Vulnerabilities of Intrusion Detection Systems in Mobile Ad-hoc Networks - The routing problem

Ernesto Jiménez Caballero
Helsinki University of Technology
erjica@gmail.com

Abstract

Intrusion detection is one of the most active research fields in Mobile Ad-hoc Networks (MANETs). These systems usually focus on detecting attacks on the routing system in order to prevent denial of service and man-in-the-middle attacks. Despite the number of papers that try to solve the problem, many of the proposals are purely theoretical and have only been evaluated in simulations, and most of them share common deficiencies. This paper reviews attacks that intruders perform against MANET routing systems, some of the systems proposed to detect them, and their deficiencies.

KEYWORDS: MANET, Routing, intrusion detection systems, Deficiencies

1 Introduction

A wireless ad-hoc network is a group of devices connected without a fixed infrastructure such as access points or base stations. The lack of infrastructure makes the devices themselves part of the routing system, creating multi-hop wireless paths that link nodes with others outside their radio range. Networks without fixed infrastructure and with high mobility are ideal for places such as battlefields, and for establishing communications after natural disasters. In these environments, however, network security becomes critical. For this reason several research studies have focused on ad-hoc security, including intrusion prevention and intrusion detection systems. Prevention should stop unauthorized access to the network, but this is not always possible, and that risk forces the implementation of a second line of defense: intrusion detection. Traditional intrusion detection systems (IDS) in wired networks analyze the behavior of the elements in the network, trying to identify anomalies produced by intruders and, once identified, start a response against them.
These detection systems are usually placed at the elements that concentrate the most traffic, such as routers, gateways, and switches. In ad-hoc networks no such elements exist, and it is not possible to predict which nodes will route the most traffic for their neighbors and install an IDS only on those. This is the reason behind the proposal by Zhang and Lee [9] of a distributed intrusion detection system in which every host in the network investigates possible misbehavior by its neighbors.

One of the most important things to secure in ad-hoc networks is the routing system. Attacks against this part of the network can result in denial of service (DoS) or man-in-the-middle. Because of this, several studies in the field have focused on routing systems and on how to detect node misbehavior and tell whether it is caused by an intruder or, on the other hand, is the normal misbehavior of mobile wireless networks (e.g. lack of signal, routing tables not updated). However, most of these studies have important deficiencies: their systems ignore some attacks that an intruder can perform without being detected. Our goal in this article is to review the possible attacks against the routing system, some of the proposed IDSs, and their deficiencies.

2 Background

2.1 Routing systems in ad-hoc networks

Routing systems can be classified into three groups: proactive, reactive, and hybrid. In proactive systems the nodes periodically broadcast information about their routing tables, and every node stores the routes to reach each node in the network. By contrast, in reactive systems a node asks its neighbors for a route only when it has a packet to send. Finally, hybrid systems combine both techniques. Several routing protocols for ad-hoc networks have been presented. However, these protocols usually implement no safeguards of their own, trusting the safeguards added in upper layers. This lack of security might be acceptable when thinking about intrusion prevention, but when we start thinking about intrusion detection we must assume that security in the upper layers is not enough. Furthermore, when an attacker reaches a MANET with an insecure routing system he might gain control over the whole network and perform several attacks against its nodes.

Figure 1: MANET example

2.2 Attacks against the routing system

In this section we review some common attacks in which intruders alter the routing tables of legitimate nodes. These attacks are common because, as said in the previous section, most routing systems are insecure, and once the attacker reaches the network he can alter the routes to gain more control over the other nodes. Figure 1 shows three legitimate nodes (A, B, and C) connected in an ad-hoc network and an intruder node Z which performs the attacks. This figure is used to illustrate the attacks explained below.

Black Hole routers [1][2][3][4][5]: This is a denial-of-service attack in which the malicious node (Z) listens for a legitimate node (A) requesting a route to reach another node (C). Once Z has this information it claims to be the shortest path to C; as a result, A sends its packets to Z expecting them to reach C, but Z never forwards them. The consequences range from a single node being disconnected from the rest of the network (A is the only node suffering the attack) to all the nodes in the network relying on the malicious node and being completely disconnected from each other.

Grey Hole routers [7]: This attack is a small variation of the Black Hole attack. Unlike Black Hole routers, Grey Hole routers do not drop all the packets. By dropping only part of the traffic the intruder tries to hide the attack, since it does not deny all network services.
This attack is harder to identify because the reduced network capacity could also be produced by the normal instability of wireless links.

Resource exhaustion [2][7]: Once Z has reached the network and has access to the routing system, he can flood the network with routing messages. The messages vary with the system: in a proactive system the attacker sends broadcast routing updates; in a reactive system he sends requests for routes to other nodes. Whatever the system, the idea is to reduce the network's capacity as much as possible by keeping the nodes busy with the routing system. The consequences go beyond network capacity: nodes that constantly update their routing tables spend CPU cycles and drain their batteries faster.

Man-in-the-middle: In MANETs an intruder can attack the routing system to perform a man-in-the-middle attack. While in wired networks one can use ARP poisoning (claiming to be a different node in order to redirect all of its traffic through oneself), in a MANET the intruder can claim to be the shortest path to every node and receive all the traffic from his neighbors (as in the Black Hole attack).

3 Intrusion detection systems

Given the lack of security in routing systems, this section briefly describes several intrusion detection systems for wireless ad-hoc networks. They were chosen because they focus on detecting intruders attacking the routing system.

Watchdog [6]: The main idea of this IDS is that, since a node overheard its neighbor claiming to be the shortest path, it can also overhear how that neighbor routes its traffic. The node sends its packets to the neighbor that claimed to be the shortest path to the destination and then switches to promiscuous mode in order to listen to its neighbors' transmissions and check whether that neighbor actually forwards the packets.
With this information about its neighbors' behavior the node can deduce whether they could be Black or Grey Hole routers.

Pathrater [6]: In Pathrater each node uses the information from systems such as Watchdog to rate its neighbors. These ratings establish the trustworthiness of each node according to its behavior and let the node choose which neighbors it can trust and which ones it has to ignore.

Routeguard [2]: This system combines Watchdog and Pathrater to classify each neighbor node as Fresh, Member, Unstable, Suspect, or Malicious. The class of each node depends on the ratings obtained from the watchdog according to its behavior. Each class implies a different trust level, ranging from trusted (Member), which allows the node to participate in the network, to completely untrusted (Malicious), which gets the node banned from the network.

Hop-by-hop signing [8]: This paper proposes a secure routing system that enables intrusion detection. It reviews different public key management protocols for MANETs; this public key infrastructure provides every node with public key encryption and signatures. In the topology of Fig. 1, A can send signed packets to C through B, and C can verify that the packets came from A. Finally, the watchdog technique is presented as a solution against denial-of-service attacks such as Black and Grey Hole routers. However, this system is designed for short paths (one or two hops at most).

Patwardhan secure routing and intrusion detection system [7]: This paper presents a proof of concept implementing a secure routing protocol based on public key cryptography, intrusion detection, and a reaction system. The routing protocol is secured by adding public key signatures to verify the origin of the messages. In addition, an intrusion detection system on each node monitors its neighbors in promiscuous mode, listening to their routing activity.
When a node that claims to be a router is detected misbehaving, the detection system marks it as malicious and the reaction system isolates it from the ad-hoc network.

4 Deficiencies in proposed systems

The intrusion detection systems described in Section 3 obtained good results in simulations. Such scenarios help to measure the overhead of the protocols and their effectiveness. However, that effectiveness is always evaluated against the researchers' initial assumptions, which might neglect some important points. This section exposes some of these unconsidered points.

4.1 Public key overhead

Some complex IDS architectures (such as Hop-by-hop signing [8] and Patwardhan's secure routing [7]) require public key operations on every node. This improves the security of the system, adding all the advantages of public key cryptography. However, public key operations are considerably more expensive than symmetric ones, and this higher per-operation cost facilitates Resource Exhaustion attacks. A network whose routing system is secured with public key cryptography is more vulnerable to Resource Exhaustion: a malicious node can flood the network with routing messages, every receiving node spends more resources per message on the cryptographic operations (verifying a signature costs the victim far more than producing a bogus message costs the attacker), and this amplifies the denial of service.

4.2 Node impersonation

Intrusion detection systems such as Routeguard [2] and Patwardhan's IDS [7] include reaction systems intended to isolate malicious nodes from the rest of the ad-hoc network. These reaction systems require stronger security in order to prevent node impersonation. As explained in Section 3, Routeguard gathers information about the routing behavior of the nodes; this information is used to detect malicious nodes and to react by isolating them from the rest of the network.
However, if the routing system is not secure and cannot verify the identity of a node, a malicious node can impersonate a legitimate node and misbehave when routing packets; this misbehavior ends with the system isolating the legitimate node. In effect, the attacker turns the reaction system into a denial-of-service tool against honest nodes.

4.3 Directional antennas

All the reviewed intrusion detection systems assume that every node transmits with an omnidirectional antenna. This assumption is the basis of the Watchdog system and, as shown in Section 3, many IDSs use the Watchdog technique to detect intrusions. Fig. 2 illustrates a wireless ad-hoc network with an intruder Z aiming a directional antenna at a legitimate node. By aiming at a single node, the malicious node can evade the Watchdog detection system and perform a Black Hole attack.
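The following Python model is an added example; it is not code from the reviewed paper nor from any of the systems it describes. It runs a Watchdog-style observer (Section 3) on node A from Fig. 1 against the Black and Grey Hole attacks of Section 2.2, then against the two evasions of Sections 4.2 and 4.3. Everything in it is a modelling assumption: nodes are address strings, A's only evidence is whether it overhears its next hop retransmitting a packet, drops are deterministic (packet i is dropped when i % 10 is below 10 times the drop rate) so the numbers are reproducible, the Pathrater rating is simply one minus the observed drop ratio, and a directional antenna is modelled as a retransmission that A overhears but that never reaches the next hop, which is one reading of Fig. 2.

```python
"""Watchdog/Pathrater model: added example, not code from the reviewed paper."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Node:
    """A next hop as seen by node A. All behaviour flags are modelling assumptions."""
    addr: str
    drop_rate: float = 0.0              # 0.0 honest, 1.0 Black Hole, in between Grey Hole
    claimed_addr: Optional[str] = None  # Section 4.2: misbehave under another node's address
    directional: bool = False           # Section 4.3: A overhears the retransmission, C never gets it

    def source_addr(self) -> str:
        return self.claimed_addr or self.addr

    def forward(self, i: int) -> Tuple[bool, bool]:
        """Handle packet number i. Returns (overheard_by_A, delivered_to_next_hop)."""
        if i % 10 < int(round(self.drop_rate * 10)):   # deterministic drop pattern
            return (False, False)                      # silently dropped
        if self.directional:
            return (True, False)
        return (True, True)


@dataclass
class Watchdog:
    """A's tally per next-hop address: packets handed over vs. retransmissions overheard."""
    threshold: float = 0.5    # flag a hop whose unheard fraction exceeds this
    handed: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    heard: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def observe(self, hop: str, overheard: bool) -> None:
        self.handed[hop] += 1
        self.heard[hop] += int(overheard)

    def drop_ratio(self, hop: str) -> float:
        return 1.0 - self.heard[hop] / self.handed[hop] if self.handed[hop] else 0.0

    def suspects(self) -> Set[str]:
        return {hop for hop in self.handed if self.drop_ratio(hop) > self.threshold}


def pathrater_ratings(wd: Watchdog) -> Dict[str, float]:
    """Pathrater-style trust per hop: 1.0 forwarded everything, 0.0 forwarded nothing."""
    return {hop: round(1.0 - wd.drop_ratio(hop), 3) for hop in wd.handed}


def choose_next_hop(route_replies: Dict[str, int], suspects: Set[str]) -> str:
    """Reactive route choice: shortest advertised hop count among repliers not ruled out."""
    usable = {hop: hops for hop, hops in route_replies.items() if hop not in suspects}
    return min(usable, key=usable.get)


def run(next_hop: Node, n_packets: int = 100, threshold: float = 0.5) -> Tuple[Watchdog, int]:
    """A sends n_packets through next_hop in promiscuous mode; returns (tally, delivered)."""
    wd = Watchdog(threshold=threshold)
    delivered = 0
    for i in range(n_packets):
        overheard, ok = next_hop.forward(i)
        wd.observe(next_hop.source_addr(), overheard)   # attribution is by address only
        delivered += int(ok)
    return wd, delivered


# Constructed route replies for Fig. 1: B reaches C in 2 hops, Z falsely claims 1 hop.
ROUTE_REPLIES = {"B": 2, "Z": 1}


def black_hole_then_pathrater() -> dict:
    """Sections 2.2 and 3: Z wins the route; once Watchdog flags it, Pathrater routes via B."""
    wd, delivered = run(Node("Z", drop_rate=1.0))
    return {"first_choice": choose_next_hop(ROUTE_REPLIES, set()), "delivered": delivered,
            "suspects": wd.suspects(), "ratings": pathrater_ratings(wd),
            "after_detection": choose_next_hop(ROUTE_REPLIES, wd.suspects())}

def grey_hole_vs_lossy_link(threshold: float) -> dict:
    """Section 2.2: a 30% Grey Hole next to an honest hop on a 20% lossy link."""
    wd_grey, _ = run(Node("Z", drop_rate=0.3), threshold=threshold)
    wd_lossy, _ = run(Node("B", drop_rate=0.2), threshold=threshold)
    return {"grey_flagged": "Z" in wd_grey.suspects(), "lossy_flagged": "B" in wd_lossy.suspects()}

def impersonation() -> dict:
    """Section 4.2: Z drops everything while using B's address, so Watchdog blames B."""
    wd, _ = run(Node("Z", drop_rate=1.0, claimed_addr="B"))
    return {"suspects": wd.suspects(), "ratings": pathrater_ratings(wd)}

def directional_antenna() -> dict:
    """Section 4.3: A overhears every retransmission, C receives nothing, nobody is flagged."""
    wd, delivered = run(Node("Z", directional=True))
    return {"delivered": delivered, "suspects": wd.suspects(), "drop_ratio": wd.drop_ratio("Z")}


if __name__ == "__main__":
    print(black_hole_then_pathrater())
    print(grey_hole_vs_lossy_link(0.5), grey_hole_vs_lossy_link(0.15))
    print(impersonation())
    print(directional_antenna())
```

The grey-hole run shows the trade-off the paper describes: with a 0.5 drop threshold neither the 30% Grey Hole nor the honest hop on a 20% lossy link is flagged, and with a 0.15 threshold both are, so on this evidence alone the watchdog cannot separate the attacker from link instability. The impersonation run shows that Watchdog attributes by address only, so the reaction system would isolate B. The directional run ends with a drop ratio of 0.0 and zero packets delivered: the observer's assumption that "overheard" means "forwarded" is exactly what the attacker exploits.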
Zhang et al. [8] mention in their discussion that the Hop-by-hop signing detection system is unable to detect Black Hole routers, and the paper briefly outlines a proposal to solve this issue. It introduces a third node in promiscuous mode that listens to the routing communication between its neighbors in order to detect a Black Hole attack from a malicious node. The proposal is described as unsuitable, however, because the malicious node would have to be within range of the third node. And, as Fig. 2 shows, directional antennas can easily prevent such detection.

Figure 2: Intruder with a directional antenna

5 Conclusion

The routing system is the most vulnerable point of mobile ad-hoc networks. This vulnerability implies a high risk of denial-of-service attacks against certain nodes, or even the whole network. Furthermore, this risk is not acceptable in the scenarios most likely to deploy mobile ad-hoc networks, such as those described in the introduction: battlefields and communications after natural disasters. As mentioned in the introduction, security, and especially availability, is critical in those scenarios.

This paper briefly described some common deficiencies found in the intrusion detection systems reviewed. Further research is needed to improve the current intrusion detection systems for MANETs, and that research should consider the deficiencies presented in Section 4, which were neglected in previous work. Finally, it would be interesting to see more development and implementation work on these routing protocols and IDSs. Only one of the systems presented in Section 3 has been implemented on a real ad-hoc network with mobile devices; such proofs of concept are helpful for testing both efficiency and vulnerabilities.

References

[1] S. Cheung and K. Levitt. Protecting routing infrastructures from denial of service using cooperative intrusion detection. Proceedings of the 1997 Workshop on New Security Paradigms, pages 94-106, 1998.
[2] A. Hasswa, M. Zulkernine, and H. Hassanein. Routeguard: an intrusion detection and response system for mobile ad hoc networks. IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob 2005), vol. 3, 2005.
[3] Y. Hu, A. Perrig, and D. Johnson. Ariadne: A secure on-demand routing protocol for ad hoc networks. Wireless Networks, 11(1):21-38, 2005.
[4] Y. Huang, W. Fan, W. Lee, and P. Yu. Cross-feature analysis for detecting ad-hoc routing anomalies. Proceedings of the 23rd International Conference on Distributed Computing Systems, 2003.
[5] C. Karlof and D. Wagner. Secure routing in wireless sensor networks: attacks and countermeasures. Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, pages 113-127, 2003.
[6] S. Marti, T. Giuli, K. Lai, and M. Baker. Mitigating routing misbehavior in mobile ad hoc networks. Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, pages 255-265, 2000.
[7] A. Patwardhan, J. Parker, A. Joshi, M. Iorga, and T. Karygiannis. Secure routing and intrusion detection in ad hoc networks. Third IEEE International Conference on Pervasive Computing and Communications, Kauai Island, Hawaii, March 2005, pages 8-12.
[8] W. Zhang, R. Rao, G. Cao, and G. Kesidis. Secure routing in ad hoc networks and a related intrusion detection problem. IEEE Military Communications Conference (MILCOM 2003), vol. 2, 2003.
[9] Y. Zhang and W. Lee. Intrusion detection in wireless ad-hoc networks. Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, pages 275-283, 2000.