CHAPTER 1 INTRODUCTION




1.1 PREAMBLE

A wireless ad-hoc network is an autonomous system of wireless nodes connected by wireless links. It provides communication over a shared wireless channel without the support of fixed infrastructure or access points. The self-organizing property of a wireless ad-hoc network provides an extremely flexible method for establishing communications in situations where geographical or terrestrial constraints demand a totally distributed network, such as battlefields, emergency and disaster areas. Wireless ad-hoc networks are totally dependent on the collective participation of all nodes in routing information through the network.

With the rapid deployment of wireless ad-hoc networks, security has become one of the major problems they face today. Wireless transmissions in an ad-hoc network are subject to both active and passive attacks. Attackers can mount attacks against different layers of the network protocol stack to either compromise individual node(s) or degrade the performance of the entire ad-hoc network. To secure ad-hoc networks, either prevention or detection mechanisms, or a combination of both strategies, have been used. The traditional way of protecting with a firewall and prevention mechanisms such as encryption is no longer sufficient or effective. Intrusion detection is one of the key techniques for protecting a wireless ad-hoc network against intrusions.

Traditionally, intrusion detection techniques are divided into misuse intrusion detection and anomaly intrusion detection. Misuse intrusion detection identifies intrusions by searching for intrusion/attack patterns that match the signatures stored in a knowledge base of known intrusions. It can detect only those intrusions that are defined in the knowledge base. The advantage of misuse intrusion detection is a high detection rate and a low false alarm rate for known attacks, but it suffers from a low detection rate for unknown attacks and new vulnerabilities. Misuse detection is not successful in wireless ad-hoc networks due to the lack of a centralized monitoring and management point and the difficulty of distributing and updating signatures of known attacks (Liu et al 2005, Wenjia Li and Anupam Joshi 2006). Thus, alternative approaches such as anomaly detection are needed that can more effectively detect new vulnerabilities and unknown attacks in the wireless ad-hoc network.

1.2 LITERATURE REVIEW

With the rapid proliferation of wireless networks and mobile computing applications, new vulnerabilities that do not exist in wired networks have appeared. Security poses a serious challenge in deploying wireless networks in practice, and the vast difference between wired and wireless networks makes traditional intrusion detection techniques inapplicable. Wireless IDSs, emerging as a current research topic, aim at developing new architectures and mechanisms to protect wireless networks. Numerous research works have been carried out to develop intrusion detection systems and improve the performance of intrusion detection for wireless ad-hoc networks. The following are some of the literature related to this work.

1.2.1 Intrusion Detection

Intrusion detection means identifying any set of actions that attempt to compromise the integrity, confidentiality and availability of a resource. It is a security technology that attempts to identify individuals who are trying to break into and misuse a system without authorization, and those who have legitimate access to the system but are abusing their privileges. The first model of intrusion detection was developed by Denning (1987); it is independent of the system, the type of input and the specific intrusion to be monitored. There are two types of intrusion detection systems for wireless ad-hoc networks:

1) Misuse intrusion detection system
2) Anomaly intrusion detection system

1.2.1.1 Wireless Misuse Intrusion Detection

Misuse intrusion detection for wireless ad-hoc networks operates on a database of known attack signatures and system vulnerabilities. When the intrusion detection system (IDS) analyzer identifies an activity matching a signature stored in the database, an alarm is triggered. The triggered alarms are meaningful because the attack signatures contain diagnostic information about the cause of the alarm (Gong et al. 2005, Xiao et al. 2005).

The advantage of misuse intrusion detection is that it may have a very low false alarm ratio. Its disadvantage is that its completeness is poor, because the attack signature database and the list of system vulnerabilities need to be kept up to date. This is a tedious task because new attacks and system vulnerabilities are discovered on a daily basis, and careful analysis of the vulnerabilities is also time-consuming. Misuse intrusion detection also faces generalization issues because most of the knowledge of the attacks is focused on particular versions of operating systems and applications. It is clear that misuse intrusion detection systems are not suitable for the wireless ad-hoc environment due to the difficulty of distributing and updating the intrusion signatures.

1.2.1.2 Wireless Anomaly Intrusion Detection

Anomaly intrusion detection assumes that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or its users. Normalcy is defined by previously observed subject behavior, which is usually captured during a training phase. The normal profile is later compared with the current activity; if a deviation is observed, the IDS flags the unusual activity and generates an alarm. The advantage of anomaly intrusion detection is that it may be complete in detecting attacks, i.e., it can detect attempts that try to exploit new and unforeseen vulnerabilities. It is also less system-dependent (Zhang et al 2003, Anantvalee et al 2006). Anomaly detection systems can detect unknown intrusions since they require no a priori knowledge about specific intrusions. Statistical approaches have the added advantage of being adaptive to evolving user and system behavior, since updating the statistical measures is relatively easy (Zhang et al 2003, Anantvalee et al 2006).

Most current research works on IDS for wireless ad-hoc networks employ a distributed and cooperative architecture and focus on anomaly-based intrusion detection. Some of the literature is reviewed below.

Yonguang and Lee (2000) described the first distributed and cooperative anomaly-based IDS framework. The authors pointed out the placement of intrusion detection modules in all networking layers. They use the RIPPER algorithm for classification. The IDS detects intrusions such as abnormal routing table updates and attacks, and the authors pointed out the various attacks that are possible at different layers of the protocol stack. Hutchins et al. (2002) examined a high-speed campus wireless network and analyzed its traffic patterns; online user behavior was studied. Zhang et al. (2003) focus on detecting intrusions or anomalous behaviors in WLANs with data clustering techniques.

Most current research works focus on anomaly intrusion detection using a profile of different layers of the wireless node. Some research works using the network layer profile and the MAC layer profile are given below.

1.2.1.2.1 Network layer feature set

The watchdog and pathrater approach, discussed by Marti et al. (2000), introduces two related techniques to detect and isolate misbehaving nodes, i.e., nodes that do not forward packets. In the watchdog approach, a node forwarding a packet verifies that the next hop also forwards it. If not, a failure tally is incremented, and misbehavior is recognized if the tally exceeds a certain threshold. The pathrater module then uses this knowledge of misbehaving nodes to avoid them in path selection. The approach is limited in several aspects. First of all, overhearing does not always work in the case of collisions or weak signals. Secondly, pathrater actually rewards the misbehaving node if its motivation comes from selfishness, i.e., not serving others reduces its battery power consumption; it does not prevent the misbehaving node from sending or receiving its own packets. The study shows that if 10%-40% of the nodes in the network misbehave, average throughput degrades by 16%-32%. However, the worst-case throughput experienced by any one node may be worse than the average, because nodes that try to route through a misbehaving node experience high loss while other nodes experience no loss. Thus, even a few misbehaving nodes can have a severe impact. Since node misbehavior degrades the performance of the underlying network, misbehaving nodes can be a significant problem.

Buchegger et al. (2002) extend Marti's approach in numerous ways. Misbehaving nodes are not only excluded from forwarding routes, but also from requesting their own routes. Their system also includes a trust manager to evaluate the level of trust of alert reports and a reputation system to rate each node; only reports from trusted sources are processed. However, trust management in mobile ad-hoc networks (MANETs) has not been well studied yet. For example, it is not clear how fast the trust level can be adjusted for a compromised node, especially if it has a high trust level initially.
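As an added illustration of the watchdog and pathrater mechanism described above (example code written for this page, not the thesis author's code or the implementation of Marti et al.), the following Python simulation tallies overheard forwarding failures per next hop, flags a node once its tally passes a threshold, and lets the pathrater route around it. The topology, observation trace and threshold are all constructed; an observation of None models the collision or weak-signal case in which overhearing fails.

```python
"""Watchdog / pathrater walk-through over a constructed 6-node ad-hoc topology.

Added illustration of the scheme of Marti et al. (2000) as summarised above;
not the thesis author's code. Topology, trace and threshold are constructed.
"""
from collections import defaultdict

# Constructed topology: undirected wireless links between node ids.
# Shortest S->D route is S-A-B-D; the only B-free route is S-C-E-F-D.
LINKS = {("S", "A"), ("A", "B"), ("B", "D"), ("S", "C"),
         ("C", "E"), ("E", "F"), ("F", "D")}


def neighbours(node):
    return {b if a == node else a for a, b in LINKS if node in (a, b)}


class Watchdog:
    """Per-node failure tally for next hops that were heard NOT to forward.

    forwarded=None models a collision or weak signal: nothing could be
    overheard, so the tally is left unchanged (the limitation noted in the
    text: a dropper can hide behind such noise).
    """

    def __init__(self, threshold):
        self.threshold = threshold
        self.tally = defaultdict(int)

    def observe(self, next_hop, forwarded):
        if forwarded is False:
            self.tally[next_hop] += 1

    def misbehaving(self):
        return {n for n, c in self.tally.items() if c > self.threshold}


def simple_paths(src, dst, avoid=frozenset()):
    """All loop-free routes from src to dst that bypass every node in avoid."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in sorted(neighbours(node)):
            if nxt not in path and nxt not in avoid:
                stack.append((nxt, path + [nxt]))
    return paths


def pathrater(src, dst, suspects):
    """Fewest-hop route that avoids flagged nodes; falls back to any route."""
    clean = simple_paths(src, dst, avoid=frozenset(suspects))
    candidates = clean or simple_paths(src, dst)
    return min(candidates, key=len) if candidates else None


def run(trace, threshold=2):
    """trace: (observer, next_hop, forwarded) tuples; returns (suspects, route)."""
    dogs = defaultdict(lambda: Watchdog(threshold))
    for observer, next_hop, forwarded in trace:
        dogs[observer].observe(next_hop, forwarded)
    suspects = set().union(*(d.misbehaving() for d in dogs.values()))
    return suspects, pathrater("S", "D", suspects)


# Constructed observation trace: A overhears B dropping three packets, with
# one collision in between; S hears A forwarding normally.
TRACE = [("A", "B", False), ("A", "B", None), ("A", "B", False),
         ("A", "B", False), ("S", "A", True), ("S", "A", True)]

if __name__ == "__main__":
    print(run(TRACE))  # ({'B'}, ['S', 'C', 'E', 'F', 'D'])
```

Raising the threshold above the number of confirmed drops leaves B unflagged and the pathrater keeps the shorter S-A-B-D route, which is the missed-detection side of the trade-off the text describes.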

Huang and Lee (2003) describe cluster-based anomaly detection. They use a network layer statistical feature set for anomaly intrusion detection. However, due to the use of network layer statistical features, their system is unable to localize the attack source unless the identified attack occurred within one hop. Tseng et al. (2003) proposed specification-based detection techniques. They analyze various attacks against the Ad hoc On-Demand Distance Vector (AODV) protocol. Their IDS corrects AODV routing misbehavior and builds on a distributed network monitor architecture that traces AODV request-reply flows. This literature survey shows that a network layer profile is either unable to localize the attacks or requires modification of the core routing protocol.

1.2.1.2.2 MAC layer feature set

Gupta et al. (2002) study simple Denial of Service (DoS) attacks at the MAC layer, show their dependence on attacker traffic patterns and deduce that the use of MAC layer fairness can mitigate the effect of such attacks. Kyasanur and Vaidya (2005) propose a modification of IEEE 802.11 that integrates a receiver-initiated back-off penalty period into the existing contention mechanism to ensure that selfish nodes cannot gain an unfair share of the bandwidth. Such schemes help prevent unfair contention resolution, but remain susceptible to attacks from colluding adversaries. Also, these schemes require changing the core MAC protocols themselves. Further, nodes that launch attacks at multiple networking layers remain elusive: malicious nodes seeking to disrupt or shape traffic can effectively use a DoS attack at the MAC level that goes undetected.

Sung et al. (2003) address the issue of identifying important input features in building an intrusion detection system. Since elimination of insignificant and/or useless inputs simplifies the problem, faster and more accurate detection may result. Raya (2004) focuses on MAC layer misbehavior in wireless hotspot communities, although in some cases the method can be deceived by cheating peers. Liu et al (2005) proposed node-based intrusion detection for wireless ad-hoc networks. They introduce two feature sets that correlate information from the MAC layer and the network layer to profile the normal behavior of wireless nodes, and adapt a rule-based data mining technique for anomaly detection. They investigate the use of MAC layer traffic data to characterize normal behavior in the neighborhood of a wireless node and to detect misbehaving nodes through MAC layer anomalies. They use two data mining techniques for the two feature sets. Balachandran et al. (2006) presented a model based on a behavior-based intrusion detection technique using MAC layer data and network layer data, so a heavy data volume may be encountered, and it also works only with a specific routing protocol.

The literature survey shows that anomaly intrusion detection using the MAC layer requires modification of the core MAC protocol, that some attacks may remain undetected at the MAC layer, or that a heavy data volume is encountered. It has also been found that most of the above-mentioned works perform anomaly detection using some machine learning technique that uses a profile from either the MAC layer or the network layer to learn node behavior. In this thesis, a feature set drawn from both the network layer and the MAC layer is used to profile the normal behavior of a wireless node for anomaly intrusion detection.

1.3 PROBLEM FORMULATION

Anomaly intrusion detection is a mechanism that identifies intrusions through the observation of deviations from the normal behavior pattern of a node or a network. Anomaly detection is able to detect novel attacks because it does not assume prior knowledge of attack patterns. This thesis focuses on a wireless node behavior based anomaly detection mechanism. From the network point of view, anomaly detection techniques for ad-hoc networks depend on the characterization of the normal behavior pattern of wireless nodes. In ad-hoc networks, each node relies on other nodes to transfer data, which implies more battery power and processing power usage (Wenjia Li and Anupam Joshi 2006). As resources are limited, this can cause some nodes to misbehave. Such misbehavior can have a serious impact on the entire network (Marti et al. 2000, Anantvalee et al 2006, Liu et al 2005). Thus, it is important to identify the misbehaving nodes and define mechanisms to prevent and deal with them. A genuine wireless node shows regularities in its wireless transmissions, which can be captured and used for characterization. Deviations from the characteristic behavior pattern of a wireless node can be reported as potential intrusions. But this requires that wireless node behavior be modeled, either on an individual node or on a group basis, in such a way that the model captures the essence of wireless node behavior.

Liu et al (2005) introduced two feature sets that correlate information from the MAC layer and the network layer to profile the normal behavior of wireless nodes and adapt a rule-based data mining technique for anomaly detection. They use two data mining techniques, applied to two independent feature sets. Anomaly intrusion detection does not require two independent feature sets, nor does it need two data mining techniques to detect specific attacks in a wireless ad-hoc network. Instead of detecting specific attack scenarios, this thesis extracts the features of the MAC layer and network layer that are likely to take part in an attack. This provides higher flexibility, since a feature can be relevant for more than one attack or be prone to abuse by an unknown attack. Moreover, only one IDS is needed to perform the detection. Finally, in this way the total amount of data to be processed by the IDS is greatly reduced; consequently, the time spent on offline training of the system and afterwards on attack detection is also reduced.

In this thesis, a combination of network layer and MAC layer features is used to profile the behavior of wireless nodes for anomaly intrusion detection. As energy resources are limited in ad-hoc networks, it is not efficient to use a large feature set from the MAC layer and network layer profiles to characterize the normal behavior of wireless nodes (Liu et al 2005, Anantvalee et al 2006). A minimal feature set from the combination of the MAC layer and the network layer is proposed in this work to describe the behavior of a wireless node. This thesis introduces a regular feature set and a random feature set of the combined layers, i.e., the MAC layer and the network layer. Anomaly intrusion detection for wireless ad-hoc networks can be used to solve the completeness problem, i.e., distributing and updating signatures in misuse intrusion detection, but it suffers from high false alarm rates. This problem can be addressed through the use of machine learning techniques to learn wireless node behavior in anomaly intrusion detection; hence a genetic algorithm is used as the machine learning technique in this thesis. A threshold-based detection method has been used, and single index threshold and combined index threshold detection have been proposed. The goal of this research work is to use efficient approaches to improve the performance of anomaly intrusion detection for wireless ad-hoc networks.

1.4 OBJECTIVES

The objectives of this research are summarized below:

- To design a wireless node behavior based anomaly intrusion detection technique
  o To construct a minimal feature set from the combination of the MAC layer and the network layer in the wireless ad-hoc network
  o To introduce types of feature sets, namely a regular feature set and a random feature set of the combined layers, i.e., MAC and network layer
- To classify and analyze the behavior of the wireless node, employing a genetic algorithm
  o To analyze the normal and abnormal behavior of the wireless node, behavioral indices have been introduced.
  o To detect the intrusive behavior of the wireless node, single index threshold and combined index threshold based detection have been proposed.
- To evaluate the performance of the anomaly intrusion detection system for wireless ad-hoc networks using the combined layer (MAC and network layer) regular feature set and random feature set with behavioral indices

1.5 ORGANIZATION OF THE THESIS

The research presented in this thesis attempts to address security problems in wireless ad-hoc networks. Chapter II gives a detailed design of anomaly intrusion detection and feature set construction using the MAC layer and network layer. Chapter III describes the framework of the genetic-based anomaly intrusion detection system, elucidates wireless node behavior characterization and introduces four behavior indices. Chapter IV describes the experimental studies of anomaly intrusion detection using the genetic algorithm. Chapter V describes the performance evaluation of anomaly intrusion detection. Chapter VI gives the conclusion and ideas for future work.