Evolving Intrusion Detection Rules on
Mobile Ad Hoc Networks
Sevil Sen and John Clark
Department of Computer Science, UK
{ssen, jac}@cs.york.ac.uk
[Figure: Grammatical Evolution Algorithm]
Objective
We investigate the use of the Grammatical Evolution (GE) technique to detect
known attacks on Mobile Ad Hoc Networks (MANETs).
We evolve programs by using GE to detect dropping attacks, a particularly
important attack for MANETs. We mainly aim to differentiate packet dropping
due to malicious behaviour from packet dropping due to mobility in this highly
dynamic environment.
We evaluate the evolved detection rules on networks with varying mobility and
traffic patterns.
MANETs
A Mobile Ad Hoc Network (MANET) is a self-configuring network of mobile
nodes connected by wireless links. Characteristics include:
• no fixed infrastructure
• dynamically changing topology due to mobility
• cooperativeness of nodes to provide essential networking
• resource-constrained environment
• more vulnerable to attacks than wired networks
Dropping Attacks
In MANETs, nodes that are not within each other’s communication range must
rely on other nodes to forward their packets. In a dropping attack, malicious
nodes drop data packets that are not destined for themselves. Dropping attacks may:
• reduce network performance
• prevent end-to-end communications
Major causes of packet losses on MANETs are:
• wireless link transmission errors
• mobility (~60%)
• congestion
The Fitness and The Grammar
The fitness function, which evaluates how good a solution is:
Fitness = detection rate – k * false positive rate
S = <code>
<code> ::= if(<condition>) raise_alarm()
<condition> ::= <condition> <set-op> <condition> | <expr> <rel-op> <expr>
<expr> ::= <expr> <op> <expr> | (<expr> <op> <expr>)
         | <pre-op> (<expr>) | <pre-op2> (<expr>) | <var>
<op> ::= + | - | / | *
<pre-op> ::= sin | cos | log | ln | sqrt | abs | exp | ceil | floor
<pre-op2> ::= max | min | pow | percent
<rel-op> ::= < | ≤ | > | ≥ | == | !=
<set-op> ::= and | or
<var> ::= feature set
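A minimal sketch of the genotype-to-rule mapping and the fitness function above, added here as an illustration and not the authors' code. It uses a subset of the grammar; the feature names (unacked, neigh_change, routes_added), the genome and the labelled windows are constructed assumptions.

```python
# Subset of the poster's grammar: division and partial functions (log, sqrt) are
# left out so every derived rule evaluates. <var> names are assumed features.
GRAMMAR = {
    "<condition>": [["<condition>", "<set-op>", "<condition>"],
                    ["<expr>", "<rel-op>", "<expr>"]],
    "<expr>": [["(", "<expr>", "<op>", "<expr>", ")"],
               ["<pre-op>", "(", "<expr>", ")"], ["<var>"]],
    "<op>": [["+"], ["-"], ["*"]],
    "<pre-op>": [["abs"]],
    "<rel-op>": [["<"], ["<="], [">"], [">="]],
    "<set-op>": [["and"], ["or"]],
    "<var>": [["unacked"], ["neigh_change"], ["routes_added"]],
}

def ge_map(codons, start="<condition>", max_wraps=2):
    """Expand the leftmost nonterminal with production (codon mod #productions),
    one codon per expansion, wrapping the genome at most max_wraps times."""
    seq, used = [start], 0
    while any(s in GRAMMAR for s in seq):
        if used >= len(codons) * (max_wraps + 1):
            return None  # derivation did not terminate: invalid individual
        i = next(n for n, s in enumerate(seq) if s in GRAMMAR)
        rules = GRAMMAR[seq[i]]
        seq[i:i + 1] = rules[codons[used % len(codons)] % len(rules)]
        used += 1
    return " ".join(seq)

def rates(rule, windows):
    """Detection rate and false positive rate of a rule over labelled windows."""
    env = {"__builtins__": {}, "abs": abs}  # rule text is built only from GRAMMAR
    hits = [(bool(eval(rule, env, dict(f))), attack) for f, attack in windows]
    tp = sum(alarm and attack for alarm, attack in hits)
    fp = sum(alarm and not attack for alarm, attack in hits)
    n_attack = sum(attack for _, attack in hits)
    return tp / n_attack, fp / (len(hits) - n_attack)

def fitness(rule, windows, k=1.0):
    """Fitness = detection rate - k * false positive rate."""
    dr, fpr = rates(rule, windows)
    return dr - k * fpr

# Constructed sample: per-window feature values and whether a dropper was active.
FEATURES = ("unacked", "neigh_change", "routes_added")
WINDOWS = [(dict(zip(FEATURES, v)), attack) for v, attack in [
    ((9, 0, 1), True), ((7, 1, 0), True), ((6, 2, 1), True), ((4, 4, 1), True),
    ((8, 6, 5), False), ((1, 1, 0), False), ((2, 3, 2), False), ((3, 1, 1), False)]]
GENOME = [7, 8, 12, 6, 3, 11, 4, 9, 14, 20]  # constructed integer genome
RULE = ge_map(GENOME)

if __name__ == "__main__":
    print("if(%s) raise_alarm()" % RULE, rates(RULE, WINDOWS), fitness(RULE, WINDOWS))
```

In the sample, the attack window with high neighbour churn is missed and one quiet window raises a false alarm, which is the mobility-versus-malice trade-off that k weights.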
The Method
We use Grammatical Evolution (GE), an evolutionary technique inspired by
natural evolution, to evolve detection rules for dropping attacks on MANETs.
GE evolves programs written in a BNF grammar.
The evolved program (best of run) is distributed to each node on the network.
We assume that dropping attacks can be detected by the neighbours of the
malicious node that sent/forwarded packets to the malicious node but have not
received any acknowledgement from it for a while.
We assume that an attack can be detected in a time interval ∆ after it has
occurred. For this reason, a sliding window mechanism that gathers all features in
∆ is applied to training and testing.
We use both mobility-related and packet-related features as input to the
evolution system.
• Mobility-related features can give information about mobility directly (such as
changes in the number of neighbours) or be the result of mobility (such as
increase in the number of new routes added).
• Packet-related features include information about routing protocol control
packets (AODV) and transport protocol packets (TCP).
Experiment and Results
The evolved programs are evaluated on networks with low, medium and high
mobility/traffic. The results show that false positive rates increase in proportion to
mobility as expected. Only the mobility factor of packet losses on MANETs is
considered here. The results can be improved by taking into account other factors.

Scenarios                                        Detection Rate   False Positive Rate
Low mobility, 20 TCP connections                 79.59%           3.81%
Low mobility, 30 TCP connections                 93.85%           5.25%
Medium mobility, 20 TCP connections              92.45%           3.95%
Medium mobility, 30 TCP connections              87.04%           6.30%
Medium mobility, 20 TCP connections              90.48%           4.07%
Medium mobility, 30 TCP connections (training)   82.64%           5.53%
High mobility, 20 TCP connections                83.33%           5.05%
High mobility, 30 TCP connections                84.38%           6.22%
Conclusion
We show the potential of the grammatical evolution technique to detect dropping
attacks against MANETs. Our GE technique shows good performance in evolving
efficient detectors for known attacks against MANETs.
In future:
• We aim to apply the GE technique to a variety of attacks on MANETs.
• We aim to employ multi-objective evaluation mechanisms to explore optimal
tradeoffs between resources consumed by programs (e.g. memory and power) and
detection efficacy.