An Efficient Method for Detecting Misbehaving Zone Manager in MANET

Marjan Kuchaki Rafsanjani (1), Farzaneh Pakzad (2), and Sanaz Asadinia (3)

(1) Department of Computer Engineering, Islamic Azad University Kerman Branch, Kerman, Iran, [email protected]
(2) Islamic Azad University Tiran Branch, Tiran, Iran, [email protected]
(3) Islamic Azad University Khurasgan Branch, Young Researchers Club, Khurasgan, Iran, [email protected]
Abstract. In recent years, mobile ad hoc networks (MANETs), in which mobile nodes organize themselves without any predefined infrastructure, have grown tremendously. MANETs are highly vulnerable to attack because of the open medium, the dynamically changing network topology, the cooperative algorithms, the lack of centralized monitoring and management, and the lack of a clear line of defense. In this paper we report our progress in developing intrusion detection (ID) capabilities for MANETs. In the proposed scheme, a network with a distributed hierarchical architecture is partitioned into zones, each with one zone manager. The zone manager monitors the cluster heads in its zone, and the cluster heads monitor their members. The most important remaining problem is how the trustworthiness of the zone manager itself can be established. We therefore propose a scheme in which the "honest neighbors" of a zone manager validate it. These honest neighbors prevent false accusations, and they allow a manager whose misbehavior appears to be accidental to keep its role; if the manager repeats its misbehavior, however, it loses its management role. The scheme thus improves intrusion detection and provides a more reliable network.

Keywords: Collaborative algorithm, Honest neighbors, Intrusion detection, Zone manager, Mobile Ad hoc Network (MANET).
1 Introduction

A mobile ad hoc network is a self-organizing, self-configuring wireless network that can quickly form without any wired network infrastructure. Nodes within radio range of each other communicate directly over wireless links; nodes that are far apart use other nodes as relays. The network topology changes frequently as mobile nodes move into or out of each other's vicinity [1],[2]. Thus, a MANET is a collection of autonomous nodes that form a dynamic multi-hop radio network for a specific purpose in a decentralized manner [1].

T.-h. Kim et al. (Eds.): FGCN 2010, Part II, CCIS 120, pp. 11–21, 2010. © Springer-Verlag Berlin Heidelberg 2010

Because of these characteristics, MANETs are more vulnerable and raise more security concerns and challenges than other networks. The open medium, the dynamically changing topology, the lack of central monitoring and the absence of a clear line of defense make a MANET particularly vulnerable to attacks such as passive eavesdropping, active impersonation and denial of service. An intruder that compromises a mobile node can disrupt communication between nodes by broadcasting false routing information, providing incorrect link-state information and flooding other nodes with unnecessary routing traffic. One way of securing a MANET is to apply prevention methods such as encryption and authentication, but experience has shown that encryption and authentication alone are not sufficient as intrusion prevention, so a second line of defense, an intrusion detection system, is needed [2],[3]. The idea is that if an intrusion detection system is present, an intrusion can be detected as early as possible and the MANET protected before extensive harm is done. Research efforts are under way to develop intrusion detection systems (IDS) that detect intrusions, identify the misbehaving nodes and isolate them from the rest of the network. The presence of a detection system also discourages misbehaving nodes from attempting intrusions in future, since an intruder will think twice before trying to break in again [4]. However, most IDSs assume that the monitoring nodes or cluster heads that initiate detection and response are valid nodes.
In the real world this assumption does not hold, and monitoring nodes or cluster heads may themselves be misbehaving or malicious. (We treat a malicious node as a misbehaving node.) In this paper we focus on detecting misbehaving monitoring nodes and malicious cluster heads: such nodes can send false information to other nodes or report an innocent node as destructive. In our scheme, the network is partitioned into zones, each with one zone manager that monitors the cluster heads in its zone. The central problem is how the integrity of the zone manager can be established; this is done by the "honest neighbors" of the zone manager. Compromised nodes within a cluster are detected with the Algorithm for Detection in a Cluster (ADCLU) [4], which the zone manager also uses to detect malicious cluster heads. The rest of this paper is organized as follows. Section 2 reviews related work on intrusion detection for MANETs. Section 3 presents and explains our intrusion detection scheme. Section 4 reports simulation results, and Section 5 concludes the paper with a discussion of future work.
2 Preliminaries

There are three typical architectures for an intrusion detection system (IDS): stand-alone, distributed and cooperative, and hierarchical [5]. A fourth classification, the hybrid architecture, combines these.
In the stand-alone architecture every node runs an intrusion detection agent, and every decision is based only on information collected at the local node; there is no cooperation among the nodes, as in the Watchdog technique [6]. The merit of this architecture is that intrusion detection causes no network overhead such as audit data exchange. It also reduces the risk of attackers accusing legitimate nodes of misbehavior in order to have them excluded from the network [7]. However, the architecture is hard to deploy in real environments, because for most types of attack the information available at an individual node is not enough to detect the intrusion. Since every node runs an IDS, resources are required on every node, so the scheme is unsuitable for nodes with limited resources. Furthermore, without node cooperation the scheme may fail to detect a misbehaving node in the presence of (a) ambiguous collisions, (b) receiver collisions, (c) limited transmission power, (d) false misbehavior reports, (e) collusion and (f) partial dropping [6]. Finally, the scheme itself has no security protection.

The second architecture is the distributed and cooperative model. Zhang and Lee [8] proposed that intrusion detection in MANETs should also be distributed and cooperative. As in the stand-alone architecture, every node participates in intrusion detection and response through an IDS agent running on it. The agent detects and collects local events and data to identify possible intrusions and initiates a response independently; when the local evidence is inconclusive, neighboring IDS agents cooperate in global intrusion detection through a voting mechanism [2]. The merits of this architecture are as follows. Network overhead can be reduced by exchanging data only when it is needed, and the incompleteness of local audit data can be compensated by asking neighboring nodes about the intrusion status. Although this overcomes some limitations of the stand-alone IDS, it has its own problems. First, cooperative detection may cause heavy communication and computation between nodes, degrading network performance. Second, the assumption that data is shared only between trusted nodes does not hold in general, since a wireless environment offers many possible threats [7].

Hierarchical IDS architectures are designed for multi-layered ad hoc network infrastructures in which the network is divided into smaller sub-networks (clusters), each with one or more cluster heads responsible for intrusion detection. The cluster heads act as management points, similar to switches, routers or gateways in traditional wired networks. An IDS agent still runs on every node and detects intrusions locally by monitoring local activities, while a cluster head is responsible both locally for its own node and globally for its cluster, e.g. monitoring network packets and initiating a global response when a network intrusion is detected [2],[3],[7]. This architecture is the most suitable in terms of information completeness, and relieving some nodes of the burden of hosting a full IDS agent conserves overall energy. The price is the network overhead of forming clusters and exchanging audit data, as well as the relatively long detection time caused by that exchange.
Moreover, malicious nodes elected as cluster heads can devastate the network. In the zone-based IDS proposed in [9], the network is partitioned into non-overlapping zones. Every node in a zone (intra-zone node) sends alert messages to a gateway node (inter-zone node) by alert flooding, and the gateway node sends out an alarm message representing the zone at a fixed interval. Zone-based IDS therefore cannot detect intrusions in real time, because its gateway generates alarms only at fixed intervals. Intrusion detection in MANETs also distinguishes two types of decision making: collaborative and independent. In collaborative decision making, each node actively participates in the detection procedure; once a node detects an intrusion with strong confidence, it can initiate a response by starting a majority vote to determine whether an attack has occurred [8]. In independent decision making, certain nodes are assigned to intrusion detection [10]; they collect intrusion alerts from other nodes and decide whether any node in the network is under attack, without needing the other nodes' participation in the decision [2],[3].
3 The Proposed Scheme

Our scheme is inspired by the collaborative techniques for intrusion detection in mobile ad hoc networks, which use the collaborative efforts of the nodes in a neighborhood to detect a malicious node in that neighborhood [4]. The first step of our scheme is based on the ADCLU algorithm of Marchang et al. [4], designed to detect malicious nodes in a neighborhood in which not every pair of nodes need be within radio range of each other, but in which one node has all the others in its one-hop vicinity. Such a neighborhood is identical to a cluster [11]. The technique uses message passing between the nodes. A node called the monitoring node initiates the detection process; based on the messages it receives during the process, each node determines which nodes it suspects of being malicious and sends votes to the monitoring node, which inspects the votes and determines the malicious nodes among the suspects [4]. The authors assume that the node initiating the algorithm, the monitoring node, is not malicious, and that when it initiates detection by sending a message to the other nodes, the malicious nodes have no way of knowing that a detection algorithm is in progress. If the monitoring node is itself a misbehaving node, however, it can send false information to the other nodes, report an innocent node as destructive, or simply not initiate the detection process. It is therefore important that the monitoring node is a valid node. The same shortcoming appears in many distributed, hierarchical and hybrid intrusion detection systems.

In our scheme, the network is divided into zones, each with one zone manager that monitors the cluster heads in its zone. The zone manager is the heart of the control and coordination of every node in the zone: it maintains the configuration of the nodes, records the system status information of each component, and makes the decisions. The zone manager monitors the cluster heads by extending the ADCLU algorithm. The second step of our scheme detects a misbehaving zone manager: the zone manager's neighbors control its activity and report any misbehavior. This creates a reciprocal relationship between the nodes of the multi-level hierarchy.

3.1 Detecting Malicious Cluster Heads Based on ADCLU

The ADCLU algorithm [4] detects malicious nodes in a set of nodes forming a cluster, defined as a neighborhood in which there is a node that has all the other nodes as its 1-hop neighbors, as shown in Fig. 1. To present the algorithm we make the following assumptions: the wireless links between the nodes are bi-directional, and when the monitoring node initiates the detection process, the malicious nodes have no way of knowing that a detection algorithm is in progress.

[Fig. 1 not reproduced; it shows five nodes labeled 0 to 4 and the links between them.]
Fig. 1. A neighborhood (cluster) in a MANET consisting of 5 nodes: an edge between two nodes denotes they are within radio range of each other
Step 1: The monitoring node M broadcasts the message RIGHT to its neighbor nodes, asking them to broadcast the message further in their own neighborhoods.
    M broadcast: (RIGHT)
Step 2: On receiving RIGHT, each neighbor B of M broadcasts the message in its own neighborhood.
    B broadcast: (X)    (X = RIGHT if B is not malicious, X ≠ RIGHT if B is malicious)
Step 3: The monitoring node M then broadcasts a MALICIOUS-VOTE-REQUEST message in its neighborhood.
    M broadcast: (MALICIOUS-VOTE-REQUEST)
Step 4: On receipt of a MALICIOUS-VOTE-REQUEST from M, each neighbor B of M does the following. Let P_A be the message that B received from node A in Step 2 (if B received no message from A, or received a message different from RIGHT, P_A is set to the default message WRONG). If P_A ≠ RIGHT, B sends M a vote naming A as a suspected node.
    B → M: (VOTE; A)
Step 5: On receipt of the votes from Step 4, the monitoring node does the following:
    I. Accept only distinct votes from each node (the monitoring node accepts at most one vote about a given suspected node from any one node).
    II. Let N_A be the number of votes received for node A. If N_A ≥ k, mark node A as malicious. (The monitoring node also casts its own votes; k is the threshold value.)

The zone manager can use the same algorithm to decide whether its cluster heads work properly. To validate the zone manager itself, however, we propose a distributed scheme that controls the zone manager, examines its operation, isolates it if any misbehavior is observed, and selects a new zone manager.

3.2 Detecting a Valid Monitoring Zone Manager

The first zone manager can be selected randomly or by consulting the DSR routing table. An IDS agent is then installed on each neighboring node of the zone manager, and each node runs its IDS independently; the nodes cooperate, however, to resolve ambiguous intrusions. Neighboring nodes must know and trust each other so that the accuracy of their decisions can be established. Creating such a trusted community is important for the success of MANET operations. A mechanism is needed that lets nodes exchange security associations and thereby speeds up the creation of the trusted community; meeting and establishing mutual trust with every other node individually would take a great deal of time and effort. The reliance concept proposed in this study makes this process simpler and faster by providing a secure platform on which nodes exchange their security associations. This ongoing trust exchange reduces the amount of anonymous communication and thus leads to a trusted community in the network [12]. On this platform each node builds its own trusted-neighbors list; the list is seeded by initial virtual trust between nodes and then grows with the good reputation other nodes earn through experience.
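The ADCLU round of Section 3.1, as an added example that is not part of the original paper or of Marchang et al.'s implementation. It assumes a constructed five-node cluster in which every pair of nodes is within range, models a malicious node as one that rebroadcasts WRONG and casts duplicate false votes against honest nodes, and models channel loss as a set of dropped Step-2 broadcasts; the node class, the edge list and the attacker behaviour are all assumptions made for the illustration.

```python
"""ADCLU-style detection round in one cluster (added illustration, not the paper's code)."""
from dataclasses import dataclass, field

RIGHT = "RIGHT"
WRONG = "WRONG"   # default value of P_A when nothing (or something else) was heard from A


@dataclass
class Node:
    nid: int
    neighbors: set                              # ids within radio range (links are bi-directional)
    malicious: bool = False
    heard: dict = field(default_factory=dict)   # sender id -> message overheard in Step 2


def build_cluster(edges, malicious=()):
    """Build an id -> Node map from an undirected edge list (a constructed topology)."""
    nodes = {}
    for u, v in edges:
        for x in (u, v):
            nodes.setdefault(x, Node(x, set(), x in malicious))
        nodes[u].neighbors.add(v)
        nodes[v].neighbors.add(u)
    return nodes


def adclu(nodes, monitor_id, k, lost=frozenset()):
    """Run one ADCLU round started by `monitor_id`; return the ids marked malicious.

    `lost` holds (sender, receiver) pairs whose Step-2 broadcast the channel drops
    (assumption: this is how the paper's random message loss is modelled here).
    """
    m = nodes[monitor_id]
    if m.malicious:
        # ADCLU assumes an honest monitor. A misbehaving one can simply never
        # initiate or report anything (or accuse whom it likes); nothing below
        # can catch that, which is the gap Section 3.2 addresses.
        return set()
    for n in nodes.values():
        n.heard.clear()

    # Steps 1 and 2: M broadcasts RIGHT; every neighbour B rebroadcasts X in its own range.
    for b_id in m.neighbors:
        b = nodes[b_id]
        x = WRONG if b.malicious else RIGHT
        for a_id in b.neighbors:
            if (b_id, a_id) not in lost:
                nodes[a_id].heard[b_id] = x

    # Steps 3 and 4: M requests votes; B votes against A when P_A != RIGHT.
    suspects = set(m.neighbors)
    ballots = []                                 # (voter, suspect); duplicates allowed here
    for b_id in suspects | {monitor_id}:         # the monitoring node votes as well
        b = nodes[b_id]
        for a_id in suspects - {b_id}:
            if b.malicious:
                # assumed attacker behaviour: accuse every honest node, three times over
                if not nodes[a_id].malicious:
                    ballots.extend([(b_id, a_id)] * 3)
            elif b.heard.get(a_id, WRONG) != RIGHT:
                ballots.append((b_id, a_id))

    # Step 5: (I) at most one vote per (voter, suspect); (II) N_A >= k marks A malicious.
    voters_for = {}
    for voter, suspect in set(ballots):
        voters_for.setdefault(suspect, set()).add(voter)
    return {a for a, voters in voters_for.items() if len(voters) >= k}


# Constructed example: five nodes, all pairwise in range, node 3 malicious.
EDGES = [(0, 1), (0, 2), (0, 3), (0, 4), (1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4)]

if __name__ == "__main__":
    cluster = build_cluster(EDGES, malicious={3})
    print(adclu(cluster, monitor_id=0, k=3))                  # {3}
    print(adclu(cluster, monitor_id=0, k=2, lost={(1, 2)}))   # {1, 3}: k too low, a lost message frames node 1
```

With k = 3 the three duplicate accusations from node 3 collapse to a single vote under Step 5.I, and even one lost broadcast (node 2 never hears node 1, so P_1 defaults to WRONG at node 2) leaves node 1 below threshold. Lowering k to 2 turns that same lost message into a false positive, which is why k has to be set against the expected loss rate; and a malicious monitor short-circuits the whole round, which is the case the honest-neighbor ring of Section 3.2 exists to cover.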
Each node listens promiscuously to the transmissions of the neighbors within its one-hop vicinity that are also neighbors of the zone manager. A node decreases a neighbor's reputation degree whenever it observes misbehavior such as dropping packets or modifying messages, and increases it when the neighbor forwards packets without modification. Neighbors' activity can also be checked against the routing tables. Once a neighbor's reputation degree reaches the threshold value, it is registered in the node's "honest neighbors" list. The direct neighbors then exchange their honest-neighbors lists to create a further set of associated nodes, the indirect honest neighbors (implicit trust). In this way a ring of honest neighbors surrounds the zone manager and controls its activity, as shown in Fig. 2; the zone manager is, of course, itself among their trusted neighbors. If any of these nodes misbehaves or acts maliciously, its reputation degree is reduced, and it is removed from the honest-neighbors list once the degree falls below the threshold. The process does not require the IDSs of all neighboring nodes to be active; some of them can go into sleep mode. If one node detects that the zone manager is misbehaving, it sends an alert to its honest neighbors; the sleeping modules switch from the sleeping state to the running state, start their IDSs and cooperate in detecting the zone manager intrusion. If they also observe the zone manager misbehaving, they send a warning to one another and cut off communication with the zone manager; at the same time the warning is sent to the cluster heads, which can then run ADCLU to dismiss the zone manager on strong evidence.
[Fig. 2 not reproduced. Legend: zone manager, honest neighbors, communication link. The figure shows nodes A to G, the ring of honest neighbors around the zone manager, and a sample of indirect trust between nodes.]
Fig. 2. Honest neighbors model for detecting misbehaving zone manager
After the zone manager is removed, a new manager must be selected; the simplest and fastest procedure is for the honest neighbors to select as zone manager the node with the lowest misbehavior rate or the highest reputation.
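The reputation ring of Section 3.2 and the manager replacement described above, as an added example that is not part of the original paper. The reward and penalty weights, the threshold, the rule that a first confirmed misbehavior is forgiven and a second one dismisses the manager, the majority rule for confirming a suspicion, and the scenario itself are all assumptions made for the illustration; the hand-off to the cluster heads' ADCLU run is noted in a comment rather than implemented again here.

```python
"""Honest-neighbour ring around a zone manager (added illustration, not the paper's code)."""
from collections import defaultdict

# Assumed parameters: the paper fixes none of these values.
HONEST_THRESHOLD = 5     # reputation degree at or above which a neighbour counts as "honest"
REWARD, PENALTY = 1, 3   # an unmodified forward earns 1; a drop or a modification costs 3
MAX_STRIKES = 2          # the first confirmed misbehaviour is forgiven, the second dismisses


class Agent:
    """IDS agent on one direct neighbour of the zone manager, listening promiscuously."""

    def __init__(self, nid, sleeping=False):
        self.nid = nid
        self.sleeping = sleeping
        # initial "virtual trust": every neighbour starts exactly at the threshold
        self.reputation = defaultdict(lambda: HONEST_THRESHOLD)
        self.indirect = set()    # honest neighbours of honest neighbours (implicit trust)
        self.cut = set()         # nodes this agent no longer communicates with

    def observe(self, neighbor, event):
        """Update a neighbour's reputation from one overheard transmission."""
        if event == "forward":
            self.reputation[neighbor] += REWARD
        elif event in ("drop", "modify"):
            self.reputation[neighbor] -= PENALTY
        else:
            raise ValueError(f"unknown event {event!r}")

    def honest_neighbors(self):
        """Direct honest-neighbours list: every observed node at or above the threshold."""
        return {n for n, r in self.reputation.items() if r >= HONEST_THRESHOLD}

    def suspects(self, neighbor):
        return self.reputation[neighbor] < HONEST_THRESHOLD


def exchange_honest_lists(agents, ring):
    """Ring members swap lists; whoever a trusted neighbour trusts becomes implicit trust."""
    for i in ring:
        a = agents[i]
        for h in a.honest_neighbors():
            if h in agents:
                a.indirect |= agents[h].honest_neighbors() - {a.nid, h}


def zone_manager_round(agents, ring, zm, events, strikes):
    """One detection round for zone manager `zm` by the ring of honest neighbours.

    `events[i]` is what agent i overhears the manager do this round.
    Returns (alarm_raised, dismissed, strikes_after_round).
    """
    awake = [i for i in ring if not agents[i].sleeping]
    for i in awake:
        agents[i].observe(zm, events[i])
    if not any(agents[i].suspects(zm) for i in awake):
        return False, False, strikes
    # Alert: sleeping agents in the ring wake up and join the detection.
    for i in ring:
        if agents[i].sleeping:
            agents[i].sleeping = False
            agents[i].observe(zm, events[i])
    confirmed = [i for i in ring if agents[i].suspects(zm)]
    if len(confirmed) <= len(ring) // 2:      # assumption: a ring majority must agree
        return False, False, strikes
    strikes += 1
    if strikes < MAX_STRIKES:
        return True, False, strikes           # warned, but keeps the management role
    # Repeat offender: the ring cuts communication; in the paper the warning also
    # goes to the cluster heads, which run ADCLU to dismiss the manager on evidence.
    for i in ring:
        agents[i].cut.add(zm)
    return True, True, strikes


def select_new_manager(agents, ring, candidates):
    """Honest neighbours pick the candidate with the highest total reputation among them."""
    return max(candidates,
               key=lambda c: sum(agents[i].reputation[c] for i in ring if i != c))


def run_scenario():
    """Constructed scenario: ring {1,2,3,4} around zone manager 0; agents 3 and 4 start asleep."""
    ring = [1, 2, 3, 4]
    agents = {i: Agent(i, sleeping=i in (3, 4)) for i in ring}
    agents[1].observe(2, "forward")           # 1 trusts 2 ...
    agents[2].observe(3, "forward")           # ... and 2 trusts 3, so 1 implicitly trusts 3
    exchange_honest_lists(agents, ring)
    quiet = zone_manager_round(agents, ring, 0, {i: "forward" for i in ring}, 0)
    asleep_after_quiet = agents[3].sleeping
    first = zone_manager_round(agents, ring, 0,
                               {1: "drop", 2: "modify", 3: "drop", 4: "forward"}, quiet[2])
    second = zone_manager_round(agents, ring, 0, {i: "drop" for i in ring}, first[2])
    agents[4].observe(3, "forward")           # a little extra reputation for node 3
    return {
        "implicit_trust_of_1": agents[1].indirect,
        "asleep_after_quiet": asleep_after_quiet,
        "quiet": quiet, "first": first, "second": second,
        "manager_cut_off": all(0 in agents[i].cut for i in ring),
        "new_manager": select_new_manager(agents, ring, ring),
    }


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario a quiet round wakes nobody; the first round with three of four ring members overhearing a drop or a modification wakes the sleepers, confirms the suspicion and produces a warning but no dismissal; a second confirmed round removes the manager, and the ring then elects the candidate its members rate highest. A lone observer cannot dismiss the manager, which is what keeps a single false accuser from doing through the ring what the paper worries a dishonest monitor could do through ADCLU.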
4 Simulation Results

Our algorithm was simulated in the GloMoSim simulator. In the base scenario, 250 nodes are placed in a 2000 m × 2000 m area divided into four 1000 m × 1000 m sections and 16 clusters. Each node selects a random destination within the simulation area and moves according to the random waypoint mobility model with a maximum speed of 10 m/s. The simulation time was 300 s and the routing protocol was DSR. Data traffic was generated by 10 constant bit rate (CBR) sources, each sending one 1024-byte packet per second. The MAC layer uses the 802.11 protocol, the radio propagation range is 250 m and the data rate is 2 Mbit/s. Message loss was modeled by randomly discarding messages at various steps of the algorithm. 20 percent of the nodes were malicious; they were selected at random and made to drop or modify all messages they were supposed to forward, which in terms of our algorithm means that they send WRONG messages. Figs. 3–5 show the end-to-end delay, delivery ratio and overhead, respectively, when the nodes are stationary. Fig. 3 compares the end-to-end delay of our algorithm with ADCLU and the plain DSR protocol. Our algorithm has a higher end-to-end delay than the other two. In general DSR performs best in simple environments, since it performs no detection or response processing and so has the lowest delay.
Our protocol, in turn, is more complex than ADCLU, so its higher delay is expected. Fig. 4 shows that the delivery ratio of our scheme is better than that of the other two protocols. A high proportion of messages passed and received successfully means one of two things: either there are no attacks in the network, or the attacks have been identified and dealt with. Since 20 percent of the simulated nodes are malicious, this indicates that our algorithm deals correctly with the intruders. Fig. 5 shows the overhead per correctly received packet for our algorithm, ADCLU and DSR. Our method has lower overhead than ADCLU, which shows that despite the attacks it delivers more packets to their destinations. In general, packet delivery ratio and overhead are inversely related: higher overhead means a lower delivery ratio, and lower overhead a higher one.
[Fig. 3 not reproduced: end-to-end delay in seconds (0 to 0.02) against number of nodes (100 to 250) for ADCLU, the proposed method and DSR.]
Fig. 3. End to end delay without mobility

[Fig. 4 not reproduced.]
Fig. 4. Packet delivery ratio without mobility
Fig. 5. Overhead per true received packets without mobility
Figs. 6–8 show the end-to-end delay, delivery ratio and overhead, respectively, when the nodes move with a maximum speed of 10 m/s. According to the figures, our proposed scheme still performs better despite the movement of the nodes.

[Fig. 6 not reproduced: end-to-end delay in seconds (0.01 to 0.02) against number of nodes (100 to 250) for ADCLU, the proposed method and DSR.]
Fig. 6. End to end delay with maximum speed 10m/s

[Fig. 7 not reproduced.]
Fig. 7. Packet delivery ratio with maximum speed 10m/s
Fig. 8. Overhead per true received packets with maximum speed 10m/s
5 Conclusion and Future Work

In this paper we have proposed a scheme that improves IDS for MANETs. The scheme aims to minimize overhead, maximize network performance and provide a degree of protection against intruders. It focuses on the reliability of the zone manager, which is established by its honest neighbors. The scheme works as follows: the network is divided into zones, each with one zone manager that monitors the cluster heads in its zone, and the zone manager is validated by its honest neighbors, a step neglected in many IDS techniques. Most of those techniques assume that the monitoring node is a valid node; a misbehaving monitoring node, however, can refuse to initiate the intrusion detection algorithm or accuse an innocent node of being destructive. The honest neighbors prevent false accusations and allow a zone manager whose misbehavior appears to be accidental to remain manager, but a manager that repeats its misbehavior loses its management role. The scheme can serve as the basis of a more sophisticated intrusion detection system for MANETs, and this work emphasizes the importance, neglected in recent research, of validating the zone manager that runs the IDS algorithms. Our simulation results show that the algorithm works well even over an unreliable channel where the packet loss rate is around 20%.
References

1. Xiao, H., Hong, F., Li, H.: Intrusion Detection in Ad hoc Networks. J. Commu. and Comput. 3, 42–47 (2006)
2. Farhan, A.F., Zulkhairi, D., Hatim, M.T.: Mobile Agent Intrusion Detection System for Mobile Ad hoc Networks: A Non-overlapping Zone Approach. In: 4th IEEE/IFIP International Conference on Internet, pp. 1–5. IEEE Press, Tashkent (2008)
3. Fu, Y., He, J., Li, G.: A Distributed Intrusion Detection Scheme for Mobile Ad hoc Networks. In: 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), vol. 2, pp. 75–80. IEEE Press, Beijing (2007)
4. Marchang, N., Datta, R.: Collaborative Techniques for Intrusion Detection in Mobile Adhoc Networks. J. Ad Hoc Networks 6, 508–523 (2008)
5. Brutch, P., Ko, C.: Challenges in Intrusion Detection for Wireless Ad hoc Networks. In: Symposium on Applications and the Internet Workshops (SAINT 2003 Workshops), pp. 368–373. IEEE Press, Florida (2003)
6. Marti, S., Giuli, T.J., Lai, K., Baker, M.: Mitigating Routing Misbehavior in Mobile Ad hoc Networks. In: 6th Annual International Conference on Mobile Computing and Networking, pp. 255–265. ACM, New York (2000)
7. Arifin, R.M.: A Study on Efficient Architecture for Intrusion Detection System in Ad hoc Networks. M.Sc. Thesis, repository.dl.itc.u-okyo.ac.jp/dspace/bitstream/2261/../K01476.pdf, pp. 1–53 (2008)
8. Zhang, Y., Lee, W., Huang, Y.: Intrusion Detection Techniques for Mobile Wireless Networks. J. Wireless Networks 9, 545–556 (2003)
9. Sun, B., Wu, K., Pooch, U.W.: Alert Aggregation in Mobile Ad hoc Networks. In: 2nd ACM Workshop on Wireless Security (WiSe 2003), pp. 69–78. ACM, New York (2003)
10. Anantvalee, T., Wu, J.: A Survey on Intrusion Detection in Mobile Ad hoc Networks. In: Xiao, Y., Shen, X., Du, D.Z. (eds.) Wireless/Mobile Network Security, vol. 2, pp. 159–180. Springer, Heidelberg (2007)
11. Huang, Y., Lee, W.: A Cooperative Intrusion Detection System for Ad hoc Networks. In: ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN 2003), pp. 135–147. ACM, New York (2003)
12. Razak, A., Furnell, S.M., Clarke, N.L., Brooke, P.J.: Friend-Assisted Intrusion Detection and Response Mechanisms for Mobile Ad hoc Networks. J. Ad Hoc Networks 6, 1151–1167 (2008)