Figure 1. Time-based operation of AIDP.

Transcription

1 Adaptve Intruson Detecton & Preventon of Denal of Servce attacs n MANETs Adnan Nadeem Centre for Communcaton Systems Research Unversty of Surrey, UK [email protected] ABSTRACT Moble ad-hoc networs (MANETs) are well nown to be vulnerable to varous attacs, due to features such as lac of centralzed control, dynamc topology, lmted physcal securty and energy constraned operatons. In ths paper we focus on preventng denal-of-servce (DoS) attacs. As an example, we consder ntruders that can cause DoS by explotng the route dscovery procedure of reactve routng protocols. We show the unsutablty of tools such as control chart, used n statstcal process control (SPC), to detect DoS and propose an anomaly-based ntruson detecton system that uses a combnaton of ch-square test & control chart to frst detect ntruson and then dentfy an ntruder. When the ntruder s solated from the networ we show reduced overhead and ncreased throughput. Smulaton results show that AIDP performs well at an affordable processng overhead over the range of scenaros tested. Categores and Subject Descrptors D. [Computer-Communcaton Networs]: Wreless communcaton, Securty and protecton. General Terms Securty, Algorthms. Keywords Ad-hoc networ securty, ntruson detecton & preventon.. INTRODUCTION MANETs have a decentralzed archtecture and lac of centralzed control; consequently, mechansms that enforce securty present a partcular challenge. In fxed networs, ntruson detecton and preventon (IDP) [] acts as a second layer of defence beyond a frewall; whereas n MANETs IDP becomes the front lne of defence to protect nodes from attacs. There are two ID technques nown as msuse-based ntruson detecton (MBID) and anomaly-based ntruson detecton (ABID). MBID mantans a nowledge base contanng sgnatures or patterns of nown attacs and loos for these patterns n an attempt to detect them. MBID has a potentally low false detecton rate but t can only detect attacs whose sgnatures are n the database. On the other hand ABID can flag observed actvtes that devate sgnfcantly from the establshed normal profle. ABID not only provdes early warnngs of potental ntrusons but also can detect attempts to explot new and unforeseen vulnerabltes; however t s more prone to generate false postves than MBID. Routng protocols n MANETs are generally classfed as ether proactve or reactve. Proactve routng protocols such as DSDV and Mchael Howarth Centre for Communcaton Systems Research Unversty of Surrey, UK [email protected] WRP are not effcent because of ther routng traffc overhead and therefore reactve routng protocols such as AODV and DSR are most frequently used n MANETs. However, both AODV and DSR operate on the assumpton that all nodes n the networ can trust each other and there are no malcous ntruder nodes. Ths s not true n all cases, and therefore we beleve that there s a need to use an IDP system to provde secure routng n MANETs. In ths paper we llustrate how ntruders can explot the route dscovery procedure of reactve routng protocol to cause certan DoS attacs n MANET. We then loo at the detecton of DoS; we assess control chart, a tool used n statstcal process control (SPC)[] and show that t generate low detecton & hgh false alarm rates. We therefore consder a two stage process: we employ the ch-square goodness of ft test [3] as an ABID mechansm to ntally chec the overall behavour of the networ and ndcate ntruson; n the event of a postve result we then use control chart to dentfy ntrudng nodes. Fnally we solate the nodes from the networ to prevent ntruson. We call our algorthm Adaptve Intruson Detecton & Preventon (AIDP). Secton of ths paper descrbes related research & challenges n ID and securng MANETs. Secton 3 descrbes DoS attacs and ndcates how an ntruder can cause DoS n MANETs. Secton 4 presents our proposed algorthm. Smulatons and ther result are llustrated n Secton 5. We summarze our results and future wor n Secton 6.. RELATED RESEARCH & CHALLENGES. Securng MANETs SEAD was proposed n [4] as a secure routng protocol that uses a one-way hash functon to provde authentcaton for the proactve routng protocol DSDV. The secure routng mechansm ARAN was proposed n [5]. A smlar approach Aradne [6] has been proposed for end-to-end authentcaton based on shared ey pars. These methods provde authentcated routng & ensure ntegrty of routng nformaton manly to prevent routng attacs caused by modfcaton of control pacets or forged routng nformaton. However, a MANET node can, wthout modfyng any control pacets explot the route dscovery procedure of reactve routng protocols to cause DoS attacs as we descrbe below n secton 3. Wang, Lu and Bhargava [7] performed a vulnerablty analyss of AODV n whch they observed that on-demand route queres enable real tme attacs. Some researchers have proposed methods to detect ths: for example Png and Zhang [8] consdered a route request (RREQ) floodng attac n MANETs. They proposed a RREQ floodng preventon mechansm based on neghbour s supervson that mantans a prorty queue of the ncomng RREQs. Ths mechansm reduces the prorty of RREQ generated by a specfc node f a hgher rate of ncomng queres from that partcular node s observed. However n some applcatons of MANETs there can be specfc nodes that generate more traffc; for example, n on-the-fly networs formed for a semnar and yet Png & Zhang s method wll remove requests from the queue above a certan ncomng request rate

2 n all cases. In another example Yu and Ray [9] defned two types of njectng traffc attac n MANETs as query and data pacets floodng. They detect the attac f requests are made a certan number of tmes n t sec. These methods are based on statc thresholds to detect malcous RREQ floodng whch n our opnon does not cope well wth the dynamcally changng envronment of MANETs. In addton, there s also the need to address the ssue of solatng a node once t s detected as an attacer.. Intruson Detecton ID n MANETs s more challengng than n fxed networs because the former lac a concentraton pont where traffc can be analyzed, and because of ther dynamcally changng topology and lmted computatonal ablty of nodes. Zhang and Lee argue [] that many ID technques developed for fxed wred networs are not applcable n MANETs and they proposed an ID and response mechansm n whch an Intruson Detecton System (IDS) agent performs local data collecton and local detecton. They then trgger a cooperatve detecton and global response when a node reports an ntruson. Nguyen et al. [] proposed ID through a statstcal anomaly detecton approach called Prncpal Component Analyss (PCA) whch s used as an outler detector method for hgh speed fxed networs. Ye et al. [] used a probablstc technque for anomaly detecton n fxed networs. They nvestgated audt data by usng varous probablstc technques ncludng decson tree, Hotellng s T test, ch-square test and Marov chan for detectng ntruson nto the nformaton system on fxed networs and concluded that ch square test based on frequency property provdes good ID performance. Ye and Chen [3] also proposed an anomaly detector based on the ch-square test for detectng ntruson n fxed networs. They concluded that the results demonstrate promsng performance n terms of hgh detecton and low false alarm rate. The ch-square test has been successfully used for ABID n fxed networ but n a MANET where there s no exstng nowledge of normal behavour we have extra challenges to apply these ABID technques. 3. DENIAL OF SERVICE ATTACKS DoS s an attempt to mae resources or servces unavalable to ther ntended users. Dstrbuted DoS s a severe threat for MANETs because they can be crashed due to ther lmted battery power or ther networ can easly become congested due to ts relatvely lmted bandwdth compared to fxed networs. Some examples of DoS attac on reactve routng protocol such as AODV and DSR are as follows: Sleep Deprvaton: here [4] the attacer nteracts wth the node n a manner that appears to be legtmate; however the purpose of nteracton s to eep the vctm node out of ts power conservng sleep mode. An ntruder can cause sleep deprvaton by explotng the vulnerablty of the route dscovery process of protocols such as AODV and DSR, for example, by sendng a RREQ pacet perodcally so that the vctm node has to process these pacets causng exhauston of ts battery power. Rushng Attac: In order to lmt the control pacet overhead an on-demand protocol only requres nodes to forward the frst RREQ that arrves for each route dscovery. An ntruder can explot ths property by spreadng RREQ pacets qucly throughout the networ so as to suppress any later legtmate RREQ pacets [5]. In the wor descrbed n ths paper we have ntally consdered vulnerabltes n AODV but AIDP can be appled to other routng protocols. 3. Vulnerabltes n AODV AODV s desgned for use n networs where the nodes can all trust other nodes and can assume there s no malcous ntruder node. Consderng the operaton of AODV [6], specfcally ts route dscovery process, t s hghly vulnerable to DoS attacs such as sleep deprvaton and the rushng attac. In the route dscovery procedure of AODV when a node needs a route to a destnaton, t broadcasts a RREQ pacet contanng a broadcast d, source & destnaton addresses, hop count and destnaton sequence number. After broadcastng a node s requred to wat for a specfc tme for a RREP or other control pacet. The node may try agan once ths tme expres. The source node s expected to use an expandng rng search technque for controlled dssemnaton of RREQs n the networ. Ths means that after sendng a RREQ wth Tme to Lve (TTL) feld set to one the node can resend the RREQ wth an ncremented TTL value after watng for rng traversal tme. The node can repeat ths process untl ether a RREP or route error s receved or the TTL value reaches ts maxmum value. After that the node can retry the same path dscovery for a specfc destnaton up to some defned maxmum number of RREQ retres. 3. Malcous RREQ Floodng We ntally focus on malcous RREQ floodng (MRF) whch can cause DoS attacs such as sleep dervaton & rushng attac n MANETs. In MRF an ntruder explots the route dscovery process of a reactve routng protocol such as AODV to cause DoS n the networ. An ntruder can flood the networ wth malcous RREQs wthout beng detected by other nodes n the followng ways: Malcous RREQ Floodng : an ntruder broadcasts a RREQ wth a destnaton IP address that s wthn the doman but does not exst. Ths wll compel all nodes to forward ths RREQ because no-one wll have the route for ths destnaton IP address. Malcous RREQ Floodng : after broadcastng a RREQ an ntruder does not wat for the rng traversal tme and contnues resendng the RREQ for same destnaton wth hgher TTL value. 4. AIDP We now descrbe AIDP, whch uses ABID to detect DoS attacs caused by MRF n MANETs. AIDP conssts of two modules: a tranng and a testng module as explaned later n ths secton. 4. Model Assumptons & Termnologes We dsregard attacs amed at the physcal and ln layers. We consder applcatons of MANETs formed on-the-fly for group collaboraton such as rescue operatons or semnars. We note that an ABID requres data of only normal actvtes contanng audt traces and traffc patterns of normal events to buld a tranng profle. However, n contrast wth fxed networs, data resources such as [7] that reflect normal actvtes or events are not avalable for on-the-fly MANETs applcatons. In general the normal operaton of MANETs s not nown. Therefore we assume that the ntal behavour of the networ formed on-the-fly durng the tranng phase s free from anomales. To llustrate the mplementaton of AIDP we assume a clustered MANET organzaton. We select the most capable nodes n terms of ther processng abltes as cluster head (CH) and the others nodes becomes cluster nodes (CN). At present we assume secure communcaton between CH and CNs. The operaton of AIDP s llustrated n Fg.. When the networ s establshed, the CH contnuously gathers nformaton and apples the AIDP tranng module for N tme ntervals (TI), resultng n an ntal tranng profle (ITP). The ITP reflects the normal behavour of the nodes n the networ. In the testng phase the CH then apples the

3 Fgure. Tme-based operaton of AIDP. testng module after each TI. Ths test conssts of several tass, the frst of whch detects ntruson. If there s no ntruson then t updates the ITP n order to adapt the varaton n the networ behavour as tme progresses. If there s ntruson n the second tas the CH dentfes the ntrudng nodes. To optmse the probablty of dentfyng ntruders correctly wth a low level of false postves, t mantans a test sldng wndow (TSW), n whch d detectons of a node are requred n P tme ntervals (TI). If ths detecton threshold s passed then the CH wll Blaclst (BL) the node and solate the node by nformng all CNs. 4. AIDP Algorthm We now explan the tranng and testng module of AIDP. Tranng Module: Whle s less than equal to N.CH collects the number of RREQ receved X by CN from all other CNs tang nto account TTL values n TI.. Calculate the probablty dstrbuton P( X ) end whle.calculate mean X of P(X ) for = to N.Store results as ITF.. Ext Fgure. Pseudocode of tranng module. In Fg. X ={X, X, X3,,X M } s a set of random varables representng the number of RREQs receved by all CNs n the th TI, where M s the maxmum number of RREQs receved n a TI. Ths ncludes both the RREQ pacets generated by the source nodes and those RREQ pacets forwarded by ntermedate nodes. The probablty dstrbuton of X s calculated for the TI, and ths process s then repeated for the N tme ntervals n the tranng phase. We then calculate mean X of P(X ) for N ntervals, whch s stored as an ITP contanng the expected values for that partcular networ observed for the total tme of N * TI seconds. The tranng module pseudocode can of course be generalzed to collect other parameters. Testng Module: a) Detectng Intruson & Callng other Modules.CH sets TSW to P number of TI.CH Montor the networ for TI Do after each TI. CH collects number of RREQ receved X from all other CNs n TI.. Calculate the probablty dstrbuton P(X ).Calculate average of P(X ).Store X as Observed values.. End do.ch Apples the ch-square test by frst Calculatng Ch computed ( χ ).Hypothess Testng H o: Observed dstrbuton of X fts the expected H a: Observed dstrbuton of X does not ft expected.if (ch-computed (.d.f) > P-value (.d.f)) then Reject H o & call: LND= Intruder-Identfcaton(nodes V ) For all nodes V n LND (Lst of Nodes Detected). If ( V detectons n PIL > Detectons_To_ Accuse) CH: Blaclst V & Broadcast AccusatonPacet(AP) else : enter V n PIL endf. else : Update Expected values X (TP).Ext b).calculate RREQ generated by V for = to n (n=number of nodes).calculate standard devaton of V.set Contol Lne (CL).set Upper Control Lmt (UCL) & lower control lmt(lcl) For V = to n If (RREQ generated by V )> UCL add V to LND. endf.endfor.return (LND) & Ext c). each CN V mantan ts local BlaclstTable (BLT).f CN V receve an AP for CN V j.if CN V has node V j n ts BLT Ignore AP else CN add node V j to ts BLT & rebroadcast AP d).f node V receve pacet from node V j.if node V j s n node V BLT Ignore pacet & drop all pacet queued from V j Else : handle & process pacet Fgure 3. Pseudocode of testng module. Fg.3 shows the pseudocode of the testng module. After montorng the networ for one TI, the CH uses the ch-square test to dentfy any ntruson. Ths test determnes how well the observed model fts wth the expected. N ( X X ) χ = () = X Equaton s the specfc form of the test n whch X s the observed and X s the expected value of the th varable. After calculatng the ch-computed value the CH performs hypothess testng by settng the null hypothess H o and alternatve hypothess H a as shown n Fg.3a. The crtcal P-value s calculated at gven level of sgnfcance () and degree of freedom (d.f). To llustrate the operaton of the algorthm we have chosen the standard value of =5% (.e. a confdence nterval of 95%). The d.f s the number of classes of X (.e. the number of groups n whch the frequency of RREQ s dvded) beng tested whch s n our case s determned by the testng module of AIDP for each TI at run tme. If calculated ch-computed value s larger than the crtcal value then we reject H o,and assume ntruson n the TI. We then use ntruder-dentfcaton tas (Fg.3b) to dentfy the ndvdual ntrudng node. Ths uses varable control chart based on standard devaton. We calculate of RREQ generated by all nodes then set the CL=, UCL=CL + 3& LCL= mnmum [, CL - 3 ]. We choose 3 lmts because we now that for a normal dstrbuton 99.7% of the observaton les wthn + 3 lmts. We consder node to be a detected ntruder f t ntates more RREQs than the UCL, n whch case we add node to the potental ntruder lst (PIL) mantaned by CH. If any node s detected more than

4 P ercen tag e o f D etecto n (% ) DoS attac through MRF & (5 nodes networ) MRF : Success Rate MRF : False Postve d tmes n P ntervals (the threshold for accusaton Detecton_to_Accuse) then the CH blaclsts the node and nform all other CNs by sendng an accusaton pacet (AP). When a CN receves an AP t frst checs the broadcast d & source address to avod processng a duplcate AP. If the accused node s already blaclsted the CN wll gnore & drop the AP to prevent unnecessary networ traffc. Otherwse, the CN wll blaclst the accused node and rebroadcast the AP. Fnally, to solate the ntruder form the networ all nodes wll not only drop the pacets from a blaclsted node but also mmedately gnore all pacets n ther queue from the blaclsted nodes as shown n Fg.3d. If no ntruson s detected by the ch-square test (Fg.3a) then we updates the tranng profle usng an exponentally weghted movng average (EWMA) as gven n equaton, X( J, I ) = α X + ( α) X ( ) ( J, I ) () ( J, I ) MRF : Success Rate MRF : False Postve Nodes Mean Speed (m/s) Fgure 4. Success and false alarm rate as a functon of node mean speed n a 5, 49 & 64 nodes networ. J, I () where X ( J, I ) and X represents the expected and observed value for update perod number (J) respectvely. The value of J s ncremented n the TI when no ntruson n the MANET s detected. I represent the random varable from to and α = s the weghtng factor. As J ncreases the ( J ) weghtng for older data ponts decreases exponentally gvng more mportance to the current observaton. The updated expected profle model reflects the current behavour of the networ. Ths s mportant for adaptve ID n MANET where overall behavour of the networ changes wth tme. 5. EVALUATION 5. Smulaton Envronment We use GloMoSm to assess the performance of AIDP. We buld the smulaton envronment by assumng that the MAC and Physcal layer are relable n ther operatons. Table shows the smulaton parameters for all scenaros. The nodes are ntally placed at the start of smulaton n a rectangular grd. The terran dmenson values n Table ensure node densty s constant between all three scenaros. We assume a sngle cluster n our smulatons, and we use the random way pont (RWP) as moblty model. 5. Assessment of control chart as an Intruson Detector In frst set of experments we use only control chart based on standard devaton to detect DoS. The CH montors the networ for a TI and then apples control chart based on on the number of Percentage of D etectons (% ) DoS attac through MRF & (49 nodes networ) MRF :Success Rate MRF :Fale Postve MRF : Success Rate MRF : False Postve Nodes mean speed(m/s) Table. Smulaton Parameters Number of nodes Terran dmensons 4*4 m 56*56 m 64*64 m Number of ntruders or Node placement Grd wth grd unt= metres Tme nterval TI Smulaton tme Routng protocol seconds Tranng + Testng =5+=5 seconds AODV MAC protocol IEEE 8. Moblty Pause tme Mean speed P ercen tag e o f D etecto n (% ) Random Way Pont Model (RWP) Vares from to 6 seconds Vares from to m/s RREQs generated by all nodes. The CH calculates the CL, UCL & LCL (Fg.3b). The CH wll detect as ntruder any node V that generates more RREQ than the UCL. Ths process s repeated by the CH for each TI. We perform runs frst wth normal traffc (.e. no ntruson n the networ) and then a further runs wth one ntruder pced randomly from the nodes. Ths ntruder launches MRF attacs n order to cause DoS by sleep deprvaton and rushng attac. Smulaton wth 5, 49 & 64 nodes results n an average successful dentfcaton rate of 7%, but also has a very hgh average false alarm rate (.e. detectng a node as an ntruder when there s no ntruson n the networ ) of 55%. 5.3 Evaluaton of AIDP DoS attac through MRF & (64 nodes networ) MRF : Success Rate MRF : False Postve MRF : Success Rate MRF : False Postve Node Mean speed (m/s) In ths secton we present the results from AIDP. We expermented wth all three scenaros (5, 49&64 nodes) usng the parameters of Table. By ntroducng the ch-square test n addton to control chart the ndvdual dentfcaton rate rses to 86% and the false alarm rate drops to 5% for a test n a sngle TI. Ths sgnfcantly mproves the detecton rate. In smulaton for AIDP the CH apples the tranng module (Fg.) for N=5 TI, and then apples the testng module (Fg.3) for TI each of seconds. We llustrate results here wth TSW=5 and Detecton_to_Accuse=3. We perform runs wth each scenaro (5, 49 & 64 nodes) wth normal traffc usng the smulaton parameters of Table and then wth ntruders pced randomly from the nodes. These ntruders launch MRF & attacs n order to cause DoS by sleep deprvaton and rushng attac. At each tested mean speed we perform runs wth no ntruders and runs wth one ntruder usng MRF and runs wth on ntruder usng MRF.

5 Num ber of Con trol per Data pacets Delvered Control Pacet Overhead 5 nodes networ No DoS attac DoS attac & no protecton DoS attac wth AIDP n place Nodes Mean Speed ( m/s ) N u m b er o f C o n tro l p e r Data pacet delvered Fg. 4 depct the success rate (SR) and false alarm (FA) rate of AIDP as a functon of the nodes mean speed n 5,49 & 64 node networs.by SR here we mean the rate of correctly ndcatng ntruson n the networ and then dentfyng & solatng the node whch s causng DoS. A false alarm (FA) means that a correctly behavng node has been ncorrectly dentfed and solated. When there s no ntruson n the networ the FA are zero n all three scenaros. The graphs show good performance of AIDP n terms of hgh SR and very low FA rate aganst DoS attacs through MRF &. The SR drops slghtly n the 64 node networ when the nodes are movng wth a hgher mean speed. Effects on networ performance To analyze the performance mpact of AIDP on the networ we montor control & data pacets durng our smulatons. Fg 5 depcts the control pacet overhead as functons of ncreasng mean node speed n 5, 49 & 64 nodes networ. By control pacet overhead we mean the rato of the number of control pacets to the delvered data pacets durng the smulatons. Each graph dsplays the control pacet overhead when there s a) no DoS attac n the networ b) ntruson n the networ (DoS attac) but no means of defendng these attacs, and c) ntruson (DoS attacs) wth AIDP n place to protect the networ. As can be seen from the graphs AIDP reduces the control pacet overhead & conversely ncreases the networ throughput when t s used n a networ under attac by ntruder causng DoS. However, the control pacet overhead s not as low as that of a networ when there s no ntruson because AIDP also needs control pacets for IDP n the networ. CONCLUSION & FUTURE WORK The on-demand nature of MANET routng protocols maes them susceptble to DoS attacs, such as sleep deprvaton and rushng attac. In ths paper we have llustrated how ntruders can cause DoS attacs n MANETs. We consder the sutablty of usng only control chart to protect aganst these attacs, and demonstrated that ths method based on statc threshold smlar that proposed n [8] & [9] s not sutable because t does not cope well wth the dynamcs of MANETs. We then proposed an adaptve ntruson detecton & preventon mechansm AIDP. It employs ABID whch frst use ch-square test to chec the overall behavour of the networ and ndcate ntruson, and then uses control chart to dentfy ntrudng nodes. Fnally we solate the ntrudng nodes. Smulaton results show that AIDP successfully detects dentfes & solates the ntrudng nodes attemptng to cause DoS attacs. AIDP exhbts a hgh success rate and very low false alarm rate wth an affordable processng overhead on the networ over a range of scenaros tested Control Pacet Overhead 49 nodes networ No DoS attac n the networ DoS attac & no protecton DoS attac wth AIDP n place Nodes mean speed(m/s) Fgure 5. Control pacet overhead Vs nodes mean speed n a 5, 49 & 64 nodes networ. N u mb e r o f C o n tro l p er Data pacets delvered Control Pacet Overhead 64 nodes No DoS attac n the networ DoS attac & no protecton DoS attac wth AIDP n place Nodes mean speed (m/s) In our ongong wor we are focusng on generalzng AIDP by ncludng other related parameters to cover all routng attacs n MANET. 6. REFERENCES [] Z.L, A.Das, and J.Zhou, Theoretcal Bass for Intruson Detecton, IEEE Proc, Informaton Assurance and Securty, pp 84-9, 5-7 June 5. [] Leonard.A.Doty, Statstcal Process Control, nd ed, 996. [3] H.O.Lancaster, The Ch-Squared Dstrbuton, Wlley Publcatons n Statstcs 969. [4] Y.Hu, B.Johnson and A.Perrg, SEAD: secure effcent dstance vector routng for moble wreless ad hoc networs, Ad hoc Networs, Vol., pp 75-9, 3. [5] K.Sanzgr and M.Beldng-Royer A Secure Routng Protocol for Ad Hoc networs, Proc, th IEEE ICNP,. [6] Y.Hu, A.Perrg and B.Johnson, A Secure On Demand Routng Protocol for Ad-Hoc networs,proc, MobCom, pp 3-8, September. [7] W.Wang, Y.Lu and K.Bhargava, On Vulnerablty and Protecton of Ad Hoc On Demand Dstance Vector Protocol, IEEE Proc, ICT, Vol., pp , 3. [8] P.Y, Z.Da and S.Zhang, Resstng Floodng Attac n Ad Hoc Networs,IEEE Conference on Codng & Computng, Aprl 5. [9] W.Yu and K.Ray, Defence aganst Injectng Traffc Attac n Cooperatve Ad Hoc networs, IEEE Global Telecommuncaton Conference,Globecom, 5. [] Y.Zhang and W.Lee, Intruson Detecton n Wreless Ad-Hoc Networs, Proc, 6 th, ACM MOBICOM,. [] D.Nguyen, Das, Mem and Choudhary, A Reconfgurable Archtecture for Networ Intruson Detecton Usng Prncpal Component Analyss, ACM Int Symposum on Feld Programmable Gate Arrays, 6. [] N.Ye, X.L,,M.Emran and M.Xu, Probablstc Technques for Intruson Detecton Based on Computer Audt Data, IEEE Transacton on Systems, Man & Cybernetcs,. [3] N.Ye and Q.Chen, An Anomaly Detecton Technques based on a CHI-SQUARE Statstcs for Detectng Intruson nto Informaton System Qualty and Relablty Engneerng Internatonal,. [4] M.Prrete and R.Broos, The Sleep Deprvaton Attac n Sensor Networs: Analyss and Methods of Defence, Int Journal of Dstrbuted Sensor Networs, Vol., No.3, pp 67-87, 6. [5] Y.Hu, A.Perrg and B.Johnson, Rushng Attac and Defence n Wreless Ad Hoc Networs Routng Protocol, nd ACM Worshop on Wreless Securty, pp 3-4, 3. [6] C.Perns, Ad Hoc On Demand Dstance Vector (AODV) Routng, RFC 356, July 3. [7] KDD data set, 999, can be accessed at