
International Journal of Computer Information Systems, Vol. 2, No. 5, 2011 (Special Issue, ISSN 2229 5208)

A Comprehensive Study on Intrusion Detection System and Its Prevalent Challenges in Mobile Ad Hoc Networks

K.P. Manikandan, HOD/MCA, Chirala Engineering College, Chirala-523157, A.P., India, +919908847047, manikandankp@yahoo.com
Dr. R. Satyaprasad, CSE Department, Achariya Nagarjuna University, Nagarjuna Nagar-522 510, India, +919848487478, profrsp@gmail.com
Dr. K. Rajasekhararao, Principal, KL University, Vadeshwaram-522502, India, +919848452344, krr_it@yahoo.co.in


Abstract: A mobile ad hoc network (MANET) is an emerging form of dynamic-topology communication because it offers anywhere, anytime connectivity. However, because of the way they are deployed, MANETs are more vulnerable to malicious attacks. Absolute security in a mobile ad hoc network is very arduous to achieve because of its fundamental characteristics, such as dynamic topology, open medium, limited power and limited bandwidth. Attack prevention measures such as authentication and encryption can be used as the first line of defense to reduce the possibility of attacks. However, these techniques are limited in what they can prevent and are designed for a set of known attacks; they are unlikely to prevent newer attacks designed to evade the existing security measures. For this reason, an efficient mechanism, an Intrusion Detection System, must be deployed to facilitate the identification and isolation of attacks. In this paper we comprehensively study and present various intrusion detection methods and the most frequent and common challenges to them in MANETs. We then suggest important directions for future research.

Keywords: IDS; Architecture of IDS; Misbehaving Nodes in MANET; Methods of IDS; Techniques of IDS

I. INTRODUCTION

Intrusion detection is a security mechanism used to identify those who are trying to break into and misuse a system without authorization, as well as those who have legitimate access to the system but misuse their privileges [3]. Intrusion detection can be defined as the process of monitoring activities in a system, which can be a computer or a network. The mechanism that performs this task is called an Intrusion Detection System (IDS). If an intrusion is detected, a response can be initiated to prevent or minimize damage to the system. Some assumptions are made in order for intrusion detection systems to work [1]. The first assumption is that user and program activities are observable. The second assumption, which is more important, is that normal and intrusive activities must have distinct behaviors, since intrusion detection must capture and analyze system activity to determine whether the system is under attack. According to the type of audit data collected, we can classify IDS into two categories [2]:

1. Host-based: It depends on the operating system audit data to analyze the events resulting from programs or users on the host. It is able to detect abnormal actions such as repeated failed access attempts and changes to system files, and it monitors real-time system usage. A host-based IDS does not depend on network bandwidth and is usually used in small networks, where each host dedicates its processing power to the task of system monitoring. Note that running this type of intrusion detection can slow down the host and shorten the life of the host battery.

2. Network-based: Generally, it runs at the switches, gateways, or routers in a wired network in order to analyze the captured packets that traverse the network hardware interfaces. A MANET, on the other hand, does not have such network elements where the IDS can collect audit data for the entire network. In a wired network, traffic is monitored on the wired network segment, while in an ad hoc network nodes can only monitor the network within their observable radio range. In contrast to a firewall, network-based intrusion detection can analyze the entire packet, not only the header. It is able to look at the payload within a packet in order to know which host application has been accessed, and to raise alerts when an adversary tries to compromise such an application. In a wired network, a network-based IDS can run as a black box to monitor the entire network.

Based on detection technique, IDS can also be classified into three categories as follows [2].

1. Anomaly detection systems: The normal profiles (or normal behaviors) of users are kept in the system. The system compares the captured data with these profiles, and then treats any activity that deviates
from the baseline as a possible intrusion by informing system administrators or initiating a proper response.

2. Misuse detection systems: The system keeps patterns (or signatures) of known attacks and uses them to compare with the captured data. Any matched pattern is treated as an intrusion. Like a virus detection system, it cannot detect new kinds of attacks.

3. Specification-based detection: The system defines a set of constraints that describe the correct operation of a program or protocol. It then monitors the execution of the program with respect to the defined constraints.

In this paper, IDS architectures in MANET have been classified so that each one is suitable for a different network infrastructure. Then different techniques for intrusion detection are investigated and compared. Further we discuss the common challenges for IDS in MANET, and finally the conclusion and future directions are given in the last section.

II. ARCHITECTURE FOR IDS IN MANETS

The network infrastructures that MANETs can be configured to are either flat or multi-layered, depending on the application. Therefore, the optimal IDS architecture for a MANET may depend on the network infrastructure itself [4]. In a flat network infrastructure, all nodes are considered equal, so it may be suitable for applications such as virtual classrooms or conferences. In a multi-layered network infrastructure, on the contrary, some nodes are considered different: nodes may be partitioned into clusters with one clusterhead for each cluster. Within a cluster, nodes can communicate directly; communication across clusters, however, must go through the clusterheads. This infrastructure might be well suited for military applications. There are four main IDS architectures for such networks [6]: 1) Standalone IDS, 2) Distributed and Collaborative IDS, 3) Hierarchical IDS, and 4) Mobile Agent for Intrusion Detection Systems.

1. In the standalone architecture, the IDS runs on each node to determine intrusions independently. There is no cooperation and no data exchanged among the IDS on the network. This architecture is more suitable for a flat network infrastructure than for a multi-layered one.

2. The distributed and collaborative architecture has a rule that every node in the MANET must participate in intrusion detection and response by having an IDS agent running on it. The IDS agent is responsible for detecting and collecting local events and data to identify possible intrusions, as well as initiating a response independently.

3. The hierarchical architecture is an extended version of the distributed and collaborative IDS architecture. This architecture proposes using multi-layered network infrastructures where the network is divided into clusters. The cluster heads in this architecture, in some sense, act as control points similar to switches, routers, or gateways in wired networks.

4. The mobile agent for IDS architecture uses mobile agents to perform specific tasks on a node's behalf for the owner of the agents. This architecture allows the distribution of the intrusion detection tasks. There are several advantages of using mobile agents for intrusion detection [5], [7].

III. MISBEHAVING NODES IN MANETS

Nodes which cause dysfunction in the network and damage other nodes are called misbehaving or critical nodes. Mobile ad hoc networks (MANETs), like other wireless networks, are liable to active and passive attacks. In passive attacks only eavesdropping on data happens, while active attacks involve operations such as repeating, modifying, or deleting data. Certain nodes in MANETs can produce attacks which cause congestion, distribute incorrect routing information, prevent services from operating properly, or disable them [13].

Nodes which perform active attacks to damage other nodes and cause disconnection in the network are called malicious or compromised nodes. Nodes which do not forward the packets they receive (conserving their battery life for their own communications) are called selfish nodes [4]. A selfish node impacts normal network operation by not participating in routing protocols or by not forwarding packets. A malicious node may use the routing protocol to announce that it has the shortest route to the destination node for the packets being sent. In this situation the node receives the packets and does not forward them; this operation is called the "blackhole" attack [1]. Malicious nodes stop the operation of a routing protocol by changing the routing information or by constructing false routing information; this operation is called the "wormhole" attack. Since two malicious nodes create a wormhole tunnel and are connected to each other through a private link, they effectively have a detour route in the network. This allows a node to create an artificial route in the current network and shorten the normal flow of routing messages in such a way that the messages are controlled by the two attackers.

Selfish nodes can severely lower the efficiency of the network since they do not readily participate in network operations. Malicious nodes can easily perform integrity attacks by changing protocol fields in order to destroy the
transportation of packets, to deny access among legitimate nodes, and can perform attacks against the routing computations. Spoofing is a special case of integrity attack in which a malicious node, due to the lack of identity verification in certain routing protocols, forges the identity of a legitimate node. The result of such an attack by malicious nodes is a forged network topology which creates network loops or partitions the network. The lack of integrity and authentication in the routing protocols allows forged or false messages [15].

If a node participates in route finding but does not forward packets, it is a misleading node and misleads other nodes; if a node does not participate in route finding at all, it is a selfish node [12].

IV. DIFFERENT METHODS FOR INTRUSION DETECTION SYSTEM

A. Distributed and Cooperative IDS

Zhang and Lee also proposed the model for a distributed and cooperative IDS shown in Figure 1 [1]. The model for an IDS agent is structured into six modules. The local data collection module collects real-time audit data, which includes system and user activities within its radio range. This collected data is analyzed by the local detection engine module for evidence of anomalies. If an anomaly is detected with strong evidence, the IDS agent can determine independently that the system is under attack and initiate a response through the local response module (i.e., alerting the local user) or the global response module (i.e., deciding on an action), depending on the type of intrusion, the type of network protocols and applications, and the certainty of the evidence. If an anomaly is detected with weak or inconclusive evidence, the IDS agent can request the cooperation of neighboring IDS agents through a cooperative detection engine module, which communicates with other agents through a secure communication module.

Figure 1: A Model for an IDS Agent

B. Local Intrusion Detection System (LIDS)

Albers et al. [8] proposed a distributed and collaborative IDS architecture using mobile agents. A Local Intrusion Detection System (LIDS) is implemented on every node for local concerns, and can be extended to global concerns by cooperating with other LIDS. Two types of data are exchanged among LIDS: security data (to obtain complementary information from collaborating nodes) and intrusion alerts (to inform others of a locally detected intrusion). In order to analyze a possible intrusion, data must be obtained from what the LIDS detects locally, along with additional information from other nodes. Other LIDS might run on different operating systems or use data from different activities such as system, application, or network activities; therefore the format of this raw data might differ, which makes it hard for a LIDS to analyze. Such difficulties can be solved by using Simple Network Management Protocol (SNMP) data located in Management Information Bases (MIBs) as the audit data source. Such a data source not only eliminates those difficulties but also avoids the additional resources otherwise needed to collect audit data, provided an SNMP agent is already running on each node. For the detection methodology, the local IDS agent can use either anomaly or misuse detection; however, the combination of the two mechanisms offers a better model. Once a local intrusion is detected, the LIDS initiates a response and informs the other nodes in the network. Upon receiving an alert, a LIDS can protect itself against the intrusion.

Figure 2: LIDS Architecture in a Mobile Node

C. Multi-Sensor Intrusion Detection

Kachirski and Guha [9] proposed a multi-sensor intrusion detection system based on mobile agent technology. The system can be divided into three main modules, each of which represents a mobile agent with certain functionality, i.e., monitoring, decision-making and initiating a response.
Figure 3: Layered Mobile Agent Architecture

- Monitoring agent: Two functions are carried out by this class of agent: network monitoring and host monitoring.

- Action agent: Every node also hosts an action agent. The action agent can initiate a response, such as terminating a process or blocking the node from the network, if it detects intrusive activity on the node where it lives.

- Decision agent: The decision agent runs only on certain nodes, mostly the nodes that run network monitoring agents. If the local detection agent cannot make a decision on its own due to insufficient evidence of an intrusion, it reports to this decision agent in order to investigate the suspected node more deeply. Since nodes move arbitrarily across the network, a static hierarchy is not suitable for such a dynamic network topology.

D. Dynamic Intrusion Detection

Sterne et al. [10] proposed a dynamic intrusion detection hierarchy that is potentially scalable to large networks using clustering. This method is similar to that of Kachirski and Guha [9], but it can be structured in more than two levels. Nodes on the first level are cluster heads, while nodes on the second level are leaf nodes. In this model, every node has the task to monitor, log, analyze, respond, and alert or report to cluster heads. The cluster heads, in addition, must also perform: 1) data fusion/integration and data filtering, 2) computations of intrusion, and 3) security management.

Figure 4: Dynamic Intrusion Detection Hierarchy

E. Zone Based IDS

B. Sun [11] proposed the Zone Based IDS (ZBIDS). In this system, the MANET is split into non-overlapping zones (zone A to zone I). The nodes can be categorized into two types: the intra-zone node and the inter-zone node (or gateway node). Each node has an IDS agent running on it. This agent is similar to the IDS agent proposed by Zhang and Lee. The other components of the system are the data collection module and detection engine, local aggregation and correlation (LACE), and global aggregation and correlation (GACE). The data collection module and the detection engine are responsible for collecting local audit data (for instance, system call activities and system log files) and analyzing the collected data for any sign of intrusion, respectively. The LACE module is responsible for combining the results of these local detection engines and generating alerts if any abnormal behavior is detected. These alerts are broadcast to other nodes within the same zone. The functionality of the GACE, however, depends on the type of the node. If the node is an intra-zone node, it only sends the generated alerts to the inter-zone nodes. If the node is an inter-zone node, it receives alerts from other intra-zone nodes, aggregates and correlates those alerts with its own alerts, and then generates alarms. The intrusion response module is responsible for handling the alarms generated by the GACE.

Figure 5: ZBIDS for MANETs

Figure 6: An IDS agent in ZBIDS
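The ZBIDS flow just described (local detection engine, LACE, zone broadcast, GACE at the gateway), together with the misuse/anomaly distinction from Section I, as an added example written for this page. It is not code from the ZBIDS paper or from any of the cited systems: node names, zone layout, signatures, thresholds and audit records are constructed assumptions.

```python
"""Constructed ZBIDS-style alert flow (added illustration, not the paper's code).

Every node runs a local detection engine over its own audit data, its LACE
module merges the findings into alerts, alerts are broadcast inside the zone
and handed to the zone gateway, and the gateway's GACE correlates alerts from
the whole zone into alarms. Signatures, thresholds and audit data are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Misuse detection: signatures of known bad events in system log lines (assumed).
SIGNATURES = {
    "repeated_auth_failure": re.compile(r"auth failure .* attempts=(\d+)"),
    "system_file_changed": re.compile(r"modified /etc/\S+"),
}
ANOMALY_RATIO = 3.0    # assumption: a syscall rate above 3x the profile is anomalous
ALARM_THRESHOLD = 2.0  # assumption: correlated score needed before GACE raises an alarm


@dataclass(frozen=True)
class Alert:
    reporter: str  # node that generated the alert
    zone: str
    kind: str      # "misuse:<signature>" or "anomaly:<measure>"
    score: float


class Node:
    def __init__(self, name, zone, gateway, profile_rate):
        self.name, self.zone = name, zone
        self.gateway = gateway            # None means this node is the zone gateway
        self.profile_rate = profile_rate  # normal syscall rate kept as the profile
        self.zone_alerts = []             # alerts broadcast by peers in the same zone
        self.gace_inbox = []              # gateway only: alerts sent by intra-zone nodes

    def detection_engine(self, log_lines, syscall_rate):
        """Analyse local audit data with misuse (signature) and anomaly detection."""
        findings = []
        for line in log_lines:
            for name, pattern in SIGNATURES.items():
                if pattern.search(line):
                    findings.append(("misuse:" + name, 1.0))
        if syscall_rate > ANOMALY_RATIO * self.profile_rate:
            # score grows with the size of the deviation from the profile
            findings.append(("anomaly:syscall_rate",
                             syscall_rate / (ANOMALY_RATIO * self.profile_rate)))
        return findings

    def lace(self, findings):
        """Local aggregation and correlation: one alert per kind of finding."""
        merged = defaultdict(float)
        for kind, score in findings:
            merged[kind] += score
        return [Alert(self.name, self.zone, k, s) for k, s in merged.items()]


def distribute_alerts(network, alerts):
    """Broadcast alerts inside the zone and hand them to the zone gateway."""
    for alert in alerts:
        for peer in network.values():
            if peer.zone == alert.zone and peer.name != alert.reporter:
                peer.zone_alerts.append(alert)
        reporter = network[alert.reporter]
        if reporter.gateway is not None:          # intra-zone node -> gateway
            network[reporter.gateway].gace_inbox.append(alert)


def gace(gateway, own_alerts):
    """Global aggregation and correlation at the gateway: alerts -> alarms."""
    by_kind = defaultdict(list)
    for alert in gateway.gace_inbox + own_alerts:
        by_kind[alert.kind].append(alert)
    alarms = {}
    for kind, alerts in by_kind.items():
        reporters = sorted({a.reporter for a in alerts})
        total = sum(a.score for a in alerts)
        # alarm when several nodes report the same kind, or one report is strong
        if len(reporters) >= 2 or total >= ALARM_THRESHOLD:
            alarms[kind] = {"reporters": reporters, "score": total}
    return alarms


def run_zone(network, audit):
    """audit: node name -> (log lines, measured syscall rate). Returns alarms per gateway."""
    own = {}
    for name, (logs, rate) in audit.items():
        node = network[name]
        own[name] = node.lace(node.detection_engine(logs, rate))
        distribute_alerts(network, own[name])
    gateways = [n for n in network.values() if n.gateway is None]
    return {g.name: gace(g, own.get(g.name, [])) for g in gateways}


def sample_run():
    """Constructed zone A: two intra-zone nodes and one gateway, profiled at 100 syscalls/s."""
    network = {
        "a1": Node("a1", "A", "gA", 100.0),
        "a2": Node("a2", "A", "gA", 100.0),
        "gA": Node("gA", "A", None, 100.0),
    }
    audit = {  # constructed audit data: (system log lines, measured syscall rate)
        "a1": (["sshd: auth failure for root attempts=7"], 90.0),
        "a2": (["integrity: modified /etc/hosts"], 1200.0),
        "gA": (["sshd: auth failure for admin attempts=5"], 110.0),
    }
    return network, run_zone(network, audit)
```

In the sample the gateway raises two alarms: the authentication-failure signature is reported by two nodes of the zone (a1 and the gateway itself), and a2's syscall rate is far above its profile; the single, weak file-change alert stays an alert and never becomes an alarm, which is the filtering role the paper assigns to the GACE.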
          V.      INTRUSION DETECTION TECHNIQUES FOR                         that it knows, the path metric can be calculated by combining
                     MISBEHAVIOR NODE IN MANETS                              the node rating together with link reliability, which is collected
                                                                             from past experience. Obtaining the path metric for all
                                                                             available paths, the pathrater can choose the path with the
     Since there is no infrastructure in mobile ad hoc networks,
                                                                             highest metric. In addition, if there is no such link reliability
each node must rely on other nodes for cooperation in routing
                                                                             information, the path metric enables the pathrater to select the
and forwarding packets to the destination. Intermediate nodes
                                                                             shortest path too. As a result, paths containing misbehaving
might agree to forward the packets but actually drop or modify
                                                                             nodes will be avoided. From the result of the simulation, the
them because they are misbehaving. There are several
                                                                             system with these two techniques is quite effective for
proposed techniques and protocols to detect such misbehavior
                                                                             choosing paths to avoid misbehaving nodes. However, those
in order to avoid those nodes, and some schemes also propose
                                                                             misbehaving nodes are not punished. In contrast, they even
punishment as well [16, 17].
                                                                             benefit from the network. In another word, they can use
                                                                             resources of the network - other nodes forward packets for
                                                                             them, while they forward packets for no one, which save their
                                                                             own resources. Therefore, misbehaving nodes are encouraged
                                                                             to continue their behaviors.

Figure 7: How watchdog works: Although node B intends to transmit a packet       B. Confidant
to node C, node A could overhear this transmission.
                                                                                 Buchegger and LeBoudec [16] proposed an extension to
     A. Watchdog and Pathrater
                                                                             DSR protocol called CONFIDANT (Cooperation Of Nodes,
                                                                             Fairness In Dynamic Ad-hoc NeT-works), which is similar to
     Two techniques were proposed by Marti, Giuli, and Baker
                                                                             Watchdog and Pathrater. Each node observes the behaviors of
[18], watchdog and pathrater, to be added on top of the
                                                                             neighbor nodes within its radio range and learns from them.
standard routing protocol in ad hoc networks. The standard is
Dynamic Source Routing protocol (DSR) [19]. A watchdog
                                                                                  This system also solves the problem of Watchdog and
identifies the misbehaving nodes by eavesdropping on the
                                                                             Pathrater such that misbehavior nodes are punished by not
transmission of the next hop. A pathrater then helps to find the
                                                                             including them in routing and not helping them on forwarding
routes that do not contain those nodes.
                                                                             packets. Moreover, when a node experiences a misbehaving
                                                                             node, it will send a warning message to other nodes in the
     In DSR, the routing information is defined at the source
                                                                             network, defined as friends, which is based on trusted
node. This routing information is passed together with the
message through intermediate nodes until it reaches the destination. Therefore, each intermediate node in the path should know who the next hop node is. In addition, listening to the next hop's transmission is possible because of a characteristic of wireless networks: if node A is within range of node B, A can overhear communication to and from B.

Figure 7 shows how the watchdog works. Assume that node S wants to send a packet to node D, where there exists a path from S to D through nodes A, B, and C. Consider now that A has already received a packet from S destined for D. The packet contains a message and routing information. When A forwards this packet to B, A also keeps a copy of the packet in its buffer. Then, it promiscuously listens to the transmission of B to make sure that B forwards to C. If the packet overheard from B (represented by a dashed line) matches that stored in the buffer, it means that B really forwards to the next hop (represented as a solid line). A then removes the packet from the buffer. However, if there is no matching packet after a certain time, the watchdog increments the failure counter for node B. If this counter exceeds the threshold, A concludes that B is misbehaving and reports to the source node S.

Pathrater performs the calculation of the “path metric” for each path. By keeping the rating of every node in the network

relationship.

The process of how they work can be divided into two parts: the process to handle the node's own observations and the process to handle reports from trusted nodes.

From observations: The monitor uses a “neighborhood watch” to detect any malicious behavior within its radio range, e.g., no forwarding, unusually frequent route updates, etc. (This is similar to the watchdog in the previous scheme.) If a suspicious event is detected, the monitor then reports to the reputation system. At this point, the reputation system performs several checks and updates the rating of the reported node in the reputation table. If the rating result is unacceptable, it passes the information to the path manager, which then removes all paths containing the misbehaving node. An ALARM message is also sent by the trust manager to warn other nodes that it considers as friends.

From trusted nodes: When the monitor receives an ALARM message from its friends, the message will first be evaluated by the trust manager for the trustworthiness of the source node. If the message is trustworthy, this ALARM message, together with the
level of trust, will be stored in the alarm table. All ALARM messages about the reported node will then be combined to see if there is enough evidence to identify it as malicious. If so, the information will be sent to the reputation system, which then performs the same functions as described in the previous paragraph.

Since this protocol allows nodes in the network to send alarm messages to each other, it could give more opportunities for attackers to send false alarm messages claiming that a node is misbehaving while it actually is not. This is one form of denial-of-service attack.

C. Core

Michiardi and Molva [17] presented a technique to detect a specific type of misbehaving node, the selfish node, and also to force such nodes to cooperate. Similar to those in Sections A and B, this technique is based on a monitoring system and a reputation system, which includes both direct and indirect reputation, as will be described shortly.

As nodes sometimes misbehave unintentionally, for example when the battery is low, such nodes should not be considered misbehaving nodes and excluded from the network. To do this, the reputation should be rated based on past reputation, which is zero (neutral) at the beginning. In addition, participation in the network can be categorized into several functions such as route discovery (in DSR) or forwarding packets. Each of these activities has a different level of effect on the network; for example, forwarding packets has more effect on the performance of the system than route discovery does. Therefore, a significance weight for each function should be used in the calculation of the reputation. Like CONFIDANT, each node can receive reports from other nodes. However, the difference is that CORE allows only positive reports to be passed, while negative reports are passed in CONFIDANT. In other words, CORE prevents false accusation and thus also prevents the denial-of-service attack that CONFIDANT cannot prevent. A negative rating is given to a node only from direct observation, when the node does not cooperate, which results in a decreased reputation for that node. A positive rating, in contrast, is given both from direct observation and from positive reports from other nodes, which results in an increased reputation. CORE can then be said to have two components, the watchdog system and the reputation system. The watchdog modules, one for each function, work the same way as in the previous two schemes. The reputation system maintains several reputation tables, one for each function and one for the accumulated values for each node. Therefore, if there is a request from a node with a bad reputation (the overall reputation is negative), the node will be rejected and will not be able to use the network.

D. Ocean

Bansal and Baker [20] also proposed an extension on top of the DSR protocol called OCEAN (Observation-based Cooperation Enforcement in Ad hoc Networks). OCEAN also uses a monitoring system and a reputation system. However, in contrast to the previous approaches, OCEAN relies only on its own observations, to avoid the new vulnerability of false accusation that comes with second-hand reputation exchanges. Therefore, OCEAN can be considered a stand-alone architecture. OCEAN categorizes routing misbehavior into two types: misleading and selfish. If a node has participated in route discovery but not in packet forwarding, this is considered misleading, as it misleads other nodes into routing packets through it. But if a node does not even participate in route discovery, it is considered selfish.

In order to detect and mitigate misleading routing behavior, after a node forwards a packet to a neighbor, it buffers the packet checksum and monitors whether the neighbor attempts to forward the packet within a given time. Then, a negative or positive event is produced as the result of the monitoring to update the neighbor's rating. If the rating falls below the faulty threshold, that neighbor node is added to a faulty list, which is carried in the RREQ as an avoid-list. In addition, all traffic from the faulty neighbor node will be rejected. Nonetheless, a faulty timeout is used to allow the faulty node to rejoin the network in case it was falsely accused or it behaves better.

Each node also has a mechanism for maintaining chip counts for each neighbor to mitigate selfish behavior. A neighbor node earns chips when forwarding a packet on behalf of the node and loses chips when asking the node to forward a packet. If the chip count of the neighbor is below the threshold, packets coming from that neighbor will be denied.

V. CONCLUSION AND FUTURE DIRECTIONS

As the use of mobile ad hoc networks (MANETs) has increased, security in MANETs has become of paramount importance. Given the nature of mobile ad hoc networks, almost all intrusion detection systems (IDSs) for them are structured to be distributed and have a cooperative architecture. The number of new attacks is likely to increase quickly, and those attacks should be detected before they can do any harm to the systems or data. These features present new challenges for intrusion detection techniques and, as such, achieving security in an ad hoc network is more difficult than in wired networks. In this study paper, we briefly explained the various intrusion detection methods and also analyzed some challenges and problems of intrusion detection in MANETs. There is an utmost need for a general foundation for all intrusion detection and supporting activities that can adapt to dynamic network conditions. These activities include detecting all types of attack on MANETs; collecting
and correlating intrusion events; responding to intrusions; and managing intrusion detection and all related functions to cater for secure communication.

REFERENCES

[1] Y. Zhang, W. Lee, and Y. Huang, “Intrusion Detection Techniques for Mobile Wireless Networks,” ACM/Kluwer Wireless Networks Journal (ACM WINET), Vol. 9, No. 5, September 2003.

[2] A. Mishra, K. Nadkarni, and A. Patcha, “Intrusion Detection in Wireless Ad Hoc Networks,” IEEE Wireless Communications, Vol. 11, Issue 1, pp. 48-60, February 2004.

[3] Marjan Kuchaki Rafsanjani, Ali Movaghar, and Faroukh Koroupi, “Investigating Intrusion Detection Systems in MANET and Comparing IDSs for Detecting Misbehaving Nodes,” World Academy of Science, Engineering and Technology, 44, 2008.

[4] P. Brutch and C. Ko, “Challenges in Intrusion Detection for Wireless Ad-hoc Networks,” Proceedings of 2003 Symposium on Applications and the Internet Workshop, pp. 368-373, January 2003.

[5] C. Krugel and T. Toth, “Applying mobile agent technology to intrusion detection,” ICSE Workshop on Software Engineering and Mobility, 2001.

[6] T. Anantvalee and J. Wu, “A Survey on Intrusion Detection in Mobile Ad Hoc Networks,” Wireless Network Security, Springer, pp. 170-196, ISBN 978-0-387-28040-0, 2007.

[7] A. J. Menezes, S. A. Vanstone, and P. C. Van Oorschot, “Handbook of Applied Cryptography,” CRC Press, Inc., USA, 2001.

[8] P. Albers, O. Camp, et al., “Security in Ad Hoc Networks: a General Intrusion Detection Architecture Enhancing Trust Based Approaches,” Proceedings of the 1st International Workshop on Wireless Information Systems (WIS-2002), pp. 1-12, April 2002.

[9] O. Kachirski and R. Guha, “Effective Intrusion Detection Using Multiple Sensors in Wireless Ad Hoc Networks,” Proceedings of the 36th Hawaii International Conference on System Sciences (HICSS'03), IEEE, 2003.

[10] D. Sterne, P. Balasubramanyam, et al., “A General Cooperative Intrusion Detection Architecture for MANETs,” Proceedings of the 3rd IEEE International Workshop on Information Assurance (IWIA'05), pp. 57-70, 2005.

[11] B. Sun, K. Wu, and U. W. Pooch, “Alert Aggregation in Mobile Ad Hoc Networks,” The 2003 ACM Workshop on Wireless Security in conjunction with the 9th Annual International Conference on Mobile Computing and Networking (MobiCom'03), pp. 69-78, 2003.

[12] Y. Xiao, X. Shen, and D. Z. Du, Wireless/Mobile Network Security, Springer, 2006, Ch. 7.

[13] A. Karygiannis, E. Antonakakis, and A. Apostolopoulos, “Detecting critical nodes for MANET intrusion detection systems,” Proc. 2nd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, 2006.

[14] L. Blazevic, L. Buttyan, S. Capkun, S. Giordano, J. Hubaux, and J. Le Boudec, “Self-organization in mobile ad-hoc networks: the approach of terminodes,” IEEE Communications Magazine, vol. 39, no. 6, pp. 166-174, 2001.

[15] M. K. Rafsanjani and A. Movaghar, “Identifying monitoring nodes in MANET by detecting unauthorized and malicious nodes,” Proc. 3rd IEEE Int. Symposium on Information Technology (ITSIM'08), August 2008, pp. 2798-2804.

[16] S. Buchegger and J. Le Boudec, “Performance Analysis of the CONFIDANT Protocol (Cooperation Of Nodes - Fairness In Dynamic Ad-hoc NeTworks),” Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc'02), pp. 226-336, June 2002.

[17] P. Michiardi and R. Molva, “Core: A Collaborative Reputation mechanism to enforce node cooperation in Mobile Ad Hoc Networks,” Communication and Multimedia Security Conference (CMS'02), September 2002.

[18] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks,” Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (MobiCom'00), pp. 255-265, August 2000.

[19] D. B. Johnson and D. A. Maltz, “The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks (Internet-Draft),” Mobile Ad-hoc Network (MANET) Working Group, IETF, October 1999.

[20] S. Bansal and M. Baker, “Observation-Based Cooperation Enforcement in Ad hoc Networks,” Research Report cs.NI/0307012, Stanford University, 2003.
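As an added illustration of the watchdog and neighbor-rating logic discussed in Sections A and D above (buffered checksum, forwarding timeout, positive and negative events, faulty threshold, RREQ avoid-list and faulty timeout), here is a Python sketch; it is not code from the paper or from the OCEAN authors, and its step sizes, thresholds, timeouts and the reset to a neutral rating on rejoin are assumed values.

```python
import hashlib
from dataclasses import dataclass, field

# Illustrative parameters: the paper names the thresholds but gives no values.
POSITIVE_STEP = 1       # rating change when the forward is overheard in time
NEGATIVE_STEP = -2      # rating change when it is not
FAULTY_THRESHOLD = -4   # rating below this puts the neighbor on the faulty list
FORWARD_TIMEOUT = 1.0   # seconds a buffered checksum waits for the overheard copy
FAULTY_TIMEOUT = 30.0   # seconds after which a faulty neighbor may rejoin

def checksum(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()  # buffered instead of the packet

@dataclass
class Monitor:
    """One node's OCEAN-style watchdog and rating state for its neighbors."""
    ratings: dict = field(default_factory=dict)       # neighbor -> rating
    pending: dict = field(default_factory=dict)       # (neighbor, checksum) -> deadline
    faulty_until: dict = field(default_factory=dict)  # neighbor -> rejoin time

    def forwarded(self, neighbor: str, payload: bytes, now: float) -> None:
        """We handed `payload` to `neighbor`; remember its checksum and deadline."""
        self.pending[(neighbor, checksum(payload))] = now + FORWARD_TIMEOUT

    def overheard(self, neighbor: str, payload: bytes, now: float) -> None:
        """We overheard `neighbor` transmit `payload` (promiscuous listening)."""
        deadline = self.pending.pop((neighbor, checksum(payload)), None)
        if deadline is None:
            return  # not a packet we were watching
        self._rate(neighbor, POSITIVE_STEP if now <= deadline else NEGATIVE_STEP, now)

    def tick(self, now: float) -> None:
        """Expire overdue checksums (negative events) and served faulty timeouts."""
        for key, deadline in list(self.pending.items()):
            if now > deadline:
                del self.pending[key]
                self._rate(key[0], NEGATIVE_STEP, now)
        for neighbor, rejoin in list(self.faulty_until.items()):
            if now >= rejoin:  # faulty timeout: a possibly falsely accused node
                del self.faulty_until[neighbor]  # rejoins with a neutral rating
                self.ratings[neighbor] = 0  # (reset-to-zero is an assumption)

    def _rate(self, neighbor: str, delta: int, now: float) -> None:
        self.ratings[neighbor] = self.ratings.get(neighbor, 0) + delta
        if self.ratings[neighbor] < FAULTY_THRESHOLD and neighbor not in self.faulty_until:
            self.faulty_until[neighbor] = now + FAULTY_TIMEOUT

    def avoid_list(self, now: float) -> list:
        """Faulty neighbors to carry in the RREQ avoid-list; their traffic is rejected too."""
        return sorted(n for n, t in self.faulty_until.items() if now < t)
```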

								