Denial of Service (DoS) attacks detection in MANETs ... - IEEE Xplore

Denial of Service (DoS) attacks detection in MANETs through statistical models

M. Rmayti∗, Y. Begriche†, R. Khatoun†, L. Khoukhi∗, D. Gaiti∗

∗ ICD, HETIC, ERA, University of Technology of Troyes, UMR 6281, CNRS, Troyes, France
{mohammad.rmayti, lyes.khoukhi, dominique.gaiti}@utt.fr
† Telecom ParisTech, 46 Rue Barrault, 75013 Paris, France
[email protected], [email protected]

Abstract—Mobile ad-hoc networks (MANETs) are well known to be vulnerable to various attacks, due to features such as lack of centralized control, dynamic topology, and limited physical security. Denial of Service attacks still represent a serious threat for wireless networks. These attacks not only consume system resources but also isolate legitimate users from the network. The Grayhole attack is one of these attacks; it occurs when a malicious node drops some of the received data packets during the route discovery process. To detect this attack, we propose in this paper a novel approach based on two Bayesian classification models: Bernoulli and Multinomial. Several tests have been performed using the NS2 simulator. Our filters prove that intentional packet dropping can be fully detected with a low level of false alerts.

I. INTRODUCTION

Mobile ad hoc networks consist of nodes that do not need to rely on a predefined infrastructure to keep the network connected. In these networks, each node plays the role of both client and router, and the topology is dynamic due to the mobility of nodes. The nature of MANETs makes them vulnerable to different kinds of attacks [?]. Cooperation between nodes is a common assumption in ad hoc networks; however, selfish nodes may decide not to participate in network routing tasks in order to save energy, and malicious nodes may not cooperate at all, with the aim of disrupting the network. Denial of service means that a node cannot provide the required service to other legitimate nodes. Malicious nodes can perform several types of attacks, such as the Wormhole attack, Sybil attack, Jellyfish attack, Blackhole/Grayhole attacks [1], etc. A Grayhole is a node that selectively drops data packets after it advertises itself as having the shortest path to the destination node in response to a route request message from a source node [2]. The Blackhole is a particular case of the Grayhole attack, in which the malicious node drops all the received packets.

In this paper, we propose a non-cryptographic approach for detecting the Grayhole attack by monitoring and analyzing the behavior of nodes in MANETs. Our detection mechanism is based on two Bayesian filters: the Bernoulli and Multinomial models. The remainder of this paper is organized as follows. In Section II, we introduce the Grayhole attack and our proposed scheme. The Bernoulli and Multinomial Bayesian classification models are presented in Section III. Simulation results showing the accuracy of our approach are presented in Section IV. Finally, Section V concludes this paper.

II. PROPOSED SCHEME

The main goal of our approach is to detect the Grayhole attack in MANETs that use AODV as the routing protocol. To do this, we mathematically model the behavior of a node using vectors, based on three exclusive types of packets: $x_1$ → Route Request (RREQ), $x_2$ → Route Reply (RREP), $x_3$ → Data Packets. Based on these vectors, we calculate through statistical models the probability of dishonesty of a node over a defined period. Our purpose is to show the importance of each model in detecting the Grayhole nodes in the network.

The detection scheme can be described as follows: the node listens periodically to its neighborhood and collects information about the packets forwarded by its neighbours. Then, the information is filtered and mathematically modelled as vectors of behaviors. Using the Bayesian filter, the probability of dishonesty for a given vector is calculated using a decentralized process, in order to fit the mobility and the dynamic topology of MANETs. To do this, we have used the Bernoulli and Multinomial models in a complementary manner to classify the nodes and detect the malicious ones.

III. BAYESIAN CLASSIFICATION MODELS

A. Bernoulli distribution

In the Bernoulli model, each node is characterized by a vector $\vec{x}$ defined by $\vec{x} = (x_1, \dots, x_m)$, where $x_1, \dots, x_m$ are the values taken by the random variables $X_1, \dots, X_m$, which are assumed conditionally independent given the category $c$ (malicious, honest). Each random variable gives information about a packet type transmitted by the node. In this model, all random variables are binary: $X_i = 1$ if packets of type $i$, noted $pa_i$, are forwarded one time; otherwise $X_i = 0$. Consequently, each random variable $X_i$ follows a Bernoulli distribution with parameter $p_i = p(pa_i)$. In our case, we are interested in three types of messages: RREQ, RREP and DATA; thus the cardinality of the vector used is equal to 3.
978-1-4799-5490-2/14/$31.00 ©2014 IEEE

The value of $x_i$ depends on the forwarding rate of message type $i$ as follows: when a node forwards more than 90% of the received packets of type $i$, $x_i$ is set to 1; otherwise it is set to 0. Consider a malicious node E and a node A that wants to calculate the probability of dishonesty of E. For instance, if node E forwards, during the first interval $t$ of the monitoring period $T$, 97% of Data traffic, 30% of RREQ and 10% of RREP, then the vector $\vec{x} = (x_1, x_2, x_3)$ corresponds to $\vec{x} = (1, 0, 0)$. As already mentioned, $X_1, X_2, X_3$ are conditionally independent given the category $c$ (mal, hon). According to Bayes' theorem [3] [4] and the total probability theorem, for a node $(x_1, x_2, x_3)$, the probability of belonging to class $c$ is defined by:

$$p(C = c / \vec{X} = \vec{x}) = \frac{\prod_{i=1}^{3} p(pa_i/mal)^{x_i} \, (1 - p(pa_i/mal))^{(1 - x_i)} \, p(mal)}{\sum_{c \in \{mal, hon\}} \prod_{i=1}^{3} p(pa_i/c)^{x_i} \, (1 - p(pa_i/c))^{(1 - x_i)} \, p(C = c)}$$

In this classification, we could make two errors: classifying a malicious node as honest (mal → hon), and classifying an honest node as malicious (hon → mal). In fact, the second error is more serious than the first. To reflect this, we introduce the parameter λ, whose purpose is to give more importance to the second error by assuming that hon → mal is λ times more costly than mal → hon.

- Classification criteria: Taking into account what was mentioned above, the selection criterion is as follows: the node $\vec{x}$ is classified as malicious if and only if:

$$p(C = mal / \vec{X} = \vec{x}) > \lambda \cdot p(C = hon / \vec{X} = \vec{x}) \qquad (1)$$

Since $p(C = mal / \vec{X} = \vec{x}) + p(C = hon / \vec{X} = \vec{x}) = 1$, the selection criterion becomes the following. The node $\vec{x}$ is classified as malicious if and only if:

$$p(C = mal / \vec{X} = \vec{x}) > \alpha \qquad (2)$$

where

$$\alpha = \frac{\lambda}{1 + \lambda} \quad \text{and} \quad \lambda = \frac{\alpha}{1 - \alpha} \qquad (3)$$

B. Multinomial distribution

The Multinomial distribution is a generalization of the binomial distribution where each run can produce not two, but more than two different results. In this case, the node vector always contains three components, where each component is a number that represents a percentage. For instance, when the vectors have the following form: $\vec{x} = (97, 30, 10)$, this means that 97% of RREQ messages, 30% of RREP messages, and 10% of DATA messages are forwarded. The probability of dishonesty following the Multinomial law is given by:

$$P(C = c / \vec{N} = \vec{\eta}) = \frac{\prod_{i=1}^{3} p(pa_i/C = c)^{n_i} \cdot p(C = c)}{\prod_{i=1}^{3} p(pa_i/C = c)^{n_i} \cdot p(C = c) + \prod_{i=1}^{3} p(pa_i/C = c)^{n_i} \cdot p(C = c)}$$

- Classification criteria: The selection criterion is the same as in the previous model but applied conditionally on the event $(\vec{N} = \vec{\eta})$, that is to say: $p(C = malicious / \vec{N} = \vec{\eta}) > \alpha$, where α and λ are given by (3).

IV. PARAMETERS EVALUATION

In this section, we define the parameters that allow us to evaluate our filter. Two evaluation parameters are used: the weighted error ($Werr$) and the referential weighted error ($Werr_b$) [5] [6]. They are defined as follows:

$$Werr = \frac{\lambda FP + FN}{\lambda N_{hon} + N_{mal}}, \qquad Werr_b = \frac{N_{mal}}{\lambda N_{hon} + N_{mal}} \qquad (4)$$

where TP (respectively FP) denotes the rate of true (respectively false) positives, TN (respectively FN) denotes the rate of true (respectively false) negatives, $N_{mal} = FN + TN$ and $N_{hon} = TP + FP$. We introduce a new parameter named TCR (Total Cost Ratio), whose values allow the performance of the filter to be compared to that of the baseline, and which is defined by:

$$TCR = \frac{Werr_b}{Werr} = \frac{N_{mal}}{\lambda FP + FN} \qquad (5)$$

From the definition of the parameter TCR given above, we can write the following equivalences:

$$TCR > 1 \Leftrightarrow \frac{Werr_b}{Werr} > 1 \Leftrightarrow Werr_b > Werr$$

Thus, when the TCR is greater than 1, the referential weighted error is greater than the weighted error. Therefore, in this case, the filter is good. In the other case, when the TCR is less than 1, the referential weighted error is less than the weighted error, so the filter is not interesting. The TCR shows the suitability of the technique keeping in mind the cost of the different kinds of errors. The TCR is suitable for performance comparison when classifying a non-attack as an attack is more costly than classifying an attack as a non-attack.

V. RESULTS

The simulations of the different scenarios are done on NS2. The network contains up to 50 mobile nodes, using the AODV routing protocol. Five scenarios are simulated, by changing the percentage of malicious nodes in the network from 10% to 50%. The four curves of TCR (see Fig. 1) have the same
shape; thus there is a strong coherence between the different cases, and the network behaves in the same way regardless of the proportion of malicious nodes in the network. In case λ = 19, TCR is less than 1 only when the proportion of malicious nodes in the network is under 20%. Thus, the filter is not interesting if the proportion of malicious nodes is less than 20%. When λ = 3 or λ = 3, TCR is less than 1 when the proportion of malicious nodes in the network is under 15%, and therefore the filter is not interesting in this case. However, when λ = 1, TCR is always greater than 1; thus, the filter is always interesting. In any case, whatever the value of λ and whatever the proportion of malicious nodes, our filter gives very good results and therefore it is able to detect the Blackhole and Grayhole nodes.

Fig. 1: TCR for Bernoulli case.

For the Bernoulli filter, the curves representing the parameter TCR are increasing for all values of λ, but it is only when the number of malicious nodes exceeds 40% that these curves exceed the value 2 and become interesting, because it is known that the filter is useful when the TCR is greater than 1. On the other hand, in the case of the Multinomial filter, the TCR curves (see Fig. 2) are much higher than the value 2 and reach a value of 6, while the TCR curves of the Bernoulli filter are less than the value 1.5 when the number of malicious nodes is less than 30% (excluded); this makes the Multinomial filter more interesting than the Bernoulli filter in these cases.

Fig. 2: TCR for Multinomial case.

VI. CONCLUSION

In this paper, we have proposed an approach which can efficiently detect the Grayhole attack in MANETs. The list of detected malicious nodes can be useful to discover secure paths from source to destination by avoiding this type of denial of service. In this work, we used two Bayesian filters, the Bernoulli and Multinomial models, in a complementary manner to detect malicious nodes. The performance results have shown that our filters efficiently detect the Grayhole attack. In addition, when the rate of malicious nodes is greater than 25%, it is highly recommended to use the Multinomial Bayesian filter. As future work, we intend to define the dishonesty probability calculation process, and then develop a reputation system which will use our detection parameters to prevent malicious nodes from being inserted in the paths from source to destination.
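The Bernoulli and Multinomial posteriors of Section III, criterion (2) and the TCR of equation (5), worked through as an added Python example that is not the authors' code. The per-class parameters, priors, labelled sample and all function names are constructed assumptions; the denominator sums over the two classes mal and hon, and the products are evaluated in log space so that percentage-sized exponents do not underflow.

```python
from math import exp, log

# Constructed parameters (assumptions, not values from the paper).
# Bernoulli: p(pa_i | c), chance that a node of class c forwards >90% of type i.
P_FWD = {"mal": (0.80, 0.25, 0.20), "hon": (0.95, 0.90, 0.90)}
# Multinomial: assumed p(pa_i | c) per packet type, summing to 1 per class.
THETA = {"mal": (0.70, 0.20, 0.10), "hon": (0.34, 0.33, 0.33)}
PRIOR = {"mal": 0.3, "hon": 0.7}  # assumed p(C = c)

def _normalise(log_joint):
    """Bayes + total probability: per-class log joints -> posteriors."""
    top = max(log_joint.values())
    weights = {c: exp(v - top) for c, v in log_joint.items()}
    total = sum(weights.values())
    return {c: w / total for c, w in weights.items()}

def bernoulli_posterior(x):
    """Posterior over {mal, hon} for a binary vector x = (x1, x2, x3)."""
    return _normalise({
        c: log(PRIOR[c]) + sum(log(p if xi else 1 - p)
                               for p, xi in zip(P_FWD[c], x))
        for c in PRIOR})

def multinomial_posterior(n):
    """Posterior over {mal, hon} for a percentage vector n = (n1, n2, n3)."""
    return _normalise({
        c: log(PRIOR[c]) + sum(ni * log(p) for p, ni in zip(THETA[c], n))
        for c in PRIOR})

def is_malicious(posterior, lam):
    """Criterion (2): malicious iff p(mal | x) > alpha = lam / (1 + lam)."""
    return posterior["mal"] > lam / (1 + lam)

def tcr(labelled, lam, model=bernoulli_posterior):
    """Equation (5): N_mal / (lam*FP + FN), FP = hon->mal, FN = mal->hon."""
    fp = sum(c == "hon" and is_malicious(model(x), lam) for x, c in labelled)
    fn = sum(c == "mal" and not is_malicious(model(x), lam) for x, c in labelled)
    n_mal = sum(c == "mal" for _, c in labelled)
    cost = lam * fp + fn
    return float("inf") if cost == 0 else n_mal / cost

# Constructed labelled sample: (behaviour vector, true class).
SAMPLE = [((1, 0, 0), "mal"), ((0, 0, 0), "mal"), ((1, 1, 0), "mal"),
          ((1, 1, 1), "hon"), ((1, 1, 1), "hon"), ((1, 0, 1), "hon"),
          ((1, 0, 0), "hon")]

if __name__ == "__main__":
    for lam in (1, 3, 19):
        print("lambda =", lam, "TCR =", tcr(SAMPLE, lam))
```

With this sample, the one honest node flagged as malicious drives the TCR from 1.5 at λ = 1 to 0.75 at λ = 3 and 0.15 at λ = 19, which is the TCR < 1 regime in which the filter does worse than the baseline.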

REFERENCES

[1] M. Al-Shurman, S.M. Yoo, and S. Park. Black Hole Attack in Mobile Ad Hoc Networks. In Proceedings of the 42nd annual Southeast regional conference ACM-SE42, pages 96–97. ACM Press, April 2004.
[2] J. Sen, M.G. Chandra, S.G. Harihara, H. Reddy, and P. Balamuralidhar. A mechanism for detection of gray hole attack in mobile ad hoc networks. In Information, Communications Signal Processing, 2007 6th International Conference on, pages 1–5, 2007.
[3] C. P. Robert. Le choix Bayésien. Principes et pratiques. Springer, 2006.
[4] P. D. Hoff. A First Course in Bayesian Statistical Methods. Springer, 2009.
[5] M. Sahami, S. Dumais, D. Heckerman, and E. Horvitz. A bayesian approach to filtering junk E-mail. In Learning for Text Categorization: Papers from the 1998 Workshop, Madison, Wisconsin, 1998. AAAI Technical Report WS-98-05.
[6] I. Androutsopoulos, G. Paliouras, V. Karkaletsis, G. Sakkis, C.D. Spyropoulos, and P. Stamatopoulos. Learning to filter Spam E-Mail: A Comparison of a Naive Bayesian and a Memory-Based Approach.