncooperative game between an attacker and a sensor network. It is shown that this game achieves Nash equilibrium, thus leading to a defense strategy for the network. In the second scheme they use a Markov decision process to predict the most vulnerable sensor node. In the third scheme they use an intuitive metric (the node's traffic) and protect the node with the highest value of this metric.

II. DESIGN AND WORKING OF THE GAME THEORY BASED IDS

A. The Grid Architecture

Heterogeneous mobile devices can be integrated to form an infrastructure known as a grid. A grid by definition is a system that coordinates resources that are not subject to centralized control. A grid consists of three categories of nodes:

Consumer node (CN): node which requests a service.
Service Provider node (SPN): node which processes the service requested by the CN.
Grid Head node (GHN): node which coordinates all the nodes in its grid.

The GHN is responsible for the allotment of an appropriate service provider node to a node requesting a particular service, based on parameters such as cost, service time, etc. VetriSelvi et al have suggested a grid architecture that efficiently makes use of heterogeneous resources in an ad hoc network. A trace based mobility model is used to handle the movement of the nodes. The Trace Based Mobility Model (TBMM) captures the regularity in movement as a movement pattern. The nodes that are going to communicate exchange this trace information, which provides the position of the destination and its associated stability time. With the help of the trace information as well as the resource information, appropriate service is provided to consumer nodes.

Grid Formation and GHN Election

Any SPN has the privilege to contest for the grid head. An SPN starts sending ‘Hello’ messages to all the nodes within its hop limit. A hop limit is specified so as to keep a check on the number of nodes in a particular grid and also on the density of data traffic that results from this broadcasting of messages. The ‘Hello’ message contains the stability time of its sender and the hop count. On receiving a ‘Hello’ message, any SPN which currently does not have a head checks if the sender’s stability is greater than its own stability. If that is the case, it simply stops broadcasting its own ‘Hello’ messages and starts broadcasting the newly received message to all the nodes in its hop limit range, after storing the stability of the sender as the ‘GHN stability’. If not, it simply discards the message and continues to broadcast its own ‘Hello’ message. After finding the GHN, it sends a ‘Grid join’ message to the GHN. If an SPN is currently functioning under a grid head and receives a ‘Hello’ message, it checks whether the sender’s stability is higher than its head’s stability and, if true, it starts broadcasting the newly received ‘Hello’ message after storing the stability as the ‘GHN stability’. Any CN on receiving a ‘Hello’ message simply forwards it. All the nodes store the two highest stability times that they have received through ‘Hello’ messages. The node with the second highest stability is appointed as the ‘Secondary head’ of the grid. Any node which gets elected as the GHN should periodically send ‘Hello’ messages to all the other nodes; if it fails to do so, it is not considered to be alive by the other nodes and a reelection takes place.

Service Processing

Any SPN joining a grid submits resource parameters, stability, position, type of service, service cost, etc. to the GHN. A CN, while requesting a service, states the type of service required and the cost. The GHN maintains a Grid Maintenance Table (GMT), in which it stores the status of all the SPNs under it: their service parameters and their availability. On finding a suitable SPN for the service, it refers the SPN id to the requesting CN and assigns a job id to this service. The CN then sends a ‘Service me’ message to the allotted SPN, which in turn completes the service and sends a ‘Done’ message to the CN and a ‘Comp’ message to the GHN indicating the completion of its assigned task. The CN sends an ‘ACK’ message to the GHN, acknowledging that it got the service completed by the SPN. The GHN now updates the SPN’s status in the GMT. However, if an appropriate SPN is unavailable at a particular instant for a CN, the GHN sends a service denial message prompting the CN to try the service request later.

Intrusions in Application Layer

In the paper, two probable intrusions in the application layer are considered: a grid head which itself is found to be malicious, and misbehaving service provider nodes.

1) Malicious GHN: A GHN sends a service busy / service denial message to a requesting CN if it does not find a suitable SPN. The CN keeps track of the count of the BUSY messages sent by the GHN. Once it exceeds a predefined threshold limit, the CN reports a ‘Bad Head’ message to the secondary head. Every time a service is allotted to an SPN by the GHN, the SPN immediately sends a ‘busy’ message to the secondary head. Similarly, after the successful completion of service, the CN sends a ‘complete’ message to the secondary head. Thus the secondary head maintains the list of SPNs which are busy. When the secondary head receives the ‘Bad Head’ message from a CN, it checks if the SPNs are actually busy. If not, it generates a ‘Ban’ message and broadcasts it to all the nodes. On receiving this message, all the nodes discard that node, no longer have it as their GHN, and add that node’s address to a list of banned nodes that they maintain, after which a reelection takes place to contend for the new grid head.

2) Misbehaving SPN: After being allotted a specific SPN for its service, a CN sends a ‘service me’ message to the SPN. A malicious SPN on receiving this message does only half the service required and reports completion of the service to both the GHN and the CN. On discovering that the service was not fully completed, the SPN generates a report to the GHN stating the essential parameters like the SPN’s id, job id, etc. The GHN increments its report count for the particular SPN and waits till the count reaches a particular predefined limit, after which it checks the coalitions against the reported node. If it happens to be a winning coalition, the GHN adds the SPN to the list of banned nodes and broadcasts the message to all other nodes in the network.

Intrusions in Network Layer

In the network layer, two highly probable intrusions caused by malicious nodes are proposed: flooding and flow disruption. Both of these intrusions are detected by the other nodes and a coalition is formed to report the intruder.

1) Flooding attack: A malicious node starts sending innumerable route request/route discovery messages to all the other nodes exhaustively. This affects the network bandwidth adversely and paralyses the network. This is resolved by using parameters like the number of control packets expected and received. For a certain time interval, the total number of control packets received is counted and checked against the threshold limit. If it is exceeded, the GHN is notified of the possibility of the attack. The grid head then forms the coalition, calculates the attack value, checks whether it is a winning coalition and finds an intrusion.

2) Flow disruption attack: A malicious node targets a route between a particular source and destination node and starts sending junk route discovery messages to all the nodes in that particular route. Certain nodes are randomly identified as the target nodes by the attacker nodes. These attacker nodes are a few among the nodes which route data packets from and to the target nodes. When the ACK messages for the target nodes reach the attackers, they drop the packets instead of forwarding them. This causes the route between the particular source and destination to be broken, thereby disrupting the flow between a pair of targeted nodes. After a stipulated waiting time, the target nodes report to their grid head. On receiving the report, the grid head carries out the similar processing of checking for coalitions and spotting a winning coalition.

[Fig 3.1 Block Diagram of Intrusion Detection System]

III. PERFORMANCE EVALUATION WITH SIMULATION

Simulation studies are carried out to evaluate the performance of the IDS in the grid architecture. For simulation the network simulator NS-2.34 is used.

NS, or the network simulator (also popularly called ns-2, in reference to its current generation), is a discrete event network simulator. It is popularly used in the simulation of routing and multicast protocols, among others, and is heavily used in ad hoc networking research. ns supports an array of popular network protocols, offering simulation results for wired and wireless networks alike. It can also be used as a limited-functionality network simulator. It is popular in academia for its extensibility (due to its open source model) and plentiful online documentation. However, modeling is a very complex task in ns-2, given the need to learn scripting, modeling etc. NS was built in C++ and provides a simulation interface through OTcl, an object-oriented dialect of Tcl. The user describes a network topology by writing OTcl scripts, and then the main NS program simulates that topology with specified parameters.

Table 4.1 Parameters for the simulation of IDS

Number of Nodes: 50
Simulation Time: 500 Seconds
Terrain Dimension: (1000,1000) meters
Mobility: Random Way Point model
Mac-Protocol: 802.11
Routing Protocols: AODV

The performance is analyzed by increasing the number of reporters, increasing the service time, increasing the number of nodes in the grid cluster and also the number of attackers.

[Fig 4.1 Detection Efficiency vs No. of reporters]

The above graph shows the performance evaluation of our proposed scheme compared to the existing system. When the number of reporters increases, the detection efficiency also increases.

[Fig 4.2 Intrusion Detected vs Service Time]

The graph shows the variation in the number of intrusions detected with the increase in service time.

[Fig 4.3 Detection Rate of ID in malicious SPN attack]

[Fig 4.4 Detection Rate of ID in flow disruption attack]

Graph 4.3 above shows that our proposed scheme detects at a 0.98 efficiency rate in the malicious SPN attack. Graph 4.4 shows that our proposed scheme detects at a 0.91 efficiency rate in the flow disruption attack.

IV. CONCLUSION

I have tested the performance of our system in both the network layer and the application layer with the underlying grid architecture, and in both cases the results have been positive. I have analyzed the simulation results and inferred that when more nodes participate in forming coalitions, there are better chances of obtaining a good winning coalition, thereby enhancing the efficiency of detecting intrusions. Also, when the number of nodes in a grid is larger, the detection time is lesser. I have also deduced that when the service time is lesser, there are more intrusions detected. Intrusion detection systems also remain efficient in detecting all attacks with a varying number of attackers. These detections are done by using the Shapley value concept of game theory. The nodes of a winning coalition are enabled to get an equal share of the total gain and hence increase their reputation. Our proposed system is more efficient in detection.

REFERENCES

[1] A Cooperative Approach for Analyzing Intrusions in Mobile Ad hoc Networks by Otrok, H., Debbabi, M., Assi, C., Bhattacharya, P., Concordia Univ., Montreal, appeared in Distributed Computing Systems Workshops, 2007. ICDCSW '07. 27th International Conference on, 22-29 June 2007. Issue Date: 22-29 June 2007.
[2] A Game Theoretic Formulation for Intrusion Detection in Mobile Ad Hoc Networks by Animesh Patcha and Jung-Min Park, published in International Journal of Network Security, Vol. 2, No. 2, pp. 131–137, Mar. 2006.
[3] A Moderate to Robust Game Theoretical Model for Intrusion Detection in MANETs by Hadi Otrok, Noman Mohammed, Lingyu Wang, Mourad Debbabi and Prabir Bhattacharya, published in IEEE International Conference on Wireless & Mobile Computing, Networking & Communication.
[4] Agah. A, Das. S and Basu. K, “Intrusion Detection in Sensor Networks: A Non-cooperative Game Approach”, Proc. 3rd IEEE International Symposium on Network Computing and Applications, IEEE Press, 2004.
[5] VetriSelvi V, Shakir Sharfraz and Ranjani Parthasarathi (2007), “Mobile Ad Hoc Grid using Trace Based Mobility Model”, Proceedings of the International Conference on Grid and Pervasive Computing (GPC2007), Publisher: Springer-Verlag, LNCS 4459, France, May 2007, pp. 274-285.
[6] Xia Wang, “Intrusion Detection Techniques in Wireless Ad Hoc Networks”, IEEE 2006 - Proceedings of the 30th Annual International Computer Software and Applications Conference (COMPSAC'2006).
[7] Seema Bandyopadhyay and Subhajyoti Bandyopadhyay, “A Game Theoretic Analysis on the conditions of cooperation in a Wireless Ad hoc Network”, University of Florida, FL, USA, 2006.