Intrusion Detection Techniques in Mobile Ad Hoc and Wireless Sensor Networks - IEEE, October 2007
CMSC 681 - Advanced Computer Networks
Oleg Aulov
MANET and WSN
• No wires, limited battery life, limited memory and processing capability
• No base stations, mobile nodes, nodes relay data (act as routers)
• Usually no centralized authority
• Deployed in adverse or hostile environments
• Prevention (secure key distribution and key management schemes) doesn't work once a node is compromised and its secrets leak. Insiders can cause greater damage.
IDS - second line of defence
• IDS - dynamically monitors the system to detect compromise of confidentiality, availability and integrity.
• Two common types:
  • Misuse based - stores a database of known attacks
  • Anomaly based - creates a normal profile of system states or user behaviors (difficult to build; mobility makes it harder)
• Specification based - manually developed specifications, time-consuming
ID in MANET - attacks
• Routing logic compromise - blackhole, routing update storm, fabrication
• Traffic distortion - dropping, corruption, flooding
• Others - rushing, wormhole, spoofing
MANET - Existing Research
Zhang et al
• Agent attached to each node, performs ID & response individually
• Unsupervised method to construct & select the feature set (distance, velocity, # hops, etc.)
• Pattern classification problem - apply RIPPER (decision tree for rule induction) & SVM Light (support vector machine, used when data cannot be classified by a set of features) algorithms
• Post-processing - to eliminate false alarms
MANET - Existing Research
Huang et al
• Cross-Feature Analysis - learning based method to capture correlation patterns.
• L features - f1, f2, ..., fL
• fi - feature characterizing topology or route activities
• Solve a classification problem: create the set Ci: {f1, ..., fi-1, fi+1, ..., fL}, used to identify temporal correlation between one feature and all the other features.
• Ci - very likely to predict fi in normal circumstances, very unlikely during an attack
MANET - Existing Research
Huang and Lee
• Collaboration with neighbors - broader ID range - more accurate, more information about attacks
• Cluster based detection scheme - FSM - Initial, Clique, Done, Lost
Ad hoc On Demand Distance Vector (AODV) algorithm
• EFSA (extended finite state automaton) - detect state and transition violations
• Specification based approach, detects abnormal patterns and anomalous basic events.
MANET - Existing Research
Marti et al
• Watchdog and Pathrater to identify and respond to routing misbehaviors.
• Each node verifies that its data was forwarded correctly.
DSR - dynamic source routing
• Rate routes and use the more reliable ones.
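The Watchdog/Pathrater idea on this slide, as an added illustration that is not the code of Marti et al. or anything from the paper: each node tallies packets it handed to a neighbor but never overheard being retransmitted, reports the neighbor once the tally passes a threshold, and Pathrater then prefers source routes that avoid suspected nodes. The topology, the threshold and the rating constants are this example's own choices.

```python
"""Watchdog and Pathrater on a toy source-routed (DSR-style) path.

Added illustration, not the code of Marti et al.: every node keeps a
per-neighbor tally of packets it handed to that neighbor but never
overheard being retransmitted; once the tally passes a threshold the
neighbor is reported as misbehaving. Pathrater then scores candidate
routes and prefers those that avoid suspected nodes. The threshold and
rating constants below are this example's own choices.
"""
from collections import defaultdict

FAILURE_THRESHOLD = 3        # drops tolerated before a neighbor is suspected (example choice)
INITIAL_RATING = 0.5         # rating of a node with no evidence either way (example choice)
MISBEHAVING_RATING = -100.0  # rating assigned to a suspected node (example choice)


class Watchdog:
    """Per-node watchdog: overhears the next hop and tallies unforwarded packets."""

    def __init__(self, name):
        self.name = name
        self.failures = defaultdict(int)  # next hop -> packets not overheard
        self.suspected = set()

    def observe(self, next_hop, forwarded):
        """Record whether a packet handed to next_hop was overheard being
        retransmitted before the watchdog timeout."""
        if forwarded:
            return
        self.failures[next_hop] += 1
        if self.failures[next_hop] >= FAILURE_THRESHOLD:
            self.suspected.add(next_hop)


def run_path(path, misbehaving, n_packets):
    """Send n_packets from path[0] to path[-1]. Nodes in `misbehaving`
    silently drop everything they receive. Returns (watchdogs, delivered)."""
    watchdogs = {node: Watchdog(node) for node in path}
    delivered = 0
    for _ in range(n_packets):
        for i in range(len(path) - 1):
            sender, next_hop = path[i], path[i + 1]
            if next_hop == path[-1]:
                delivered += 1           # destination reached, nothing to forward
                break
            # The sender listens for next_hop retransmitting toward path[i+2].
            forwarded = next_hop not in misbehaving
            watchdogs[sender].observe(next_hop, forwarded)
            if not forwarded:
                break                    # packet dropped, downstream never sees it
    return watchdogs, delivered


def suspected_nodes(watchdogs):
    """Union of every node's local suspicions (what the source learns
    from misbehavior reports)."""
    result = set()
    for wd in watchdogs.values():
        result |= wd.suspected
    return result


def rate_path(path, suspected):
    """Pathrater: average rating of intermediate nodes, so a single
    suspected node drags a route far below any clean alternative."""
    intermediates = path[1:-1]
    if not intermediates:
        return INITIAL_RATING
    ratings = [MISBEHAVING_RATING if n in suspected else INITIAL_RATING
               for n in intermediates]
    return sum(ratings) / len(ratings)


def choose_route(routes, suspected):
    """Pick the highest-rated of the known source routes."""
    return max(routes, key=lambda r: rate_path(r, suspected))


if __name__ == "__main__":
    # Constructed topology: two routes from S to D; B on the first drops packets.
    route_via_b = ["S", "A", "B", "C", "D"]
    route_via_e = ["S", "E", "F", "D"]
    wds, ok = run_path(route_via_b, misbehaving={"B"}, n_packets=5)
    bad = suspected_nodes(wds)
    print("delivered:", ok, "suspected:", bad)
    print("chosen route:", choose_route([route_via_b, route_via_e], bad))
```

The threshold is what keeps a single lost overhearing (for instance a collision at the watchdog) from condemning an honest neighbor; with too few packets observed the tally stays below it and no report is raised.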
MANET - Existing Research
Tseng et al
• Based on AODV - specification based ID
• Detects run time violations
• FSM - specify behaviors of AODV
• Maintain RREP and RREQ (route reply and route request) messages
MANET - Existing Research
Sun et al
• Use Markov chains to characterize normal behaviors
• Motivated by ZBIDS (zone based IDS) - locally generated alerts inside the zone
• Gateway nodes - broadcast alerts within the zone
• IDMEF (Intrusion Detection Message Exchange Format) - presented to facilitate interoperability of IDS agents.
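How a Markov chain can serve as a profile of normal behavior, as an added illustration that is not Sun et al.'s implementation: a first-order chain is trained on a constructed trace of discretised observations (routing-table change counts per interval, bucketed into low/medium/high), and a sliding window of fresh observations is scored by the average log-probability of its transitions; a window scoring below the worst window seen during training is flagged. The symbol alphabet, window length and trace are assumptions of this example.

```python
"""Markov-chain profile of normal behavior for anomaly detection.

Added illustration, not Sun et al.'s implementation: a first-order
Markov chain is trained on a sequence of discretised observations
recorded while the node behaves normally (here: routing-table change
counts per interval, bucketed into 0 = low, 1 = medium, 2 = high; the
trace is constructed). A sliding window of fresh observations is scored
by the average log-probability the chain assigns to its transitions;
a window scoring below the worst window seen during training is flagged.
"""
import math

N_SYMBOLS = 3
WINDOW = 5

# Constructed normal-operation trace: bursts of change are rare and short.
NORMAL_TRACE = [0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 2, 0, 0, 1, 0, 0, 0, 1,
                2, 1, 0, 0, 1, 0, 0, 0, 2, 0, 0, 1, 0, 0, 1, 1, 0]


def train_chain(trace, n_symbols=N_SYMBOLS):
    """Estimate transition probabilities P(b | a) with add-one smoothing so
    an unseen transition is improbable rather than impossible."""
    counts = [[0] * n_symbols for _ in range(n_symbols)]
    for a, b in zip(trace, trace[1:]):
        counts[a][b] += 1
    chain = []
    for a in range(n_symbols):
        total = sum(counts[a])
        chain.append([(counts[a][b] + 1) / (total + n_symbols)
                      for b in range(n_symbols)])
    return chain


def window_score(chain, window):
    """Average log-probability of the transitions inside one window."""
    logs = [math.log(chain[a][b]) for a, b in zip(window, window[1:])]
    return sum(logs) / len(logs)


def training_threshold(chain, trace, window=WINDOW):
    """Lowest score any window of the normal trace achieves; anything below
    it looks less normal than everything seen during training."""
    return min(window_score(chain, trace[i:i + window])
               for i in range(len(trace) - window + 1))


class MarkovDetector:
    """Profile + threshold learned from a normal trace."""

    def __init__(self, trace, n_symbols=N_SYMBOLS, window=WINDOW):
        self.chain = train_chain(trace, n_symbols)
        self.window = window
        self.threshold = training_threshold(self.chain, trace, window)

    def is_anomalous(self, window):
        if len(window) != self.window:
            raise ValueError("window must contain %d observations" % self.window)
        return window_score(self.chain, window) < self.threshold


DETECTOR = MarkovDetector(NORMAL_TRACE)

if __name__ == "__main__":
    for w in (NORMAL_TRACE[:WINDOW], [2, 2, 2, 2, 2], [0, 2, 2, 2, 0]):
        print(w, "score=%.3f" % window_score(DETECTOR.chain, w),
              "anomalous" if DETECTOR.is_anomalous(w) else "normal")
```

A sustained run of high change counts (2 followed by 2) never occurs in the training trace, so the smoothed chain assigns it a low probability and the window is flagged, while any slice of the training trace scores at or above the threshold by construction. The difficulty the earlier slide mentions for anomaly detection under mobility shows up here as the choice of threshold: legitimate movement can produce windows that look like the attack unless the profile was trained on comparable mobility.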
ID in WSN
Secure Localization
• GPS not feasible
• Utilization of beacon packets and beacon nodes
• Du et al - utilize deployment knowledge to confirm beacon integrity
• Liu et al - filter out malicious location references using
  • Mean square error
  • Compute inconsistency
  • Voting based location estimation
Secure Aggregation
• Wagner - robust statistics for resilient aggregation: truncation, trimming
• Yang - Secure Hop-by-Hop Data Aggregation Protocol (SDAP)
  • Divide and conquer
  • Commit and attest
  • Grubbs' test
• Buttyan - RANSAC paradigm for resilient aggregation, maximum likelihood estimation
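The truncation and trimming estimators from the Wagner bullet, as an added illustration that is not Wagner's or the paper's code: a base station aggregates constructed temperature readings from sensor nodes, one of which is compromised and reports an absurd value. The plain mean is pulled far off; truncation (clamp each reading into a plausible range) bounds how far one node can move the aggregate, and trimming (discard the k largest and k smallest readings) removes up to k colluding outliers entirely. Grubbs' test and the RANSAC approach from the other bullets are not implemented here.

```python
"""Resilient aggregation with robust statistics (truncation and trimming).

Added illustration, not Wagner's or the paper's code: a base station
aggregates readings from sensor nodes, one of which is compromised and
reports an absurd value. The plain mean is pulled far off; truncation
(clamp each reading into a plausible range) bounds how far one node can
move the aggregate, and trimming (discard the k largest and k smallest
readings) removes up to k colluding outliers entirely.
"""
from statistics import mean, median

# Constructed sample: nine honest temperature readings (degrees C) and
# one compromised node reporting 500.0 to inflate the aggregate.
HONEST = [21.0, 21.5, 20.8, 22.1, 21.3, 20.9, 21.7, 21.2, 21.4]
INJECTED = 500.0
READINGS = HONEST + [INJECTED]


def plain_mean(values):
    """Naive aggregate: a single outlier shifts it by (outlier - mean) / n."""
    return mean(values)


def truncated_mean(values, lo, hi):
    """Truncation: clamp readings to [lo, hi] first. A compromised node can
    still push the result, but by at most (hi - lo) / n per node."""
    return mean(min(max(v, lo), hi) for v in values)


def trimmed_mean(values, k):
    """Trimming: sort, drop the k smallest and k largest, average the rest.
    Tolerates up to k compromised nodes pushing in the same direction."""
    s = sorted(values)
    if 2 * k >= len(s):
        raise ValueError("k too large for the sample size")
    return mean(s[k:len(s) - k])


def robust_median(values):
    """Median: the limiting case of trimming, tolerates up to (n-1)/2 outliers."""
    return median(values)


def attacker_influence(aggregate, honest, injected):
    """How far one injected reading moves the aggregate away from the value
    the honest readings alone would give."""
    return abs(aggregate(honest + [injected]) - aggregate(honest))


if __name__ == "__main__":
    estimators = {
        "plain mean": plain_mean,
        "truncated mean [0, 50]": lambda v: truncated_mean(v, 0.0, 50.0),
        "trimmed mean (k=1)": lambda v: trimmed_mean(v, 1),
        "median": robust_median,
    }
    for name, fn in estimators.items():
        print("%-24s %8.3f  attacker influence %7.3f"
              % (name, fn(READINGS), attacker_influence(fn, HONEST, INJECTED)))
```

Truncation needs a plausible range fixed in advance (here 0 to 50 degrees), and the attacker keeps an influence of up to (hi - lo)/n by reporting exactly the clamp boundary; trimming needs no range but only tolerates as many outliers as the k it was configured with.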
Future Research Directions
• Extended Kalman Filter based aggregation - lightweight solution for estimation of neighbor monitoring features
• Integration of mobility and ID in MANET - consideration to use link change rate as an indication of mobility.
• Collaboration of IDM and SMM (system monitoring module) - to address the problem of distinguishing an abnormal event from a false alarm - ask the surrounding nodes to confirm
Questions ???