2010 International Conference on Innovative Computing and Communication and 2010 Asia-Pacific Conference on Information Technology and Ocean Engineering

Mobile agents-based intrusion detection system for mobile ad hoc networks

Yinan Li
School of Communication Engineering, JiLin University
ChangChun, JiLin, China
E-mail: [email protected]

Zhihong Qian
School of Communication Engineering, JiLin University
ChangChun, JiLin, China
E-mail: [email protected]

Abstract: This thesis proposes an Agent-based intrusion detection model for the Mobile Ad Hoc Network. The model forms a cluster-head-centred backbone network and uses a decision mode of joint detection among cluster heads, with voting by ballot among part of the cluster heads, to perform intrusion detection for the whole network. The model has the advantages of a simple structure and short computing time; meanwhile, it saves network bandwidth and power consumption while ensuring a higher detection rate. Simulation results verify the availability of this solution.

Key words: communications technology; Agent; IDS; Ad Hoc network

978-0-7695-3942-3/10 $26.00 © 2010 IEEE, DOI 10.1109/CICC-ITOE.2010.45

I. OVERVIEW

The Mobile Ad Hoc Network (MANET) is a multi-hop temporary autonomous system made up of a set of mobile terminals with wireless transceivers. It maintains network interconnection and data transmission through limited movement, interaction and self-organization among nodes within transmission range. In practical application the network can be deployed and configured quickly, so it is widely used for on-scene dispatch in emergencies, military tactical communication, cooperative mobile communication, wireless access systems, etc. [1]. Because the Mobile Ad Hoc Network has the characteristics of wireless channels, autonomous mobile nodes, a dynamically changing topology and a weak security authentication mechanism, it is more exposed to various security threats and attacks, from passive eavesdropping to active impersonation, message replay, message falsification and denial of service [2]. Therefore the Intrusion Detection System (IDS) serves as the second line of defence of the network security solution, behind the firewall.

II. RESEARCH SITUATION

Yongguang Zhang et al. first proposed an Agent-based distributed cooperative intrusion detection solution [3]. In this solution an IDS Agent runs on every node of the network and has six main functional modules. First, local data collection and detection are executed on the node; when abnormal data is found, cooperative detection among multiple nodes of the whole network is triggered to determine whether an intrusion has occurred. The solution has two advantages: (1) it puts forward a distributed cooperative intrusion detection structure, in which the IDS Agent distributed on each node independently completes local detection and cooperatively completes overall detection, which fits the self-organizing nature of the Mobile Ad Hoc Network; (2) it adopts multilayer integrated intrusion detection, which improves detection efficiency. Meanwhile, it has two disadvantages: (1) the anomaly detection mode requires prior training on sample data, which does not suit the varied application scenes of the Mobile Ad Hoc Network; (2) the Agent runs on every node and occupies excessive resources. Such a distributed IDS structure is more suitable for a flat (plane) MANET. Oleg Kachirski and Ratan Guha proposed an intrusion detection solution based on mobile Agents [4]. They considered that having an Agent on every node, as in Yongguang Zhang's solution, occupies network resources excessively; to save resources, the network-monitoring Agent is kept only on certain nodes, and the number of Agents can be increased or reduced as required, giving an IDS structure that runs on diverse audit data. This structure has better extensibility. Huang Yian et al. proposed limiting intrusion detection to certain nodes [5] to reduce the system resources used by the IDS and so improve availability, which can be applied to a multilayer MANET. Chin-Yang Tseng et al. proposed a specification-based intrusion detection solution [6] with a higher detection rate and lower false alarm rate, but its availability was not verified experimentally. Rajavaram and Shah put forward a network-information-based intrusion detection system [7]; because every hop needs to inspect data packets, detection efficiency is much lower and the solution wastes resources. Yi Ping et al. proposed a timed-automata-based intrusion detection algorithm [8], which needs no prior data training and can detect intrusion activity in real time by using timed automata to analyse node behaviour.


III. IDS IN MANET [9]

The IDS in a MANET can be divided into three structures:
(1) Isolated IDS. Every host has its own IDS, which detects attacks independently. There is no cooperation among nodes; all decisions depend on the local node. Although this architecture is not very available, it can be applied in an environment where not all nodes can run an IDS.
(2) Flat (plane) structure. Every node first executes intrusion detection by gathering local data. If intrusion activity is found, the node broadcasts a signal to notify its neighbour nodes and triggers a network-wide response to execute intrusion detection.
(3) Hierarchical structure. The whole MANET is separated into multiple IDS clusters, and intrusion detection is executed by the cluster heads. A hierarchical IDS has excellent network extensibility and little network control overhead, can realize distributed intrusion detection, and suits the network characteristics of the MANET. The host IDS can effectively distinguish and report attack information in the system. The local response module can rationally allocate algorithm resources based on the priority of alarms, which not only improves accuracy and saves energy but also eases network congestion.
The research object of this thesis is the hierarchical IDS structure shown in figure 1; the following text does not explain it further.

Figure 1 Hierarchical structure of IDS system

IV. STRUCTURE OF THE SYSTEM MODEL

4.1 Partitions of clusters

Generation and maintenance of the hierarchical structure of the Mobile Ad hoc Network are completed by the clustering algorithm, and the performance of the algorithm directly affects the performance of the application system. A clustering algorithm generally comprises cluster generation and the cluster maintenance policy. Cluster generation consists of the partitioning of clusters and the cluster-head selection algorithm; once a cluster is generated, it enters the maintenance stage. Cluster maintenance is the process of keeping the clustering structure, according to certain rules, when the network environment changes. The aim in designing a clustering algorithm is to build an interconnected set of clusters that covers all user nodes and can support resource management and the routing protocol well. As the fundamental algorithm of the hierarchical networking mechanism in a hierarchical Mobile Ad hoc Network, the quality of the clustering algorithm has a significant impact on the performance of the whole system. A good clustering algorithm is stable with respect to node activity: while only a few nodes are moving and the topology changes slowly, the clustering mechanism should keep the original structure as far as possible and adjust only the changed part, so as to reduce the overhead of regenerating clusters and improve the overall efficiency of the network. At the same time, the clustering algorithm must meet the real-time requirements of the system; otherwise the algorithm cannot converge and it is difficult to build an effective hierarchical structure [10]. In the following analysis, these conditions are always assumed to hold:
(1) every node has a unique ID, and a node can obtain the IDs of all its neighbour nodes by broadcast packets;
(2) a node always receives its neighbour nodes' data packets correctly;
(3) the network model satisfies the momentary static model.

4.2 Detailed process of partitioning clusters

(1) The whole network makes a broadcast, so that every node has a unique network-wide ID and obtains the matrix of its neighbour nodes;
(2) if the node's ID number is the smallest among its neighbour nodes' ID numbers, a new cluster is announced and the node itself becomes the cluster head; otherwise the third and fourth steps are executed;
(3) the node waits until it receives news of a new cluster being established among its neighbour nodes, then joins that cluster and broadcasts the news;
(4) if, in the third step, it is found that the neighbour nodes with smaller ID numbers have all joined other clusters, a new cluster is announced and the node itself becomes the cluster head.

4.3 Intrusion detection based on the Agent

The existing detection solution is an IDS model based on anomaly detection using parameter-anomaly detection technology. The IDS Agent runs on each node, executing data gathering and detection. When local data is found to be abnormal, or an abnormal report is received from a neighbour node, cooperative detection among the nodes and network-wide intrusion detection are triggered [11]. The shortcoming of the solution is obvious: the IDS Agent runs on every node, which greatly consumes the energy of each node and shortens the service life of the whole network. The design philosophy of this solution is an Agent-based intrusion detection system that takes the cluster head as the detection unit, that is, the network is divided by a proper clustering algorithm and the Agent system is activated on the cluster-head nodes at the same time. When the cluster-head node has identified, from local data gathering and characteristic comparison, that intrusion activity has occurred in the cluster, the cluster-head


node screens the corresponding intruded malicious node; when the cluster-head node cannot be sure whether intrusion activity has occurred on a certain node, it triggers joint detection among the cluster heads, using partial voting to determine the malicious node, and notifies the other nodes in the network. This solution changes the original way in which collective voting of the whole network determines intrusion activity; with the detection rate unchanged, it effectively reduces the energy consumption of nodes, saves network resources and prolongs the service life of the whole network. The main process of this model is shown in figure 2.

Figure 2 Process of Intrusion Detection

The functions of each module are as follows:
(1) Local data gathering: receiving data delivered by the nodes in the cluster, monitoring local data (such as received messages and updates of the route table), and classifying and computing the gathered data.
(2) Local detection: analysing the data, determining whether an intrusion has occurred, and triggering a joint detection request if necessary.
(3) Local response: determining the response strategy and broadcasting it within the cluster. Possible response policies include reinitializing certificate information, reinitializing the signal path, and blacklist operations.
(4) Network joint detection: when the local cluster-head node cannot decide on an intrusion, a joint detection request is triggered to ask other clusters to make a joint detection. The trigger rule takes a certain natural number as the hop radius, and all cluster-head nodes within that radius take part. A cluster head receiving a joint detection request analyses the data of its own cluster and returns a judgement on the possibility of attack. The cluster head that launched the request uses a weighted algorithm over the results returned by the other cluster-head nodes to determine whether a local intrusion has occurred, on the principle that the minority is subordinate to the majority.
(5) Network response: for a node determined to be intruded, a network-wide blacklist broadcast is made.
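The cluster partitioning of section 4.2 is what produces the cluster-head set on which the modules above run, so here is that four-step procedure as an added Python example (not code from the paper). The topology is constructed, links are assumed symmetric and momentarily static as in the conditions of 4.1, and nodes are processed in increasing ID order, which stands in for the broadcast rounds: a node decides only after every lower-ID neighbour has decided. The two check functions verify the properties a cluster-head-based IDS needs from the partition.

```python
from collections import defaultdict

# Constructed MANET topology: node ID -> IDs of its one-hop neighbours (symmetric).
# Assumed conditions, as in section 4.1: unique IDs, reliable neighbour packets,
# momentarily static topology. Not the paper's simulated network.
NEIGHBOURS = {
    1: {2, 3},
    2: {1, 3, 4},
    3: {1, 2, 5},
    4: {2, 6},
    5: {3, 6},
    6: {4, 5, 7},
    7: {6},
}


def lowest_id_clustering(neighbours):
    """Partition the network following the four steps of section 4.2.

    Returns (head_of, clusters): head_of maps every node to its cluster head
    (a head maps to itself); clusters maps each head to its member set.
    """
    head_of = {}
    clusters = defaultdict(set)
    for node in sorted(neighbours):
        lower = {n for n in neighbours[node] if n < node}
        # Step 2: smallest ID in the neighbourhood -> announce a new cluster.
        if not lower:
            head_of[node] = node
            clusters[node].add(node)
            continue
        # Step 3: a lower-ID neighbour announced a cluster -> join it
        # (the lowest head ID wins if several heads are in range).
        neighbour_heads = sorted(n for n in lower if head_of[n] == n)
        if neighbour_heads:
            head = neighbour_heads[0]
            head_of[node] = head
            clusters[head].add(node)
            continue
        # Step 4: every lower-ID neighbour joined some other cluster as an
        # ordinary member, so no head is within one hop -> become a head.
        head_of[node] = node
        clusters[node].add(node)
    return head_of, dict(clusters)


def cluster_heads(head_of):
    """IDs of the nodes that will host the IDS Agent (the virtual backbone)."""
    return sorted(h for h, v in head_of.items() if h == v)


def covers_network(neighbours, head_of):
    """Every node is a head or one hop from its head, so the head's Agent can
    gather that node's data directly (the local data gathering module)."""
    return all(head_of[n] == n or head_of[n] in neighbours[n] for n in neighbours)


def heads_are_independent(neighbours, head_of):
    """No two heads are adjacent; a violation would mean a node ignored a
    lower-ID head's announcement, i.e. the procedure was not followed."""
    heads = cluster_heads(head_of)
    return all(b not in neighbours[a] for a in heads for b in heads if a != b)


if __name__ == "__main__":
    head_of, clusters = lowest_id_clustering(NEIGHBOURS)
    print("cluster heads:", cluster_heads(head_of))
    for head, members in sorted(clusters.items()):
        print(f"cluster {head}: members {sorted(members)}")
    print("covers network:", covers_network(NEIGHBOURS, head_of))
    print("heads independent:", heads_are_independent(NEIGHBOURS, head_of))
```

On the constructed topology nodes 4, 5 and 7 become heads through step (4): each has a lower-ID neighbour, but that neighbour is an ordinary member of cluster 1 or 4, so no head is reachable in one hop. That is the case that makes the partition cover the whole network rather than only the neighbourhood of the lowest IDs.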

4.4 The process of the algorithm is described as follows:
(1) A proper clustering algorithm divides the whole network into several clusters, and the cluster-head nodes form a virtual backbone network;
(2) the Agent on each cluster-head node is activated, gathers data from all nodes in the cluster and extracts characteristics for intrusion detection analysis;
(3) if the Agent on the cluster-head node finds, by characteristic comparison, that a node in the cluster has obviously been intruded, it screens the node and notifies the other nodes in the cluster by broadcast, and those nodes screen the node after receiving the alarm;
(4) if the Agent on the cluster-head node finds abnormal data but cannot determine whether an intrusion has occurred, it selects a natural number as the hop radius and sends a joint detection request to all cluster-head nodes within that radius;
(5) when the corresponding cluster-head nodes receive the request, they perform joint intrusion detection analysis on the abnormal data sent to them, judge whether an intrusion has occurred, and vote on the principle that the minority is subordinate to the majority. If the majority of cluster-head nodes consider that an intrusion has occurred, the Agent notifies the cluster-head node of the cluster the node belongs to, which screens it;
(6) when the Agent on a cluster-head node determines that the data of another cluster-head node is abnormal, it follows the same steps. If voting determines that a cluster-head node itself is intruded, the Agent notifies the other cluster-head nodes by broadcast to screen that cluster head, and the cluster it heads is split and merged, or a new cluster head is re-elected, by the clustering algorithm.

V. SIMULATION RESULTS AND ANALYSIS

This thesis uses the NS-2 [12] simulator to test the model. Without considering packet transmission errors or the influence of packet collisions on cluster partitioning, the thesis measures four primary indicators: detection rate, false detection rate, route packet overhead and average latency. The test parameter settings are shown in Table 1.

Table 1 Parameter settings of NS-2

Parameter                 Value
Number of nodes           200
Simulation area (m2)      1000 x 1000
Simulation time (s)       1200
Routing protocol          AODV
MAC type                  IEEE 802.11
Movement model            Random waypoint
Transmission range (m)    250
Maximum speed (m/s)       20
Packet size (B)           256
Packet rate (pps)         4
Type of attack            Ad hoc flooding
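The decision flow of sections 4.3 and 4.4 (local characteristic comparison, then joint detection within a hop radius and a majority vote among cluster heads), together with the detection-rate and false-detection-rate indicators of section V, as an added Python example that is not the paper's code. Everything in it is constructed and assumed: the five-head backbone, the per-head route-request (RREQ) rates used as the characteristic (ad hoc flooding, the attack type of Table 1, shows up as an abnormally high RREQ rate), the baseline and the two thresholds, and the ground truth used only to score the decisions. Votes are equally weighted unless a weights mapping is given, heads that never observed the suspect abstain, and a tie counts as no intrusion.

```python
from collections import deque

# Constructed cluster-head backbone (the virtual backbone network of 4.4 step (1)):
# head ID -> neighbouring heads, links symmetric. Not the paper's simulated topology.
BACKBONE = {
    "H1": {"H2", "H3"},
    "H2": {"H1", "H4"},
    "H3": {"H1", "H4"},
    "H4": {"H2", "H3", "H5"},
    "H5": {"H4"},
}

# Constructed observations: suspect node -> {head: RREQ rate (RREQ/s) measured by
# that head for the suspect}. A head without an entry did not observe the suspect.
OBSERVED_RREQ_RATE = {
    "n17": {"H1": 9.0, "H2": 8.5, "H3": 9.5, "H4": 2.0},   # flooder seen by several heads
    "n23": {"H1": 30.0},                                   # blatant flooder, seen by H1 only
    "n31": {"H1": 8.0, "H2": 3.0, "H3": 2.5, "H4": 2.0},   # short burst at H1, benign elsewhere
    "n42": {"H1": 1.5, "H2": 1.0},                          # benign
}
# Constructed ground truth, used only to compute the section V indicators.
GROUND_TRUTH = {"n17": True, "n23": True, "n31": False, "n42": False}

NORMAL_RREQ_RATE = 4.0  # assumed baseline RREQ rate of a well-behaved node
CLEAR_INTRUSION = 5.0   # score at or above this: decide locally and screen (step 3)
SUSPICIOUS = 1.5        # score at or above this, below CLEAR_INTRUSION: joint detection (step 4)


def local_score(rate):
    """Local detection by characteristic comparison: observed rate relative to baseline."""
    return rate / NORMAL_RREQ_RATE


def heads_within_radius(backbone, origin, hop_radius):
    """BFS over the backbone; heads other than origin at most hop_radius hops away."""
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        head = queue.popleft()
        if dist[head] == hop_radius:
            continue
        for nxt in backbone[head]:
            if nxt not in dist:
                dist[nxt] = dist[head] + 1
                queue.append(nxt)
    return sorted(h for h in dist if h != origin)


def joint_detection(backbone, origin, suspect_obs, hop_radius, weights=None):
    """Step (5): each head within the radius judges the suspect from its own
    observation; the origin decides by weighted majority (minority subordinate
    to the majority). Weights default to 1 per head; a tie means no intrusion."""
    weights = weights or {}
    votes = {}
    for head in heads_within_radius(backbone, origin, hop_radius):
        if head in suspect_obs:  # heads that never saw the suspect abstain
            votes[head] = local_score(suspect_obs[head]) >= SUSPICIOUS
    yes = sum(weights.get(h, 1.0) for h, v in votes.items() if v)
    no = sum(weights.get(h, 1.0) for h, v in votes.items() if not v)
    return yes > no, votes


def decide(backbone, origin, suspect, observations, hop_radius=2):
    """Cluster-head decision flow for one suspect (steps 3-5). Returns the response:
    'screen-local' (local response in the cluster), 'blacklist-network' (network
    response after a majority vote), 'clear', 'normal' or 'no-data'."""
    suspect_obs = observations.get(suspect, {})
    if origin not in suspect_obs:
        return "no-data"
    score = local_score(suspect_obs[origin])
    if score >= CLEAR_INTRUSION:
        return "screen-local"
    if score >= SUSPICIOUS:
        intrusion, _ = joint_detection(backbone, origin, suspect_obs, hop_radius)
        return "blacklist-network" if intrusion else "clear"
    return "normal"


def evaluate(decisions, ground_truth):
    """Detection rate and false detection rate, two of the section V indicators."""
    flagged = {n for n, d in decisions.items() if d in ("screen-local", "blacklist-network")}
    malicious = {n for n, bad in ground_truth.items() if bad}
    benign = set(ground_truth) - malicious
    detection_rate = len(flagged & malicious) / len(malicious) if malicious else 0.0
    false_rate = len(flagged & benign) / len(benign) if benign else 0.0
    return detection_rate, false_rate


if __name__ == "__main__":
    decisions = {n: decide(BACKBONE, "H1", n, OBSERVED_RREQ_RATE) for n in OBSERVED_RREQ_RATE}
    for node, action in decisions.items():
        print(f"{node}: {action}")
    print("detection rate, false detection rate:", evaluate(decisions, GROUND_TRUTH))
```

Node n31 is the case the joint detection exists for: H1 alone sees a suspicious burst, but the three heads within two hops saw normal behaviour and outvote it, so no blacklist broadcast is sent and the false detection rate stays at zero; n23 is screened by H1 alone because its score is far past the local threshold, so no joint detection traffic is spent on it.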

The results are shown in figures (a) and (b).

(a) Detection rate

(b) False detection rate

From the simulation results in figures (a) and (b), as the number of malicious nodes in the network increases and large-scale intrusion events are generated, numerous IDSs generate a large number of alarms and cause an alarm flood, occupying much communication bandwidth, affecting normal network communication and degrading the integrity of the network. The IDS proposed in this thesis can effectively distinguish and report attack information in the system, and its local response module can rationally allocate algorithm resources according to alarm priority, which not only improves accuracy and saves energy but also eases network congestion. The test shows that the model has a high detection rate of more than 90% while the false detection rate stays below 10%, verifying the efficiency of the solution.

VI. CONCLUSION

This thesis presented an Agent-based intrusion detection model for the Mobile Ad Hoc Network that forms a cluster-head-centred virtual backbone network and uses a decision mode of joint detection among cluster heads, with voting by ballot among part of the cluster heads, to perform network-wide intrusion detection. The model has the advantages of low route overhead, low system resource occupation and short algorithm time; meanwhile it has a high detection rate and effectively reduces the false detection rate. The simulation test has verified the characteristics above.

REFERENCES

[1] IEEE 802.11. Standard Specifications for Wireless Local Area Networks [EB/OL]. (1999-11). http://standards.ieee.org/wireless/.
[2] Luo H, Zerfos P, Kong J, et al. Self-securing Ad Hoc Wireless Networks [C]. Proc. of the 7th IEEE Symposium on Computers and Communications, 2002.
[3] Yongguang Zhang, Wenke Lee. Intrusion detection in wireless Ad Hoc networks [C]. Proc. of the Sixth International Conference on Mobile Computing and Networking, Boston, MA, 2000: 275-283.
[4] Guha R, Kachirski O, Schwartz D G. Case-based Agents for Packet-level Intrusion Detection in Ad Hoc Networks [C]. Proc. of the 17th International Symposium on Computer and Information Sciences, 2002.
[5] Huang Yian, Lee W. A Cooperative Intrusion Detection System for Ad Hoc Networks [C]. Proc. of the ACM Workshop on Security of Ad Hoc and Sensor Networks, 2003.
[6] Tseng Chin-Yang. A Specification-based Intrusion Detection System for AODV [C]. Proc. of the ACM Workshop on Security of Ad Hoc and Sensor Networks, 2003.
[7] Rajavaram Sowjanya, Hiren Shah. Neighborhood Watch: An Intrusion Detection and Response Protocol for Mobile Ad Hoc Networks [R]. UMBC, 2002.
[8] Ping Yi, Zhong, Shiyong Zhang. Real time protocol analysis for detecting routing attacks in mobile Ad Hoc networks [C]. Fifth IEEE International Symposium and School on Advanced Distributed Systems (ISSADS 2005), Lecture Notes in Computer Science, Guadalajara, Jalisco, México, January 2005.
[9] Wang Ru-chuan, Wang Hua, Xu Xiao-long. Research on intrusion detection system based on mobile agent [J]. Journal of China Institute of Communications, 2004, Vol. 25, No. 1.
[10] Cheng Wei-ming, Zhou Xin-yun. A Clustering Algorithm for Mobile Ad-Hoc Network [J]. Chinese Journal of Computers, 2005(5): 864-868.
[11] Nian Liu, Sunjun Liu, Rui Li, Yong Liu. A Network Intrusion Detection Model Based on Immune Multi-Agent [C]. Communications, Network and System Sciences, 2009(6): 569-574.
[12] NS-2 network simulator [OL]. http://www.isi.edu/nsnam/ns, 2006.
