RADAR: A reputation-driven anomaly detection system for wireless ...

Wireless Netw (2010) 16:2221–2236 DOI 10.1007/s11276-010-0255-1

RADAR: A reputation-driven anomaly detection system for wireless mesh networks
Zonghua Zhang, Pin-Han Ho, Farid Naït-Abdesselam

Received: 26 July 2009 / Accepted: 28 April 2010 / Published online: 29 May 2010. © Springer Science+Business Media, LLC 2010

Abstract  As one of the backup measures of intrusion prevention techniques, intrusion detection plays a paramount role in the second defense line of computer networks. Intrusion detection in wireless mesh networks (WMNs) is especially challenging and requires particular design concerns due to their special infrastructure and communication mode. In this paper, we propose a novel anomaly detection system, termed RADAR, to detect and handle anomalous mesh nodes in wireless mesh networks. Specifically, reputation is introduced to characterize and quantify a node's behavior in terms of fine-grained performance metrics of interest. The dual-core detection engine of RADAR then explores the spatio-temporal properties of such behavior to manifest the deviation between that of normal and anomalous nodes. Although the current RADAR prototype is only implemented with routing protocols, the design architecture allows it to be easily extended to cross-layer anomaly detection, where anomalous events occur at different layers and can result from either intentional intrusion or accidental network failure. The simulation results demonstrate that RADAR can achieve high detection accuracy, low computational complexity, and a low false positive rate.

Z. Zhang, Institut Telecom/TELECOM Lille 1, France, e-mail: [email protected]; P.-H. Ho (corresponding author), ECE Department, University of Waterloo, Waterloo, Canada, e-mail: [email protected]; F. Naït-Abdesselam, University of Sciences and Technologies of Lille, Lille, France, e-mail: [email protected]

Keywords  Wireless mesh networks · Reputation management · Network security · Anomaly detection

1 Introduction

Wireless mesh networks (WMNs) are proliferating as one of the key technologies of the next generation wireless metropolitan-area networks. A WMN usually contains two major components, namely mesh routers and mesh clients. The automatic establishment and maintenance of mesh topology and connectivity among the components makes it superior to all the other existing counterparts in terms of low up-front cost, robustness, dynamic and scalable network topology, easy network maintenance, and so on [1]. However, the special characteristics of the infrastructure and the communication mode of WMNs lead to a large exposure to various abuses and attacks from malicious users, and to the lack of a clear line of defense. While various prevention techniques have been proposed for securing WMNs, none of them is a silver bullet, and none holds up in the presence of insiders, or when attackers manage to bypass them by exploiting system vulnerabilities. As one of the backup measures of prevention mechanisms, intrusion detection and response has a paramount significance in the second defence line of network security. Anomaly detection [14], a kind of intrusion detection technique, is mainly about the discrimination of anomalous events from a set of normal profiles, which are usually created from a sample of normally observed subjects. In addition to intrusion detection, most anomaly detection techniques can be used for network monitoring and fault diagnosis. Nonetheless, anomaly detection in WMNs encounters more challenges due to the unreliable physical medium, fluctuating operational environments, unavoidable signal interference, unpredictable traffic congestion, and so on. Thus, building perfect normal profiles by taking into account all the WMN features is a mission impossible in practice. Rather, we must select the key observable subjects and explore their essential properties to capture network normality sufficiently well for detecting any significant deviations.

With the advent of ubiquitous computing, reputation management has come into broad application, especially in today's popular peer-to-peer (P2P) networks and mobile ad hoc networks (MANETs). In the reputation management framework, trust values are defined in accordance with various criteria for processing complex data, and used to evaluate an entity's performance in terms of the quality of service (QoS) it provides. The trust values, just like credit in human society, serve as a key characteristic measuring an individual entity's performance and coordinating the network behavior as a whole. How to manage trust values in an accurate, secure and robust manner is a challenging issue which attracts a lot of research attention.

In this paper, we propose a novel anomaly detection scheme, termed RADAR, to detect anomalous mesh nodes in WMNs. Firstly, we introduce a general concept of reputation to quantify and characterize mesh node behavior by extracting observable variables and defining trust values. We then use reputation to establish baselines for leveraging and measuring the deviation between normal and anomalous behaviors of each node. Secondly, a sequence-based anomaly detector, STIDE, and a frequency-based anomaly detector are designed and integrated for detecting mesh nodes' behavioral deviations in terms of reputation. The integration of the two anomaly detectors fully explores the spatio-temporal properties of the observable variables associated with the behaviors of mesh nodes. Thirdly, we specifically implement a RADAR prototype with one of the widely adopted reactive routing protocols, DSR, with the objective of detecting malicious nodes that intentionally violate regular routing rules, where the reputation of each mesh node is maintained in a secure and dependable manner.

The remainder of this paper is organized as follows. Section 2 investigates the related work in this field. Section 3 discusses the design challenges and considerations regarding the design of our detection system. In Sect. 4, we address the reputation management issue. The design of RADAR is reported in Sect. 5, and Sect. 6 presents vulnerability analysis and security enhancement of the reputation management. Section 7 reports a set of simulations, along with analysis and discussion of the results. Section 8 concludes the paper.


2 Related work

Reputation management has gained widespread application in distributed environments, especially in P2P systems [12, 22] and MANETs [4, 30]. A variety of reputation-based mechanisms have been developed for MANETs to achieve secure routing and data packet delivery [3, 9, 15]. Some of them can be applied to WMNs with minor modification. A protocol described in Buchegger and Le Boudec [4] is proposed to detect and isolate misbehaving nodes. Among the four components of this protocol, we are particularly interested in the reputation system for node rating, which defines a node's trust value by integrating its own experience, its neighbor's observation, and reported experience with different weights. In Michiardi and Molva [15], a reputation mechanism is used to differentiate between subjective reputation (observations), indirect reputation (reports from others), and functional reputation (task-specific behavior). The final reputation value is simply a linear combination of these values, which determines whether cooperation or gradual isolation of the node will take place. Our design is based on a similar assumption, namely that malicious behavior is the exception rather than the norm, and that it occurs when a node's rating falls out of a tolerable range. However, our reputation management is more sensitive and robust in reflecting network normality by integrating local and global trust values. Also, the proposed scheme adopts an anomaly detection engine to replace their trust manager and path manager, which simplifies the detection and response procedure and saves computational overhead. Instead of limiting attacks to "no forwarding", our scheme is capable of detecting other attack variants and attacks occurring in other layers.

Intrusion detection plays a paramount role in securing wireless networks as the backup of deficient prevention measures [16]. Intrusion detection systems (IDSs) in wired networks can hardly be applied to WMNs due to the fundamentally different communication manner and infrastructure. Zhang et al. [26] gave a general discussion on intrusion detection techniques for mobile wireless networks, and Huang et al. [11] presented a cooperative IDS for MANETs. The two studies are limited to conceptual models specifically applied to MANETs without full realization and evaluation. On the other hand, although our work also lies in the intrusion detection domain, the observations for characterizing node behavior are different from those in previous studies, and a fine-grained analysis of routing protocols and their intrinsic features is not a compelling need, thus saving detection overhead significantly. Also, our scheme aims at characterizing attack effects instead of a specific attack behavior, thereby having the potential to detect a large class of attack variants, including zero-day ones.

Salem et al. [17] pointed out that WMNs face three critical security challenges: detection of corrupt access points, securing the routing mechanism, and ensuring fairness by defining a proper fairness metric. They investigated and recommended several specific techniques to tackle the three issues, respectively. However, these security concerns are essentially interleaved, and a general detection scheme that takes a WMN as a whole and integrates the security designs together is desirable. To the best of our knowledge, our work is the first attempt at this.

3 Design challenges, assumptions, and concerns

It is commonly regarded that the wide-scale development of WMNs encounters two major challenges. Firstly, WMNs suffer from constrained capacity and long delay due to the multi-hop wireless communication paths that are vulnerable to interference. Secondly, as introduced in Sect. 1, WMNs are exposed to various threats and intrusions because of their open/shared medium, flexible infrastructure and dynamic network topology, which always lead to new system vulnerabilities in both communication links and nodes. The first challenge can be (partially) tackled by applying advanced radio techniques, such as MIMO systems [19] and multi-radio/multi-channel systems [18, 23]. However, the second challenge can never be easily overcome by simply adopting the existing security mechanisms [17]. A defence-in-depth of WMNs is composed of two lines. The first line relies on preventive measures integrating and embedding cryptographic primitives into network protocols. The second line is dependent upon intrusion detection and response systems, with the objective of monitoring and detecting service disruption and taking timely countermeasures and recovery. Although many secure protocols have been developed so far, most of them are attack- and layer-specific, dramatically undermining their functional coverage and capability for countermining attacks that occur simultaneously at different protocol layers. Also, a number of intrusion detection frameworks have been proposed [16, 26], whereas their complex architectures and high computational overhead impede their practical design and implementation. These observations show that the design and implementation of an anomaly detection system for WMNs that can couple different network layers and various detection algorithms is a challenging issue. Our work is motivated by the above observations, and the developed system possesses all the desirable capabilities and properties.

To facilitate the development of our system, we make the following assumptions regarding the characteristics of WMNs:

• A WMN is self-policing with a group of autonomous mesh nodes. That is, a WMN lacks a central authority and is capable of self-management and self-healing.
• Mesh nodes are heterogeneous in terms of reputation. That is, we assume each mesh node has a unique identity, and our system treats the nodes differently in terms of reputation regardless of their functional roles.
• The mobility of mesh nodes is limited. That is, although the network mobility depends on the type of mesh nodes (e.g., mesh routers have minimal mobility and mesh clients can be either stationary or mobile), our system does not take node mobility into account as a salient feature for modeling. Instead, it views the nodes as acquainted or new in terms of reputation.
• Anomalous network behavior is mostly caused by mesh nodes. That is, although some abnormality may occur at communication links due to signal noise, channel interference, traffic congestion and other link errors, our current system focuses the observation on mesh nodes, and integrates link abnormality into that of the downlink nodes.

These assumptions serve as a basis for the design of our system, and all of them can be validated in practice. More specifically, as shown in Fig. 1, our design includes a number of key components, each of which has particular concerns:

• The behavior characterization (in terms of reputation) relies on the quantification of observations in accordance with predefined performance metrics, where observations should be updated periodically and the defined metrics should be robust and sensitive for reflecting network status.
• The overhead in terms of calculation, storage, and message exchange with respect to reputation management should be negligible compared to the regular computational cost of the node itself.
• The calculation and propagation of a node's reputation should be resilient to intentional manipulation. That means reputation should be managed in a secure and dependable way.
• The detection engine should be able to fully explore the spatio-temporal properties of node behavior and accurately detect any deviation from normal profiles, which is usually measured by the trade-off between detection accuracy and false positive rate. In addition, the detection algorithm must be robust to the regular updates while remaining sensitive to irregular reputation fluctuation. Furthermore, the detection engine should be light-weight in terms of resource consumption and response latency.
• The response following detection should be completely automated and in real-time for mitigating the negative consequences resulting from intrusions.

Fig. 1 Design components of RADAR and processing flow chart. Node reputation is calculated by quantifying the observations of interest in accordance with QoS performance metrics. The detection engine monitors the node behavior characterized by the reputation, and sends out warning messages once an anomalous node is detected. A reaction module is attached to the detection engine, taking appropriate action to handle anomalous observations.

4 Reputation management in WMNs

Reputation management has gained wide-spread application in online auction systems such as eBay (http://www.ebay.com), as well as in other scenarios such as P2P networks [13] and MANETs [3]. In this section, we introduce reputation, which serves as the key observation for our anomaly detection system, to characterize the behaviors of mesh nodes in WMNs by quantifying the QoS they provide.

Table 1 Notations for reputation quantification

Notation      Definition
W_i           The witness set of node i
O_i           The neighborhood set of node i; O_i ⊆ W_i
h_ij          Number of hops between node i and its witness j
R_ij          The reputation of node j from the perspective of i
r_ij          The ratings that node i puts on j
T_l(i, j)     Local trust value that node i assigns to j ∈ O_i
T_g(i, j)     Global trust value that node i assigns to j ∈ W_i
T̃_l(i, j)    Normalized T_l(i, j)

4.1 Definitions and quantification

Following the definition in social networks, reputation is the opinion a mesh node has of another. Reputation management is essentially a feedback process that involves the monitoring and tracking of a mesh node's performance and the evaluation reports from its witnesses. While the performance of WMNs is also affected by the quality of communication links in terms of traffic congestion, signal interference, channel allocation, etc., our definition integrates them into node behavior rather than treating them independently. A challenging issue here is how to quantify each node's reputation in WMNs. To do that, some observable subjects associated with mesh node behavior must be monitored, stored, and represented in meaningful forms, and the performance criteria or evaluation metrics must also be defined beforehand. In WMNs, observable subjects can be extracted from various functional layers, primarily MAC protocols and routing protocols. In particular, we assume mesh nodes rate each other after each communication session; a mesh node i's behavior is therefore monitored and evaluated by all its interacting nodes within a certain duration. Following the notations in Table 1 and referring to Fig. 2, we define a local trust value as follows:

$$T_l(i, j) = \sum_{\Delta t} r_{ij} \qquad (1)$$

where r_ij can be specified with different observations and metrics evaluating the QoS of node j for i, e.g., a successful/failed routing request or packet delivery. To avoid malicious nodes which may arbitrarily assign T_l(i, j), we normalize it as follows:

$$\tilde{T}_l(i, j) = \frac{T_l(i, j)}{\sum_{j \in O_i} T_l(i, j)}, \quad (T_l(i, j) \neq 0) \qquad (2)$$

We thus have $\tilde{T}_l(i, j) \in (0, 1]$. In addition, we apply two schemes to prevent collusive nodes which may deceive trust values by providing bogus service:

1. M1: we use W_i to replace O_i by introducing the parameter h_ij, so that node i can broaden the monitoring scope of its observations. For example, in Fig. 2, O_j = {i, a, b, k} can be replaced by W_j = {i, a, b, k, c} (assume c is also taken as a witness of node j via node b, h_jc = 2).
2. M2: a pre-trusted node e must have the priority of gaining the largest trust value of node i if e ∈ W_i.

Due to the hop-by-hop communication, node i can only reach a non-neighboring node j through a number of trustworthy intermediate node(s). Following, but slightly abusing, the notion of transitive trust (footnote 1) in Kamvar et al. [22], we define a global trust value for scheme M1 as follows:

$$T_g(i, j) = \sum_{k \in W_i} T_l(i, k)\, T_l(k, j) \qquad (3)$$

More generally, $\vec{T}_g^{\,i} = (T')^{h_i}\, \vec{T}_l^{\,i}$, where $\vec{T}_g^{\,i}$ is a vector representing the set of trust values that i assigns to the nodes in W_i, T is a matrix with $T_{ik} = \tilde{T}_l(i, k)$, and $\sum_k \tilde{T}_l(i, k) = 1$. To implement scheme M2, we use the following equation to update $\vec{T}_g^{\,i}$:

$$\vec{T}^{\,i}_{g,t} = \alpha \cdot \vec{T}^{\,i}_{g,t-1} + (1 - \alpha) \cdot \vec{e} \qquad (4)$$

where $\vec{e}$ is a vector containing the pre-trusted nodes with the same cardinality as W_i, the location of a pre-trusted node e in $\vec{e}$ exactly maps to that in $\vec{T}_g^{\,i}$, and $\alpha \in [0, 1]$ is used to balance the dominance of the pre-trusted nodes. We then aggregate the trust values and define a node's overall reputation as follows:

$$R_i = \sum_j \beta^{\,1 - h_{ij}} \cdot \vec{T}_g(j, i) \qquad (5)$$

where $\vec{T}_g(j, i)$ corresponds to element i in $\vec{T}_g^{\,j}$, and β is an integer acting as an impact factor. Therefore, the reputation of node j from the perspective of i is defined as $R_{ij} = T_l(i, j) / R_j$ (in this paper we limit the calculation of R_ij to adjacent nodes), which is refreshed periodically to gather the most recent observations.

Footnote 1: The notion of transitive trust in WMNs holds true since a node i will have a high opinion of a neighbor which has forwarded most of its packets.

Fig. 2 A simple WMN example, where a circle denotes a mesh node, a line denotes a symmetric communication link, and a bold line denotes a routing path. Node i sends a packet to node k via node j. The packet can be intentionally dropped by node j or accidentally lost due to the failure of the communication link between j and k. Both cases lead to a decrease of the trust values that j's witnesses a, i, b put on it.

4.2 A sample scenario with the DSR protocol

As aforementioned, an ideal reputation should be based on cross-layer observations. However, in this paper, we only extract the packets traveling on the network layer as observable subjects and specifically examine the dynamic source routing protocol (DSR), which is a reactive routing protocol [10] working as follows: a node (the originator) sends out a ROUTE REQUEST (RREQ) message; all the receivers forward it to their neighbors and meanwhile append themselves to the source route. If a receiver is the destination or has a route to the destination, it sends back a REPLY message containing the full source route and stops forwarding the request message. The originator then selects an optimal route (e.g., the shortest one) among the routes it has received, stores it, and sends messages along the path. The node which becomes aware of a link failure sends back an error message (RERR) to the source.

In order to quantify the local trust value, we simply define r_ij = 0 if a packet is discarded and r_ij = 1 if a packet is forwarded. Suppose node i asks its neighbor j to forward PK_a(i, j) packets during Δt, among which PK_s(i, j) packets are successfully forwarded; the local trust value for i to j is therefore defined as T_l(i, j) = PK_s(i, j)/PK_a(i, j). To make T_l(i, j) computable, we assume the mesh nodes to be operating in promiscuous mode, so that a node can overhear the packet transmissions of its neighbors and process them at the network layer regardless of the MAC layer destination. As such, a message sender can determine whether its neighbor has forwarded the message or not. We also assume the sender receives an acknowledgment (ACK) from the destination if a packet has been successfully received. This can be done either at the MAC layer or at the network layer. In addition, we may assume the ACKs are sent back via the reverse routes of the received data packets. The global trust value T_g(i, j), which is based on indirect observations from the neighbors, can be validated by the sender's direct observation of the intermediate nodes.
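As an added worked example (not the authors' code), the trust and reputation computation of Eqs. (1) to (5) carried through on a constructed four-node mesh, using the packet-forwarding ratio of Sect. 4.2 as the rating. The BFS-derived hop count h_ij and the exclusion of the self term j = i from R_i are assumptions of this example, not statements of the paper.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# counts[i][j] = (PK_s(i,j), PK_a(i,j)): packets node i overheard neighbour j
# forward out of those it asked j to forward during one interval Delta t.
Counts = Dict[int, Dict[int, Tuple[int, int]]]


def local_trust(counts: Counts, n: int) -> List[List[float]]:
    """T_l(i,j) = PK_s(i,j)/PK_a(i,j), i.e. Eq. (1) with r_ij in {0,1}; 0 if i never asked j."""
    T = [[0.0] * n for _ in range(n)]
    for i, row in counts.items():
        for j, (pk_s, pk_a) in row.items():
            T[i][j] = pk_s / pk_a if pk_a else 0.0
    return T


def normalize(T: List[List[float]]) -> List[List[float]]:
    """Eq. (2): scale each row so that sum_j T~_l(i,j) = 1 (an all-zero row stays zero)."""
    out = []
    for row in T:
        s = sum(row)
        out.append([v / s for v in row] if s else list(row))
    return out


def global_trust(Tn: List[List[float]], i: int, hops: int = 1) -> List[float]:
    """Transitive trust T_g^i = (T')^h T_l^i; one hop is Eq. (3):
    T_g(i,j) = sum_k T~_l(i,k) * T~_l(k,j)."""
    n = len(Tn)
    t = list(Tn[i])
    for _ in range(hops):
        t = [sum(t[k] * Tn[k][j] for k in range(n)) for j in range(n)]
    return t


def apply_pretrusted(tg: List[float], e: List[float], alpha: float) -> List[float]:
    """Eq. (4), scheme M2: alpha * T_g,t-1 + (1 - alpha) * e, e marking pre-trusted nodes."""
    return [alpha * a + (1.0 - alpha) * b for a, b in zip(tg, e)]


def hop_counts(Tn: List[List[float]]) -> List[List[Optional[int]]]:
    """h_ij by BFS; assumption: i and j are linked when either one has rated the other."""
    n = len(Tn)
    adj = {i: [j for j in range(n) if Tn[i][j] or Tn[j][i]] for i in range(n)}
    h: List[List[Optional[int]]] = [[None] * n for _ in range(n)]
    for s in range(n):
        h[s][s] = 0
        q = deque([s])
        while q:
            u = q.popleft()
            for v in adj[u]:
                if h[s][v] is None:
                    h[s][v] = h[s][u] + 1
                    q.append(v)
    return h


def reputation(Tn: List[List[float]], beta: float, hops: int = 1) -> List[float]:
    """Eq. (5): R_i = sum_j beta^(1 - h_ij) * T_g(j,i). The self term j = i is
    excluded and unreachable witnesses are skipped (assumptions of this example)."""
    n = len(Tn)
    h = hop_counts(Tn)
    Tg = [global_trust(Tn, j, hops) for j in range(n)]
    return [
        sum(beta ** (1 - h[j][i]) * Tg[j][i]
            for j in range(n) if j != i and h[j][i] is not None)
        for i in range(n)
    ]


def reputation_from_perspective(Tn: List[List[float]], R: List[float], i: int, j: int) -> float:
    """R_ij = T_l(i,j) / R_j for adjacent nodes, as defined in Sect. 4.1."""
    return Tn[i][j] / R[j] if R[j] else 0.0


# Constructed sample, not measured data: four nodes on a ring 0-1-3-2-0; node 3
# silently drops every packet node 2 asks it to forward (the Fig. 2 situation).
SAMPLE: Counts = {
    0: {1: (9, 10), 2: (6, 10)},
    1: {0: (8, 10), 3: (8, 10)},
    2: {0: (5, 10), 3: (0, 10)},
    3: {1: (7, 10), 2: (7, 10)},
}


def radar_reputation(counts: Counts = SAMPLE, beta: float = 2.0) -> List[float]:
    """Whole pipeline: ratings -> T_l -> T~_l -> T_g -> R_i for every node."""
    Tn = normalize(local_trust(counts, max(counts) + 1))
    return reputation(Tn, beta)


if __name__ == "__main__":
    for node, r in enumerate(radar_reputation()):
        print(f"R_{node} = {r:.3f}")
```

With beta = 2 and one transitive hop, the dropping node 3 ends up with the lowest reputation (0.15) while node 0, which forwards for everyone, gets the highest (0.375).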

5 RADAR: a reputation-driven anomaly detection system

This section focuses on the specific design of our anomaly detection system, which is called RADAR (footnote 2). The development of an anomaly detection system basically contains two stages [27]. The first and fundamental step is to examine observations and use them to build normal system profiles or baselines, and the second step is to design and apply algorithms for detecting behaviors that deviate from normal ones. While our system also involves those two steps, a long-standing training phase is not a compelling need. More importantly, it provides a friendly interface allowing additional operations for enhancing system dependability and security.

Footnote 2: RADAR is an acronym denoting ReputAtion-based system for Detecting Anomalous nodes in wiReless mesh networks.

5.1 Design rationale: a systematic overview

The design rationale of RADAR is illustrated in Fig. 3: the network observations of interest are monitored and collected, preferably the ones occurring at different network layers, and the observations are then fed to the reputation management system for deriving node reputation by calculating trust values (both local and global ones) according to the definitions in Sect. 4.1; the reputation thus serves as a key metric for characterizing node behavior as input to the anomaly detectors, and a set of automated response rules/policies are then used to handle anomalies reported by the detection engine. In particular, the implementation of RADAR relies on two functional modules: the first module is the monitor agent running on each mesh node (either a mesh client or a mesh router), gathering observations of interest from different protocol stacks for calculating and storing trust values. The agents exchange their opinions periodically or as required. The second module is the manager (preferably deployed on mesh routers) running the detection engine based on the observations from the agents.

Fig. 3 Design rationale of RADAR and its operation flows. The observations are monitored and collected from the network, and then fed to the reputation management module, which calculates a reputation value for each node and generates normal profiles for the two anomaly detectors. The detection engine then outputs a set of anomalous nodes to the response module after integrating the results of the dual anomaly detectors. Finally, the response module heals anomalies according to the detection alerts. The distribution of detection agents is not included in the current variant of RADAR.

Moreover, Fig. 3 implies that the operation of RADAR basically undergoes two phases: training and testing. The training phase requires data collection and data cleaning (a simulator like the one proposed in Qiu et al. [25] is helpful), where data collection is to gain useful observations for building normal profiles, and data cleaning is posterior to the collection process to minimize the effects of noisy data on the accuracy of normal profiles. The testing phase then deals with real-time input. However, one significant fact is that a WMN is such a complex system whose behavior is affected not only by external factors like topology updates and node mobility but also by internal factors such as link quality, signal interference, bandwidth, and so on. Although RADAR is specifically designed for detecting anomalies caused by intentional intrusions, the general design also allows it to diagnose anomalies resulting from accidental system faults.

Architecturally, RADAR can be deployed either in centralized or distributed mode, which depends on the ratio between operational cost (storage, computation, response) and the overall communication cost, as well as the scale of the WMN. In centralized mode, there are several reputation managers running the detection engine, while distributed mode allows the detection engines to be collectively executed by the majority of the network nodes. Thus, an automated deployment strategy is desirable for achieving the best trade-off between operational cost and detection performance in terms of detection accuracy, false positive rate, detection latency, resiliency to attacks [2, 28], and so on. The focus of this paper is on the design of the anomaly detection system, while the deployment issue is left as our future work.

5.2 Dual-core detection engine An observation-centric analysis in Zhang et al. [27] suggests that an ideal anomaly detection system should fully explore spatio-temporal properties of observable subjects by constructing both sequence-based and frequency-based detection models. Based on the analytical framework, we employ and integrate two light-weight anomaly detectors as the detection engine of RADAR. The first one, STIDE (Sequence TIme-Delay Embedding) [7], is a sequencebased anomaly detector aiming at exploring spatial property of node behavior associated with reputation. The second one is a frequency-based anomaly detector utilizing temporal property of the trust values assigned by each node. An integration and response module is then built upon detection engine for unifying the output of two anomaly detectors and taking appropriate actions to mitigate or countermine anomalies. 5.2.1 STIDE: a node-centric anomaly detector The original STIDE was designed for detecting anomalous system calls of UNIX OS by taking advantage of the ordering properties of system calls executed by privileged programs/processes [7]. Its principle is described as follows: STIDE acquires normal observations (sequential variables) by sliding a window of size ‘w’ over the training data, and stores these sequences in a normal profile. The detector then scans the testing sequences using the w-sized window, and notes the number of mismatches between sequences of the normal profile and that of the testing data. The number of mismatches occurring within a temporally

Wireless Netw (2010) 16:2221–2236

2227

local region (Locality Frame Count, or LFC for short) is used to represent the anomaly signal and determine the extent to which the testing sequences are anomalous.

N is a referral chain from Nr to No. This algorithm generally has two salient features,

Algorithm 1 TNC—Trust network construction





It does not need any extra computational cost and can be simply attached with a routing algorithm, The algorithm speed, convergence and accuracy can be simply controlled by parameters H and h.

For the two referral chains (or string) generated by Algorithm 1, Sx and Sy, where Sx = (x1, x2, …, xl), Sx = (y1, y2, …, yl), their similarity is defined as follows,  0 if xi ¼ yi ; for all i; 0  i  ðl  1Þ SimðSx ; Sy Þ ¼ 1 otherwise

In our scenario, one critical issue for STIDE’s operation is to acquire sensitive and robust observations with respect to node behavior for creating normal profiles. Since STIDE is essentially a string-based detector, we explore the sequential property possessed by a group of mesh nodes by taking advantage of their reputation dependency. In particular, we develop an algorithm (illustrated as Algorithm 1) to construct trust networks in terms of node reputation between a requesting node Nr and a target node No. In most cases, the algorithm outputs a referral chain consisting of a sequence of nodes (it does not necessarily contain No if the parameter H is not large enough to crawl to No from Nr.). However, a directed graph is possibly generated if multiple referral chains are available. In this case, another index LTS (Local Trust Sum) is introduced to aggregate the local trust values and serves a metric for selecting the referral P chain which has the maximum value, i.e., max i,j [ N Tl(i, j). Thus, the normal profiles are built supported by the following assumption. Assumption 1 For a referral chain between requesting node Nr and requested node No, the ordering of nodes it composes keeps stable over time. In particular, in Algorithm 1, T~g ðNr ; No Þ is a convex combination of the reputation (Ni to Nr) and the global trust values (Ni to No), which guides the secure construction of trust network in the presence of malicious collectives. H is searching depth, namely the number of hops away from the requester. h is a threshold for selecting a number of trustworthy neighbors toward No. If such nodes are not available, then the most reputable one is selected. So essentially

More specifically, we define N as a |N| 9 |N| (N is a set of mesh nodes) matrix where the element is NNr , No (the trust network with parameter Nr and No), that is, a sequence of nodes. Assuming NNr , No = (n1, n2, …, nx), and the size of a sliding window is set as DW = w, a set of sequences is then generated as {N1, N2, …, Nx-w?1}, where Ni = (ni, ni?1, …, ni?w-1). We assume another set of sequences {M1, M2, …, My}, where Ms = (ms, ms?1, …, ms?w-1), the similarity assigned to Ms is calculated as follows,  ^ s Þ ¼ 1 if SimðMs ; Ni Þ ¼ 1; for all i SimðM 0 otherwise: Locality frame count (LFC) with size L is defined as the follows. (P s ^ l Þ for s  L SimðM LFCðMs Þ ¼ Pl¼ððsLÞþ1Þ s ^ for s\L l¼1 SimðMl Þ As such, the similarity of two sequences of nodes are measured. Any anomaly signal in NNr , No thus can be detected with a given threshold. We can also calculate the global deviation DðNÞ by examining and aggregating all the local deviations d(NNr , No), as follows,  1 if DðNÞ  h ADðNÞ ¼ 0 otherwise where h is a threshold determining anomaly signal, tuning the trade-off between detection accuracy and false positive rate. Formally, the operating flow of STIDE-based anomaly detector can be given as Algorithm 2. Algorithm 2 STIDE-based anomaly detector

123

2228

Wireless Netw (2010) 16:2221–2236


Fig. 4 Relationship between the size of the normal profile PSize and the variables L and w, showing that the normal profile grows as the referral chain becomes longer and the detection window becomes smaller

Furthermore, the performance of STIDE, in terms of both detection result and computational overhead, largely relies on the size of the normal profile $PSize$, which is dominated by three parameters: the searching depth $H$ in Algorithm 1, the locality frame count $L$, and the detection window $w$ (a detailed analysis of the selection of $w$ is given in Tan and Maxion [20]). Intuitively, if we assume $L \le H$, the size of the normal profile can be simply calculated as $PSize = L - w + 1$, as illustrated in Fig. 4.
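The following Python block is an added example, not code from the RADAR prototype, of the sequence-centric detector just described: referral chains are cut into length-$w$ windows to form a normal profile, a new chain is scanned with the same window, and the locality frame count of mismatches is compared against a threshold. It takes $w = 3$ and $L = 4$ from Table 2; the chains, the threshold value, the use of the mean as the aggregator for $D(\mathcal{N})$, and the convention that a mismatch is a window absent from the profile (standard STIDE usage) are assumptions of the example.

```python
"""STIDE-style detector over referral chains (added example).

Training referral chains are cut into length-w windows that form the normal
profile; a new chain is scanned with the same window, and the locality frame
count (LFC) is the number of mismatching windows among the last L positions.
The chains are constructed here for illustration, not taken from the paper.
"""
from collections import deque

# w and L follow Table 2 of the paper; the threshold is an assumption of this
# example, expressed as a fraction of the frame size L.
W = 3
L = 4
THETA = 0.5


def windows(chain, w):
    """All contiguous length-w sub-sequences of a referral chain, in order."""
    return [tuple(chain[i:i + w]) for i in range(len(chain) - w + 1)]


def build_profile(training_chains, w):
    """Normal profile: every window observed in any training chain."""
    profile = set()
    for chain in training_chains:
        profile.update(windows(chain, w))
    return profile


def locality_frame_counts(chain, profile, w, L):
    """LFC at each window position s: mismatches among windows s-L+1..s
    (or 1..s while s < L). Assumption: a mismatch is a window absent from
    the profile, the standard STIDE convention."""
    frame = deque(maxlen=L)
    counts = []
    for win in windows(chain, w):
        frame.append(0 if win in profile else 1)
        counts.append(sum(frame))
    return counts


def local_deviation(chain, profile, w, L):
    """d(N_{Nr,No}): the largest LFC seen on the chain, normalised by L."""
    counts = locality_frame_counts(chain, profile, w, L)
    return max(counts) / L if counts else 0.0


def detect(chain, profile, w=W, L=L, theta=THETA):
    """Anomaly signal for one trust network: (flag, deviation)."""
    dev = local_deviation(chain, profile, w, L)
    return dev >= theta, dev


def global_anomaly(chains, profile, w=W, L=L, theta=THETA):
    """AD(N): aggregate the local deviations of all trust networks (assumption:
    arithmetic mean) and compare with theta; returns (AD, D)."""
    devs = [local_deviation(c, profile, w, L) for c in chains]
    D = sum(devs) / len(devs) if devs else 0.0
    return int(D >= theta), D


# Constructed training chains: referral chains that keep a stable ordering of
# nodes between requester and target (Assumption 1).
TRAINING_CHAINS = [
    ("n1", "n2", "n3", "n4", "n5"),
    ("n1", "n2", "n3", "n4", "n6"),
    ("n2", "n3", "n4", "n5", "n7"),
]
PROFILE = build_profile(TRAINING_CHAINS, W)

# Constructed test chains: one seen in training, one with a foreign node in
# the middle (three windows broken), one with only the last node changed.
NORMAL_CHAIN = ("n1", "n2", "n3", "n4", "n5")
REPLACED_CHAIN = ("n1", "n2", "n9", "n4", "n5")
TAIL_CHANGED_CHAIN = ("n1", "n2", "n3", "n4", "n9")

if __name__ == "__main__":
    for chain in (NORMAL_CHAIN, REPLACED_CHAIN, TAIL_CHANGED_CHAIN):
        print(chain, locality_frame_counts(chain, PROFILE, W, L), detect(chain, PROFILE))
    print("global:", global_anomaly([NORMAL_CHAIN, REPLACED_CHAIN, TAIL_CHANGED_CHAIN], PROFILE))
```

A single substituted node in the middle of a chain breaks every window that covers it, so the LFC climbs to $w$ within the frame and the chain is flagged, whereas a change at the tail breaks only one window and stays below the threshold; this is the tolerance to small ordering drift that the frame size $L$ buys.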

5.2.2 Value-centric, clustering-based anomaly detector

To complement the operation of STIDE, which primarily explores the ordering property and spatial dependence of the observations, we develop another detection algorithm that takes advantage of the temporal and frequency properties implicitly posed by the observations. In particular, since each node $i$ maintains a global trust vector $\vec{T}_g^{\,i}$, we may use it as a reference to observe the network status from node $i$'s perspective. More formally, we use $O_k$ to represent the entire observation of all the network nodes in terms of trust values at a certain detection spot $k$, and its element is defined as follows,

$$o_k(i,j) = \gamma \cdot T_g^k(i,j) + (1-\gamma) \cdot o_{k-1}(i,j) \qquad (6)$$

where $T_g^k(i,j)$ is the trust value of node $i$ for node $j$ at time $k$ and $\gamma$ is a smoothing constant; its impact on the decay of historic observations is shown in Fig. 5(b). This equation implies that the observations are updated in an EWMA (Exponentially Weighted Moving Average) manner, which gives more importance to recent observations while retaining historical ones, thereby capturing the temporal attribute of the observations. This scheme is particularly useful for updating trust values, which usually drift only slightly. We then use the vector set $V_k$ to denote the update of the observations $O_k$ from $O_{k-1}$, where the binary element $v_k(i,j)$ is defined as follows,


Fig. 5 Creation, modeling and update of observations for the clustering-based anomaly detector

$$v_k(i,j) = \begin{cases} 1 & \text{if } |o_k(i,j) - o_{k-1}(i,j)| > \varepsilon \\ 0 & \text{otherwise} \end{cases} \qquad (7)$$

$V_k^i = \langle v_k(i,1), v_k(i,2), \ldots, v_k(i,n) \rangle$ can thus be viewed as a point in an $n$-dimensional feature space $\mathcal{F}$. With the above preliminaries, we have the following assumption to support the design of the anomaly detection algorithm.

Assumption 2 A node with anomalous behavior causes changes in the trust values that the remaining nodes place on it; the corresponding points in the feature space $\mathcal{F}$ therefore shift and eventually fall outside of the regular patterns (clusters).

Intuitively, a clustering algorithm can be applied here to pinpoint the anomalous points in the feature space $\mathcal{F}$. We therefore introduce a local monitor window (LMW) so that the algorithm compares the points generated in the current detection window against those of the previous detection windows, that is, $V_k$ against $(V_{k-l+1}, V_{k-l+2}, \ldots, V_{k-1})$ with $|LMW| = l$, as illustrated in Fig. 5(a). For example, if $LMW = 6$, the vectors of six consecutive detection windows are used for correlation, and the points of the current window are compared with the clusters formed in the previous five. The points that form new clusters are output for examination.

While a variety of well-developed clustering algorithms are available, we prefer a simple, light-weight and fast iterative algorithm, which is a common method for K-means initialization [8], or Lloyd's algorithm [6]. This algorithm assumes that each cluster has a centroid (hub), and each vector belongs to the cluster whose hub is closest to it. The algorithm starts with one cluster whose hub is randomly chosen; it then iteratively selects the vector that is furthest from its own hub as a new hub, and re-clusters all the vectors based on their distances to all the selected hubs. This process continues until no vector is further from its hub than half of the average hub-to-hub distance. In our scenario, the pre-trusted mesh nodes, particularly the ones running anomaly detectors, can be selected as a priori hubs. The distance between $V_i$ and $V_j$ is calculated using the cosine distance metric of Eq. 8.

$$d(V_i, V_j) = \cos^{-1} \frac{V_i \cdot V_j}{|V_i|\,|V_j|} \qquad (8)$$

More formally, the operation of the clustering-based anomaly detector is described as Algorithm 3.

Algorithm 3 Clustering-based anomaly detector

It is clear that the performance of this algorithm is dominated by a set of parameters, that is, the smoothing constant (or decay factor) $\gamma$ in Eq. 6, the threshold $\varepsilon$ in Eq. 7, and the size of the detection window $LMW$. For simplicity, we set $\varepsilon = \sum_{j=1}^{n} \Delta \vec{T}_g(i,j)/n$.

5.2.3 Integration of the two anomaly detectors

Since the two anomaly detectors work independently in different operational environments, it is necessary to integrate their outputs to achieve more accurate and reliable results. As shown in Fig. 6, RADAR basically has four operation modes: the two anomaly detectors work either simultaneously or in an asynchronous manner, and the detection results are either intersected (OR operator) or united (AND operator). The RADAR prototype in this paper adopts synchronous operation because it has less detection latency than asynchronous operation. In addition, the operation AND on the detection results may achieve broader detection coverage and a higher false positive rate than the operation OR. Formally, we make the following assumption about the integration of the two anomaly detectors.

Fig. 6 Operation mode of RADAR's detection engine by integrating STIDE-based and clustering-based anomaly detectors

Assumption 3 Let $R_a^i$ and $R_f^i$ ($i = 1, 2$) denote the detection accuracy and false positive rate of the two detectors respectively. The integration of the detection results yields a bounded detection accuracy, i.e., $|R_a^1 - R_a^2| \le R_a \le R_a^1 + R_a^2$, and the false positive rate $R_f$ always lies in the range $R_f \in [\,|R_f^1 - R_f^2|,\ R_f^1 + R_f^2\,]$.

The integration operation is described as Algorithm 4.

Algorithm 4 Detection engine integrating dual anomaly detectors

Clearly the integration does not rule out the possibility that one of the anomaly detectors fails to work at a certain time, or the occurrence of any asynchronous operation.
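As an added example, not code from the RADAR prototype, the Python block below implements the value-centric detector of Sect. 5.2.2 end to end: the EWMA update of Eq. 6, the binary change vectors of Eq. 7 with $\varepsilon$ set per node as the paper does, the cosine distance of Eq. 8, and the farthest-first hub selection seeded with the pre-trusted nodes, run over a local monitor window. Two readings are assumptions of the example: node $j$'s feature point is taken as column $j$ of $V_k$ (the changes in the trust that the other nodes place on $j$, as Assumption 2 describes), and an all-zero change vector is treated as coincident with other all-zero vectors and orthogonal to any non-zero one, since Eq. 8 is undefined for it. The trust trace is constructed, not simulation data.

```python
"""Clustering-based anomaly detector over trust-value drift (added example).

Implements the EWMA observation update (Eq. 6), the binary change vectors
(Eq. 7), the cosine distance (Eq. 8) and a farthest-first hub selection
seeded with the pre-trusted nodes, applied over a local monitor window.
The trust trace below is constructed for illustration, not taken from the
paper's simulation.
"""
import math

MIN_EPS = 1e-9  # floor under epsilon so float noise never counts as a change (assumption)


def ewma_update(o_prev, t_cur, gamma):
    """Eq. 6: o_k(i,j) = gamma * T_g^k(i,j) + (1 - gamma) * o_{k-1}(i,j)."""
    return [[gamma * t + (1.0 - gamma) * o for o, t in zip(orow, trow)]
            for orow, trow in zip(o_prev, t_cur)]


def row_thresholds(t_prev, t_cur):
    """epsilon for node i = sum_j |Delta T_g(i,j)| / n, as set in the paper."""
    return [sum(abs(c - p) for p, c in zip(prow, crow)) / len(crow)
            for prow, crow in zip(t_prev, t_cur)]


def change_vectors(o_prev, o_cur, eps_rows):
    """Eq. 7: v_k(i,j) = 1 if |o_k(i,j) - o_{k-1}(i,j)| > epsilon else 0."""
    return [[1 if abs(c - p) > max(eps, MIN_EPS) else 0 for p, c in zip(prow, crow)]
            for prow, crow, eps in zip(o_prev, o_cur, eps_rows)]


def node_points(v):
    """Feature point of node j: column j of V_k, i.e. the changes in the trust
    that every node places on j (the reading of Assumption 2 used here)."""
    n = len(v)
    return [tuple(v[i][j] for i in range(n)) for j in range(n)]


def cosine_distance(u, w):
    """Eq. 8: arccos(u.w / |u||w|). Convention (assumption): two all-zero
    vectors are at distance 0, a zero and a non-zero vector at pi/2."""
    nu = math.sqrt(sum(x * x for x in u))
    nw = math.sqrt(sum(x * x for x in w))
    if nu == 0.0 and nw == 0.0:
        return 0.0
    if nu == 0.0 or nw == 0.0:
        return math.pi / 2
    cos = max(-1.0, min(1.0, sum(a * b for a, b in zip(u, w)) / (nu * nw)))
    return 0.0 if cos > 1.0 - 1e-12 else math.acos(cos)


def farthest_first_hubs(points, seed_hubs):
    """Start from the seed hubs (or point 0 if none), repeatedly promote the
    point farthest from its nearest hub, and stop once no point is farther
    from its hub than half the average hub-to-hub distance. Returns hub indices."""
    hubs = list(seed_hubs) or [0]
    while True:
        far_idx = max(range(len(points)),
                      key=lambda i: min(cosine_distance(points[i], points[h]) for h in hubs))
        far_d = min(cosine_distance(points[far_idx], points[h]) for h in hubs)
        if far_d <= 1e-9:
            return hubs
        if len(hubs) >= 2:
            pairs = [(a, b) for x, a in enumerate(hubs) for b in hubs[x + 1:]]
            avg = sum(cosine_distance(points[a], points[b]) for a, b in pairs) / len(pairs)
            if far_d <= avg / 2:
                return hubs
        hubs.append(far_idx)


def detect_window(history, current, pretrusted):
    """Cluster the points of the previous windows together with the current
    ones; current points that fall in a cluster whose hub was newly created
    from a current point form a 'new cluster' and are reported."""
    points = history + current
    seeds = [len(history) + j for j in pretrusted]
    hubs = farthest_first_hubs(points, seeds)
    new_current_hubs = {h for h in hubs if h not in seeds and h >= len(history)}
    flagged = []
    for j, p in enumerate(current):
        nearest = min(hubs, key=lambda h: cosine_distance(p, points[h]))
        if nearest in new_current_hubs:
            flagged.append(j)
    return flagged


def run_trace(trust_trace, gamma, pretrusted, lmw):
    """Feed successive T_g^k matrices; returns {k: nodes flagged at window k}.
    No verdict is produced until at least one earlier window is in the LMW."""
    o_prev, t_prev = trust_trace[0], trust_trace[0]
    past_windows, alerts = [], {}
    for k in range(1, len(trust_trace)):
        t_cur = trust_trace[k]
        o_cur = ewma_update(o_prev, t_cur, gamma)
        cur = node_points(change_vectors(o_prev, o_cur, row_thresholds(t_prev, t_cur)))
        history = [p for win in past_windows[-(lmw - 1):] for p in win] if lmw > 1 else []
        alerts[k] = detect_window(history, cur, pretrusted) if history else []
        past_windows.append(cur)
        o_prev, t_prev = o_cur, t_cur
    return alerts


def trust_matrix(n, value, overrides=None):
    """Constructed T_g^k: full trust on the diagonal, `value` elsewhere."""
    m = [[1.0 if i == j else value for j in range(n)] for i in range(n)]
    for (i, j), v in (overrides or {}).items():
        m[i][j] = v
    return m


# Constructed trace: four quiet windows, then nodes 0-2 cut their trust in
# node 3 (e.g. after it started dropping their packets). Node 0 is pre-trusted.
TRACE = [trust_matrix(4, 0.8) for _ in range(4)] + [
    trust_matrix(4, 0.8, {(0, 3): 0.2, (1, 3): 0.2, (2, 3): 0.2})]

if __name__ == "__main__":
    print(run_trace(TRACE, gamma=0.3, pretrusted=[0], lmw=10))
```

With $\gamma = 0.3$ (Table 2) a trust drop from 0.8 to 0.2 moves the smoothed observation by only 0.18 in the first window, but that already exceeds the per-node $\varepsilon$ of 0.15, so node 3's point jumps to $(1,1,1,0)$ while every historical point is the zero vector; the farthest-first pass promotes it to a new hub and the window reports node 3. The same quiet history produces no hub and no alert in the earlier windows.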

5.3 Intrusion response

Some appropriate reactive actions must be taken to eliminate or mitigate the intrusion impacts once anomalous events have been detected. While our detection scheme can identify one or a number of suspected nodes and allow the administrator to conduct further investigation and examination, an automated response is desirable to make the network self-healing. That is, nodes themselves should be aware of anomalous peers and take corresponding actions (e.g., changing the routing path, reducing trust values) to avoid performance deterioration.

One of the goals of RADAR is to assist existing layer protocols to behave in self-adaptive, dependable and secure manners. In this paper, we mainly examine the behavior of routing protocols. As each node maintains a local view of its neighboring nodes and a global view of an area with radius $H$, it can always choose the most reputable nodes as the next hop for forwarding packets. For example, for a particular mesh node $i$, the local trust values $T_l(i,j)$ can be used as additional information to assist AODV in selecting its neighboring nodes, and the global trust vector $\vec{T}_g^{\,i}$ can be used to help OLSR determine its MPR node set. As the trust values are attached to routing messages and need no extra information exchange, the message complexity tends to be negligible. However, one possible negative effect is that reputable nodes (not always the mesh routers) will attract more forwarding requests, potentially leading to their overload. Two measures can be used to alleviate such effects. First, the reputation is only considered on top of the routing protocols, so it only enhances their routing behavior instead of changing their functional principles; the most reputable node may not always be selected if it is not included in the route table towards a particular destination. Second, node $i$ can be set to select its neighbors $j$ probabilistically based on their trust values in accordance with the routing protocol (e.g., with probability directly proportional to $T_l(i,j)$). This avoids routing paths through malicious nodes, balances the load of the whole network, and meanwhile allows fresh nodes to build their reputation. Moreover, we can run Algorithm 1 to obtain routing paths by setting $N_r$ as the source node and $N_o$ as the destination node. In this way, the node's routing behavior is essentially guided by a convex combination of local trust values and global trust values, i.e.,

$$\tilde{T}_g(N_r, N_o) = \gamma \cdot R_{N_r N_i} + (1-\gamma) \cdot \vec{T}_g(N_i, N_o).$$

This can work as a routing protocol for data delivery, like the one in Zouridaki et al. [30], although it may lead to extra computational cost and non-trivial message complexity. This paper does not intend to discuss this issue comprehensively.

5.4 Messages and their exchange

From a functional perspective of RADAR, a WMN has two types of nodes: the nodes running the detection engine, which are called detection agents, and the nodes that are monitored by a detection agent. The messages traveling in the network generally fall into three categories,

• $Msg_c$, which denotes the messages used for routing control and data transmission, including RREQ, RREP, RERR, and data packets;
• $Msg_q$, which denotes the messages used for querying trust values for building trust networks (usually attached to $Msg_c$);
• $Msg_r$, which denotes the alarm messages originated from detection agents.
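The two load-balancing measures of Sect. 5.3 (reputation only refines the choice among next hops the route table already offers; the choice is probabilistic, proportional to $T_l(i,j)$) together with the reaction to a $Msg_r$ alarm are shown in the following Python block. It is an added example, not the prototype's code: the route table, the local trust values, the multiplicative trust penalty applied on an alarm and the uniform fallback when no trust information is available are all assumptions made here for illustration.

```python
"""Trust-aware next-hop selection for a reputation-assisted routing protocol
(added example). Candidates are restricted to the neighbours that the route
table already lists for the destination, so reputation refines the protocol's
choice without bypassing it; among them a neighbour is chosen with probability
proportional to the local trust T_l(i, j). The route table, trust values and
alarm handling below are constructed for illustration.
"""
import random


def next_hop_distribution(route_table, dest, local_trust):
    """Probability of each eligible next hop, proportional to T_l(i, j).
    A neighbour missing from the route table for `dest` gets no share even if
    it is the most reputable node; a neighbour with zero trust gets share 0."""
    candidates = route_table.get(dest, [])
    if not candidates:
        return {}
    weights = {j: max(local_trust.get(j, 0.0), 0.0) for j in candidates}
    total = sum(weights.values())
    if total <= 0.0:
        # No usable trust information: fall back to the protocol's own choice (uniform).
        return {j: 1.0 / len(candidates) for j in candidates}
    return {j: w / total for j, w in weights.items()}


def choose_next_hop(route_table, dest, local_trust, rng):
    """Probabilistic selection; `rng` is a random.Random instance."""
    dist = next_hop_distribution(route_table, dest, local_trust)
    if not dist:
        return None
    hops = list(dist)
    return rng.choices(hops, weights=[dist[h] for h in hops], k=1)[0]


def most_reputable_next_hop(route_table, dest, local_trust):
    """Deterministic variant: the most trusted neighbour among the candidates."""
    dist = next_hop_distribution(route_table, dest, local_trust)
    return max(dist, key=lambda j: local_trust.get(j, 0.0)) if dist else None


def apply_alarm(local_trust, suspect, penalty=0.5):
    """Reaction to a Msg_r alarm from a detection agent: cut the local trust in
    the suspect (assumption: multiplicative penalty) so traffic is routed around it."""
    updated = dict(local_trust)
    updated[suspect] = updated.get(suspect, 0.0) * (1.0 - penalty)
    return updated


def hop_counts(route_table, dest, local_trust, draws, seed=1):
    """How often each neighbour is chosen over `draws` forwarding decisions."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        h = choose_next_hop(route_table, dest, local_trust, rng)
        counts[h] = counts.get(h, 0) + 1
    return counts


# Constructed state of mesh node i: route-table entries for destination D and
# local trust in its neighbours. F is the most reputable neighbour but the
# routing protocol lists no route to D through it; E has been flagged and its
# trust zeroed; C is a fresh node with the initial client reputation and still
# receives a share of the traffic so it can build its reputation.
ROUTE_TABLE = {"D": ["B", "C", "E"]}
LOCAL_TRUST = {"B": 0.9, "C": 0.5, "E": 0.0, "F": 0.99}

if __name__ == "__main__":
    print(next_hop_distribution(ROUTE_TABLE, "D", LOCAL_TRUST))
    print(hop_counts(ROUTE_TABLE, "D", LOCAL_TRUST, 10000))
    print(most_reputable_next_hop(ROUTE_TABLE, "D", apply_alarm(LOCAL_TRUST, "B", 0.8)))
```

After an alarm that cuts B's trust by 80%, the deterministic rule switches to C and the probabilistic rule shifts most of the load to C while still occasionally using B; a node whose trust has been driven to zero is never chosen, which is how the routing layer "changes the routing path" in response to $Msg_r$.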

Table 2 Simulation settings

Network
  Area                                     1,000 m × 1,000 m
  Topology                                 Random
  Placement of MR                          Uniform
  MAC                                      DCF of 802.11b
  Routing protocol                         DSR
Node
  # of nodes                               30 (12 MR, 18 MC)
  # of good nodes                          23
  # of malicious nodes                     7
  # of pre-trusted nodes                   9
  # of anomaly detectors                   9
  # of malicious collectives               3
Attacks
  Malicious collective (Atk0)
  DoS (Atk1)                               Packet dropping
  Routing loop (Atk2)                      Spoofing
Simulation
  # of simulation epochs                   20
  Training time : Testing time             5000 s : 1000 s
  Length of detection window ($l_{DW}$)    20 s
Parameters
  Impact factor $\alpha$ (Eq. 4)           0.4
  Impact factor $\beta$ (Eq. 5)            2
  Impact factor $\gamma$ (Algorithm 1)     0.4
  Threshold $\theta$ (Algorithm 1)         0.6
  Searching depth $H$ (Algorithm 1)        4
  Locality frame count $L$ (Algorithm 2)   4
  Detection window $w$ (Algorithm 2)       3
  Local monitor window $LMW$ (Algorithm 3) 10
  Smoothing constant $\gamma$ (Algorithm 3) 0.3


In a WMN, each node must update its global trust values periodically by sending requests to the nodes of interest (local trust values are computed locally without further requests). Also, in each detection window, a detection agent randomly sends $Msg_q$ to a number of other nodes to construct trust networks as in Algorithm 1, and the requested nodes are expected to return the results within a tolerable delay, usually one detection window. If a detection agent becomes aware of an anomalous node, it sends $Msg_r$ as intrusion evidence to all the nodes that lie within its coverage and are neighbors of the anomalous node. Note that in the current variant of RADAR, detection agents are deployed on a number of nodes with higher reputation and remain fixed over time. In a more advanced variant, detection agents should be selected automatically and changed periodically according to the network status.

6 Vulnerability analysis and security enhancement

As reputation serves as the essential observation for constructing the baseline of network normality, we must consider its attributes in terms of efficiency, robustness and security. In particular, efficiency evaluates whether the trust values can be extracted and calculated quickly; robustness means that normal updates by a small portion of mesh nodes should not cause sharp drifts of the network normality; and security ensures that malicious nodes cannot subvert the reputation management scheme.

More specifically, our design has high efficiency due to two facts. Firstly, the reputation can be used to characterize the individual behavior of mesh nodes and constitutes a natural boundary for the whole network to reflect its normal activities. Secondly, the overhead of the trust values in terms of calculation, storage, and communication is minimal, and this overhead dominates the response latency and detection cost of our system. In addition, we may integrate the trust values with an authentication scheme and employ a fault-tolerant mechanism as the basis for computing node reputation in order to enhance its dependability. In doing so, the reputation is resistant to manipulation and Byzantine failure of any witness of a particular mesh node, as a consensus, instead of a simple aggregation of trust values, is used to evaluate the reputation. Formally, for a node with $n$ witnesses, the mechanism tolerates at most $f$ of them behaving abnormally, where $3f + 1 \le n$. Moreover, a preventive measure against malicious nodes was addressed in Sect. 4.1 (scheme $M_2$), where a priori trustworthy nodes are assumed to exist. This is reasonable, since a network administrator is always aware of the significance of each mesh node during the deployment stage, and some mesh nodes have a very small probability of being compromised due to their special location and configuration. The pre-trusted nodes thus serve as supervisors that monitor the network and participate in the secure computation of other nodes' reputation.

Furthermore, we need to specially address the storage of trust values. A node's trust values must not be computed and stored at the node itself, which prevents arbitrary manipulation. Also, a node's trust values must be computed and stored in multiple places in case of any single failure. In this sense, if a node needs the trust values of node $i$, it must query $M_i$ witnesses of $i$. Here $M_i$ is a variable related to the node's reputation: the higher the reputation of a node, the smaller its $M_i$.
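The witness-based query and the $3f + 1 \le n$ bound of this section are illustrated by the following Python block, an added example rather than the paper's mechanism. It never reads a node's trust from the node itself, fetches $M_i$ reports from witnesses, and reduces them with a rule that survives $f$ Byzantine witnesses: drop the $f$ largest and $f$ smallest reports and average the rest, so $f$ colluders cannot push the result outside the range of the honest reports. The trimmed-mean rule, the way $M_i$ shrinks with reputation, and the report values are all assumptions of the example; the paper specifies only that a consensus, not a plain aggregation, is used.

```python
"""Byzantine-tolerant reputation query through witnesses (added example).

A node's trust values are never read from the node itself; they are fetched
from M_i witnesses and reduced with a rule that tolerates up to f misbehaving
witnesses as long as 3f + 1 <= n: drop the f largest and f smallest reports
and average the rest. Any f colluding reports are then unable to push the
result outside the range of the honest ones. The trimmed-mean rule, the way
M_i shrinks with reputation and the report values are assumptions of this
example, not the paper's mechanism.
"""


def max_faulty(n):
    """Largest f with 3f + 1 <= n."""
    return (n - 1) // 3


def can_tolerate(n, f):
    """True when n witnesses suffice for f Byzantine ones."""
    return 3 * f + 1 <= n


def witness_count(reputation, m_min=4, m_max=10):
    """M_i: the number of witnesses to query; the higher the reputation, the
    fewer witnesses (assumption: linear interpolation between m_max and m_min)."""
    rep = min(max(reputation, 0.0), 1.0)
    return m_max - round((m_max - m_min) * rep)


def consensus_trust(reports, f):
    """Trimmed mean: discard the f smallest and the f largest reports.
    Refuses to answer when the witness set cannot tolerate f faults."""
    if not can_tolerate(len(reports), f):
        raise ValueError("need at least 3f + 1 witnesses")
    s = sorted(reports)
    core = s[f:len(s) - f]
    return sum(core) / len(core)


def query_trust(reports, reputation):
    """Take M_i reports (here: the first M_i available) and tolerate the largest
    f those M_i witnesses allow. Returns (consensus value, f)."""
    chosen = reports[:witness_count(reputation)]
    f = max_faulty(len(chosen))
    return consensus_trust(chosen, f), f


def within_honest_range(value, honest_reports):
    """Safety property of the rule: the result is bounded by honest opinions."""
    return min(honest_reports) <= value <= max(honest_reports)


# Constructed witness reports for node i: seven honest witnesses agree on
# roughly 0.8; two colluding witnesses (a malicious collective) report 0.0
# to drive the node's reputation down.
HONEST = [0.78, 0.80, 0.82, 0.81, 0.79, 0.80, 0.83]
COLLUDERS = [0.0, 0.0]
REPORTS = HONEST + COLLUDERS

if __name__ == "__main__":
    f = max_faulty(len(REPORTS))
    print("f =", f, "consensus =", consensus_trust(REPORTS, f),
          "plain mean =", sum(REPORTS) / len(REPORTS))
```

With nine witnesses the rule tolerates two colluders: the plain mean of the reports drops to about 0.63, well below anything an honest witness said, while the trimmed consensus stays at 0.796; with only six witnesses the same two colluders exceed the bound and the query is refused rather than answered with a manipulable value.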

7 Performance evaluation

This section reports the evaluation results of RADAR operating in a classical WMN under a variety of attacks.

7.1 Simulation settings

Our findings are based on simulations of a WMN network model using Qualnet [24]. The simulation scenario and settings are explained as follows and summarized in Table 2.

Network model: We consider a typical WMN that consists of both mesh routers and mesh clients, randomly deployed in a space of 1,000 × 1,000 m². The MAC layer works with the DCF of the IEEE 802.11b standard, and the network layer runs the DSR routing protocol. The application layer uses CBR for generating data packets (6/s), and 50 source-destination connections are randomly and periodically (every 10 s) generated among the nodes.

Node model: The experimental network consists of 30 mesh nodes, 12 mesh routers and 18 mesh clients, of which 23 nodes are benign and 7 are anomalous. Nine nodes (all of them mesh routers) are selected as pre-trusted nodes with high reputation (0.99); the initial reputation of the remaining mesh routers is 0.80 and that of the MCs is 0.50. We also intentionally create three malicious collectives to examine the performance of our scheme in detecting a group of malicious nodes subverting reputation management. In addition, we assume that all nodes are location-aware and can be identified by IP addresses. For easier implementation and analysis, RADAR is distributed over the 9 pre-trusted nodes, so there are in total 9 detection agents running the detection algorithms.

Attacks: While our scheme can work at different protocol layers, in the current experiment we only examine several typical attacks that most likely happen in the routing protocols of WMNs. In order to cover a large class of attack variants, we select attacks in terms of intrusion impact and implement them using particular attacking techniques. For instance, as shown in Table 2, we simulate a DoS attack (renamed Atk1 for clearer illustration) using packet dropping. The goal of Atk0 is to subvert reputation management so as to break our detection scheme, and Atk2 aims at compromising the routing protocol by creating routing loops. All the attacks are launched by the 7 anomalous nodes we have previously selected.

Evaluation metrics: A common criterion for evaluating an anomaly detection system is the trade-off between the capability of detecting anomalies and the ability to suppress false alerts. Besides this metric, in our experiment we also examine the response latency and the scalability associated with the number of detection agents in terms of message complexity. The simulation generally contains two phases, a training phase and a testing phase, which last 5000 s and 1000 s respectively. The duration of a detection window is set as $l_{DW} = 20$ s, so there are $|DW| = 5000/20 = 250$ detection windows in the training phase and $|DW| = 1000/20 = 50$ detection windows in the testing phase. Twenty simulation epochs were executed to obtain averaged results.

7.2 Findings and analysis

We evaluated RADAR in terms of the introduced evaluation metrics. Above all, in order to examine the sensitivity and robustness of the reputation management for creating baselines of anomaly detection, we artificially create malicious collectives to subvert the computation of node reputation. Specifically, a number of nodes collude with each other to arbitrarily manipulate their trust values, leading to inaccurate node reputation and eventually causing the scheme to fail to detect anomalous nodes. In our simulation setting, two groups of neighboring nodes (composed of 3 and 4 nodes respectively) form two malicious collectives, and they combine together as a third collective.

7.2.1 Detection accuracy versus false positive rate

We first evaluate the performance of RADAR in detecting two typical attacks (Atk1 and Atk2 in Table 2) in terms of detection accuracy and false positive rate. The results are characterized by the ROC curve, a typical representation for IDS evaluation, in Fig. 7, obtained by tuning the threshold $R_{ij}$. One may argue that the curve is not close enough to the top-left corner (the closer the better). In fact, this is largely due to the small size of the simulation network and the small number of malicious nodes we set, so it is not sound evidence to undermine the performance of RADAR, and we observe that the curve moves toward the top-left corner as the network size increases.

Fig. 7 Performance characterized by ROC for measuring RADAR's detection accuracy and false positives (detection accuracy versus false positive rate for Atk1, Atk1+Atk0, Atk2 and Atk2+Atk0)

In addition, RADAR varies in its performance on detecting different attacks due to their intrinsic characteristics. The simulation results show that Atk1 was easier to detect than Atk2. In general, RADAR always detected Atk1 with higher detection accuracy and lower false positive rate than Atk2. For instance, when the false positive rate was kept at 0, 3 nodes launching Atk1 were detected, whereas only 2 nodes issuing Atk2 were detected. This is not surprising, since the DoS attack was simply implemented by dropping data packets, and malicious nodes discarding packets always receive negative trust values from their witnesses. Given sufficient time, all the malicious nodes launching the DoS attack were detected with a low false positive rate. Compared with the DoS attack, routing loops were always detected with a higher false positive rate. One interesting discovery is that nodes launching DoS attacks were detected because of the decrease of their own trust values. On the contrary, nodes launching routing loop attacks were detected not because their trust values changed significantly, but because the nodes that forward bad data packets (originated from malicious nodes with spoofed addresses) received negative values; the irregular updates of these nodes' trust values reveal the malicious nodes (mainly through the clustering-based anomaly detector). We also noticed that RADAR was resilient to malicious collectives subverting node reputation, as the detection performance on Atk1 + Atk0 showed no sharp deterioration compared with that on Atk1. However, we found that two cases of Atk2 + Atk0 evaded detection, and they were not discovered by RADAR until the false positive rate reached 100%.


7.2.2 Response latency

In order to observe the response latency of our detection scheme, we set all the malicious nodes to launch attacks simultaneously and recorded the time at which each attack was detected, for a simple comparison. The scheme was set with the maximum false positive rate to ensure that all the attack cases could be detected. As shown in Fig. 8, the nodes launching Atk1 were generally detected earlier than the ones launching Atk2. For example, the first DoS attack was detected within the fourth detection window, while the first routing loop attack was detected when DW = 9. In addition, all DoS attacks were discovered before the 19th detection window, while routing loop attacks were not fully detected until DW reached 27 (two malicious nodes were not disclosed during the whole testing stage when Atk2 was launched together with Atk0). Note that DoS attacks were detected in different time windows because the malicious nodes adopt different dropping rates, e.g., the first node drops all packets, the second one drops one of every two packets, and the seventh node randomly drops one out of every seven packets it receives. The reason for the larger latency in detecting Atk2 is the same as previously explained: the detection of a node triggering a routing loop depends on the decrease of the trust values of the victim that forwards bad packets rather than those of the malicious node itself. This process usually takes longer than the decrease of the trust value of a node that simply drops packets.

7.2.3 Overhead and scalability

Our scheme is distributed in principle, and all the nodes in the network can serve as detection agents for cooperative anomaly detection. However, in a practical implementation, we usually prefer the pre-trusted nodes and those with more computational capacity to run the detection engine. Also, since the sizes of $msg_q$ and $msg_r$ are much smaller than that of $msg_c$, and the computational cost in terms of energy consumption is negligible compared to the transmission cost, we mainly examine the extra cost caused by additional message exchanges and define the detection overhead ratio as follows,

$$dor = \frac{\sum_{i=1}^{n} \#(msg_q' + msg_r)}{\sum_{i=1}^{n} \#msg} \qquad (9)$$

Note that since $msg_q$ is usually attached to the messages $msg_c$, we use $msg_q'$ to denote the messages generated specifically for querying trust values and building trust networks, and $msg$ represents all the messages traveling in the network. The results are visualized in Fig. 9, which illustrates that the value of $dor$ decreases as the number of detection agents and the size of the detection window increase. In our simulation, the worst case occurred when three detection agents were active and worked with $l_{DW} = 10$ s. In this case, the active detection agents acted more frequently and sent out several times as many messages for querying trust values and building trust networks as in the other settings, yet the value of $dor$ remained lower than 25%. However, when the number of active detection agents increased to 9 with $l_{DW}$ set to 10 s, the value of $dor$ was always less than 5%. This finding implies that an optimal detection overhead could be achieved by adjusting the number of detection agents and the duration of the detection window. An automated deployment strategy for managing detection agents is therefore desirable.

Fig. 8 A comparison of response latency for observing RADAR's capability of detecting different attacks (number of detected nodes versus number of detection windows, for Atk1, Atk1+Atk0, Atk2 and Atk2+Atk0)

Fig. 9 Detection overhead ratio for examining the relationship between detection overhead and detection performance by varying the number of agents of the detection engine (detection overhead ratio versus size of the detection window, for 9, 7 and 3 detection agents)


7.3 Discussions

The simulation results clearly demonstrated the satisfactory performance of RADAR in terms of the key evaluation metrics for a distributed anomaly detection system in WMNs. To make our simulation tractable and easier to capture micro-level observations, the simulation settings in Table 2 only represent a relatively small WMN. We have also experimented with a larger network of a hundred mesh nodes for obtaining macro-level discoveries, which generally showed that RADAR could still maintain an acceptable level of performance, and most of our conclusions continue to hold. In addition, in the initial simulation settings the malicious nodes are a small fraction of the whole network (seven out of thirty). This is in fact a realistic setting, as the size of a WMN is usually not large in practice. Despite this, we observed from the simulations with a larger network that the performance of RADAR, thanks to the robust reputation management scheme, did not deteriorate significantly in more hostile environments.

Moreover, in the simulation, RADAR integrated the dual anomaly detectors in a synchronous manner, and the detection results of the two anomaly detectors were intersected (operator AND) for suppressing false positives (see the operation modes in Fig. 6). To examine the effect of the OR operation, we conducted a set of simulations and compared the results with those of the AND operation. As Fig. 10 shows, detection with the AND operation generally has higher detection accuracy and higher false positives than the OR operation. Again, due to the small portion of malicious nodes, the two operations did not reveal a significant difference in detection performance in terms of detection accuracy and false positive rate. However, the findings did validate Assumption 3, which suggests that a cross-over operation between the AND and OR operators enables RADAR to achieve higher detection accuracy and lower false positives.

Fig. 10 A comparison of RADAR's detection performance using operators AND and OR respectively for integrating the anomaly detectors (detection accuracy versus false positive rate for Atk1 and Atk2 under each operator)

Furthermore, in order to overcome the vulnerabilities of RADAR resulting from the underlying reputation management, a number of countermeasures are presented in Sect. 6 for security enhancement. One may argue that additional measures would lead to extra computational overhead, since more messages would be generated by the nodes to exchange their opinions for behavior characterization and reputation management. Our simulation with fairly moderate communication traffic, however, demonstrated that the overhead of the secure operations is minimal. Generally, it decreases as the overall traffic load of the network increases. Certainly, the deployment of detection agents also affects the computational cost (as discussed in Sect. 7.2.3), which will be further explored in our future research. Finally, although our simulation only considered two attack variants, i.e., DoS attack and routing loop, other attack variants can be detected as well, as long as their consequence is to compromise a node's packet forwarding behavior, such as blackhole and wormhole attacks. This is because our design focuses on attack consequences instead of specific attack behavior, enabling RADAR to detect a large class of attack instances including novel ones. The design assumptions presented in Sect. 3 potentially limit RADAR's detection of identity-related attacks, like the Sybil attack, but secure and dependable reputation management protects RADAR from such attacks to some extent.

8 Conclusion

This paper proposed a reputation-oriented anomaly detection scheme, named RADAR, for diagnosing anomalous mesh nodes in WMNs. In general, RADAR has the following salient features,

• Reputation is used to evaluate and represent each node's behavior by abstracting and examining appropriate observations, e.g., data packets; a secure and dependable reputation management mechanism is then applied to define, quantify and propagate the trust values of each node, ensuring the robustness and accuracy of the normal profiles that are fed to the anomaly detection engine;
• Two light-weight anomaly detectors were employed and integrated as a dual-core detection engine, capturing behavior drifts of the mesh nodes in terms of reputation by exploring the temporal and spatial properties respectively. The seamless integration enables the two detectors to complement each other, achieving higher detection accuracy and a lower false positive rate than independent operation of the anomaly detectors;
• The decentralized architecture allows RADAR to fully distribute its detection engines in a WMN, with the major concern being the trade-off between detection performance and detection overhead.

In addition, a RADAR prototype was developed and implemented in a WMN using the DSR protocol, with the goal of detecting misbehaving nodes that violate routing mechanisms at the network layer. This research can be viewed as the first step towards a general troubleshooting framework for WMNs, aiming at diagnosing anomalous events that occur at both mesh nodes and communication links and that result from both intentional attacks and accidental system failures. We are interested in broadening RADAR's detection coverage to other layers, e.g., MAC and PHY, by observing and correlating cross-layer anomalies. We also intend to extend our scheme to MANETs by examining their fundamental differences from WMNs, e.g., node mobility. Another challenging issue worthy of further exploration is to automatically deploy anomaly detection engines in an optimal manner to achieve the best trade-off between detection cost and detection performance.


Author Biographies

Zonghua Zhang has been working at Institut Telecom/TELECOM Lille1, France, since April 2010. Previously, he was an expert researcher at the Information Security Research Center of NICT, Japan, from April 2008 to April 2010. Earlier, he spent two years as a post-doctoral researcher at the University of Waterloo, Canada, and INRIA, France, after earning his Ph.D. in Information Science from the Japan Advanced Institute of Science and Technology (JAIST) in March 2006. Zonghua also obtained an M.Sc. degree in Computer Science and a B.Sc. degree in Information Science from Xidian University, China, in 2003 and 2000, respectively. His research began with Elliptic Curve Cryptography and security evaluation, and is now focused on network forensics analysis and reputation/security management.

Pin-Han Ho received his B.Sc. and M.Sc. degrees from the Electrical Engineering department of National Taiwan University in 1993 and 1995, respectively, and his Ph.D. degree from Queen’s University at Kingston in 2002. He is now an associate professor in the Department of Electrical and Computer Engineering, University of Waterloo, Canada. Professor Pin-Han Ho is the author/co-author of more than 150 refereed technical papers and several book chapters, and the co-author of a book on optical networking and survivability. His current research interests cover a wide range of topics in broadband wired and wireless communication networks, including survivable network design, wireless Metropolitan Area Networks such as IEEE 802.16 networks, Fiber-Wireless (FIWI) network integration, and network security. He is the recipient of the Distinguished Research Excellent Award in the ECE department of the University of Waterloo, the Early Researcher Award (Premier Research Excellence Award) in 2005, the Best Paper Award in SPECTS’02, the ICC’05 Optical Networking Symposium, and the ICC’07 Security and Wireless Communications Symposium, and the Outstanding Paper Award in HPSR’02.

Farid Nait-Abdesselam obtained his engineering degree in Computer Science from the University of Sciences and Technologies Houari Boumediene (USTHB), Algiers, Algeria, in 06/1993 and a master’s degree in Computer Science from the University of Paris Descartes, France, in 09/1994. After two years spent in industry working as a software engineer, he joined the University of Versailles Saint Quentin (UVSQ), France, in 01/1996, and received his PhD degree in Computer Science in 01/2000. During 1998, he worked as an associate researcher at the University of Western Ontario, London, Ontario, Canada, on distributed interactive virtual environments and multimedia communications over ATM networks. From 09/1999 to 08/2000 he was an assistant professor at the University of Sciences and Technologies of Lille, France. From 09/2000 to 08/2003 he worked as an associate professor at INSA of Lyon and a research member of INRIA Rhône-Alpes. Since 09/2003 he has been an associate professor at the University of Sciences and Technologies of Lille and, until 09/2007, a research member of INRIA Lille Nord Europe. His research interests lie in the field of computer and communication networks, with emphasis on architectures and protocols for quality of service and security in IP-based networks, mobile ad hoc, sensor, vehicular, and mesh networks, and overlay networks. Farid Nait-Abdesselam is on the editorial boards of the Wiley Int. J. of Communication Systems, the Int. J. of Internet Protocol Technology, the Int. J. of Ad Hoc and Ubiquitous Computing, and the Int. J. of Computer Networks and Distributed Systems. He has been on the technical program committees of various IEEE and ACM conferences, including GLOBECOM, ICC, LCN, and MSWiM, and is regularly invited to chair some of their sessions. He is chairing/has chaired the IEEE International Workshop on Wireless Local Networks, the IEEE/ACS International Workshop on Internet Services, and the International Workshop on Peer to Peer Networking. He has served as Editorial Liaison Chair of the IEEE LCN Conference and publicity co-chair of many conferences. Farid Nait-Abdesselam is a member of the IEEE, the IEEE Communications Society, and the IEEE Computer Society.
