DECEPTION BASED HIERARCHICAL INTRUSION DETECTION SYSTEM FOR MOBILE AD-HOC NETWORKS

Abstract

The increasing usage of mobile computing devices has led to rapid emergence of Mobile Ad-Hoc Networks (MANETs) and potential threats to them. Even though a spectrum of Intrusion Detection Systems (IDS) exists for MANETS, the lack of knowledge about the exploitation methods used to compromise ad-hoc networks, is threatening the free and easy usage of ad-hoc networks. Recently, the use of deceptive mechanisms for knowledge acquisition and intrusion detection has become very common in wired and infrastructure based wireless networks. They have traffic concentration and control points such as switches, routers, or gate ways where wired/wireless resources are deliberately deployed to lure and capture the attackers. MANET doesn't have such concentration or control points, therefore no proper architecture has been proposed till now for use of deceptive techniques in MANETs. However, the specific features of deception techniques like reliability, control over deployed resources and their luring capabilities can be used to overcome the limitations of earlier IDS used in general ad-hoc environment. In this dissertation, we have combined detective techniques (Misuse and Anomaly based detection) and deceptive approaches to develop the first deception based hierarchical intrusion detection system to counter network based intrusions in ad-hoc environment. We propose the use of a deceptive, trusted and controlled mobile network in the vicinity of real production ad-hoc network as a trap to lure and deviate the attention of attackers. We have coined the term — HoneyMANET for this decoy network that monitors and test the maliciousness of foreign nodes crossing by. It is a made of trusted nodes, named as honeynodes, which move and generate data under the control of hidden hierarchical management and is open to foreign nodes for joining (with or without authentication, according to the security policies). Three different kinds of profiles — local, personal and global are generated for complete security of network from different kinds of old and new attacks. An unsupervised intrusion detection module is developed which uses the behavior of trusted honeynodes for reliable anomaly and misuse detection. The tactic environment of HoneyMANET and the working of its four modules — deception, monitoring and logging, collection and integration, and intrusion detection modules have been simulated using Network Simulator. Simulations are done to find different design parameters of honeyMANET - free movement zones, number, speed and data generation rate of honeynodes, to make a robust IDS. Different kinds of localized and globally distributed attacks, vii with varying rate and number of attackers, are launched to test the robustness of proposed model in different attack scenarios. Simulation results show that the attack detection efficiency of HoneyMANET is high and mostly remains at value 1, independent of type of attack or number of attackers in the network. The false alarm rate is also low (mostly remaining at value 0). This is a great achievement as compared to IDS of general ad-hoc network where detection rate decreases as number of attacker increases in the network. HoneyMANET's use in evaluation of impact of different attacks on networks is also shown. Route Request flooding attack is shown to affect the network more drastically than packet dropping attacks. Simple packet drop attack is less severe than black hole attack, but as the number of attackers' increases, its effect is almost same as that of black hole attack. It has been shown that HoneyMANET gives us both localized and global overview of activities taking place in the network and is a reliable, robust and efficient intrusion detection system. viii