A survey on Intrusion Detection Systems in MANETs
Shahid Shehzad Bajwa
Pakistan Air Force-Karachi Institute of Economics and Technology
Ensuring security in Mobile ad hoc networks (MANET) is very crucial. In recent years a surge of research and expansion for Mobile ad hoc networks (MANET) has demonstrated its great potential for establishing communication over a large number of application scenarios. Adhoc Network security is different from traditional network security. In this paper we have surveyed the use of Intrusion Detection System in the Adhoc Networks and analyzed their fruitfulness.
An Intrusion Detection System (IDS) is a defense system, which detects malicious activities in a network. One feature of intrusion detection systems is their ability to detect or provide a view of malicious activities and issues by notifying or block a assumed connection. IDS tools are capable of distinguishing between attacks coming from own employees or customers and attacks posed by hackers. An intrusion Detection Systems has its core element a sensor (an analysis engine) that is responsible for detecting intrusions. It has decision making mechanisms is called sensor that receive raw data from knowledge base, system log and audit trail sources. The role of sensor is to filter information and discard any irrelevant data obtained from the event set associated with the protected system. Intrusion detection systems can be arranged as centralized or distributed. A distributed IDS consists of multiple Intrusion Detection Systems (IDS) over a large network, which communicate with each other. This survey report discusses the security issues at cluster based security management. In node level security management each node is responsible for securing itself. MANET routing protocols can be divided into proactive and imprudent categories. Both proactive and reactive protocols can suffer from control packet floods caused by malicious nodes.
What is MANET and how MANETs are different from other networks?
Mobile Ah-hoc Networks (MANETs) are networks that are made of mobile and power controlled nodes infrastructure less self organizing, all the nodes share the same functions with respect to the network operation, (i.e. there is no node that is in charge for authentication or security services). It is vulnerable to security attacks due to its features of open medium, dynamic changing topology, cooperative algorithms, lack of centralized monitoring, management point, and lack of a clear line of defense.
Wireless Mesh Networks (WMN) is slightly more delicate. It exploits the nodes redundancy of nodes and the self-organizing network prototype to overcome some problems that are inherent to wireless networks (tradeoff between distance and transfer rates) or to networks in general (congestion, configuration and installation costs). Applying the above definition of WMN, you may find that both MANETs and WMN are „self-organizing“, but you could also argue that MANETs can be seen as a subset of WMN. The most interesting application of WMN, tough is probably the use of wireless nodes (either mobile or fixed) to convey traffic from mobile users that have a wireless device to the wired internet.
A Wireless Sensor Network (WSN) consists of distributed autonomous devices using sensors to cooperatively scrutinize physical or environmental circumstances, such as high temperature, echo, shuddering, pressure, motion or pollutants, at different locations. They were originally motivated by military applications such as battlefield surveillance. However, wireless sensor networks are now used in many civilian application areas, including environment and locale monitoring, healthcare applications, home computerization, and traffic management.
MANETs Security Approaches
There are mainly two approaches to securing a MANET: proactive and reactive. The proactive approach attempts to prevent security threats in the first place, typically through various cryptographic techniques. The reactive approach seeks to detect threats a posteriori and react accordingly. Both approaches have own merits and is suitable for addressing different issues in MANET. For example, most secure routing protocols adopt the proactive approach in order to secure routing messages exchanged between mobile nodes, while the reactive approach is widely used to protect packet forwarding operations. Due to the absence of a clear line of defense, a complete security solution for MANETs should integrate both proactive and reactive approaches, and encompass all three components: prevention, detection, and reaction. The prevention component deters the attacker by significantly increasing the difficulty of penetrating the system. Ad hoc wireless internet extends the service of the internet to the end users over an ad hoc wireless network; some of the applications of the ad hoc internet ate wireless mesh networks.
In Sensor networks security manage by a centralized control called base stations. A base station is typically a gateway to another network, a powerful data processing or storage center, or an access point for human interface. They can be used as a nexus to disseminate control information into the network or extract data from it. The sensor nodes establish a routing forest, with a base station at the root of every tree. Base stations are many orders of magnitude more powerful than sensor nodes. Typically, base stations have enough battery power to surpass the lifetime of all sensor nodes, sufficient memory to store cryptographic keys, stronger processors, and means for communicating with outside networks.
No matter how carefully the prevention mechanisms are designed a completely intrusion-free system is infeasible. In MANETs, detecting and reacting components that discover the irregular intrusions and take reactions to avoid persistent adverse effects are indispensable for the security solutions are called Intrusion Detection Systems (IDS). They explore issues associated with deviations from normal system or user behavior which are concerned with the detection of hostile actions.
Classification of Intrusion Detection Systems (IDS)
To classify the intrusion detection systems there is a family of tools that use information derived from a single host based IDS (HIDS) and those IDSs that exploit information obtained from a whole segment of a local network (network based IDS). The HIDS reside on a particular computer and provide protection for a specific system. They are not only equipped with system monitoring facilities but also include other modules of a typical IDS. Two primary types of HIDS can be distinguished:
a. Real Secure Agent, and Port Sentry System monitors incoming connection attempts. These examine host-based incoming and outgoing network connections. These are particularly related to the unauthorized connection attempts to TCP or UDP ports and can also detect incoming port scans.
b. Systems which examine network traffic (packets) that attempts to access the host. These systems protect the host by intercepting suspicious packets and looking for aberrant payloads.
c. Login Activity Monitoring Systems monitors the networking layer of their protected host (Host Sentry). Their role is to monitor log-in and log-out attempts, looking for unusual activity on a system occurring at unexpected times, particular network locations or detecting multiple login attempts. The network-based type of IDS (NIDS) produces data about local network usage. The NIDS reassemble and analyze all network packets that reach the network interface card operating in promiscuous mode.
Role of Intrusion Detection Systems in MANET Security
In Mobile ad hoc network security attacks on routing information , exhausting nodes resources, maliciously manipulating data traffic is caused by lack of network infrastructure. AIS (Artificial Immune System) architecture protects and reacts against known and unknown dys-functions and attacks in a Mobile Ad Hoc Network. It is designed as two systems, primary IDS and secondary IDS. These components communicate across the network. The primary IDS are centralized and responsible the packager component was originally missing from selection. In order to adapt to new attacks, a process through which components of successful detectors are recombined using the evolutionary process to make new detectors. The secondary IDS are distributed and are responsible for data gathering, data reduction, detection, and response. It also forwards successful detections to the primary IDS. The architecture of AISANIDS contains two major components. The secondary IDS consist of four components, the sensors, the packager, the detector, and the response. The primary IDS consist of only an analysis component. The sensors collect audit information and convert it to a common event format. The packager performs data reduction by grouping the events into sessions. The analysis component uses these sessions to create detectors. The detector component matches current sessions to its detectors. Finally, the response component automatically responds to attacks. Ideally, once the secondary IDS had a set of detectors, it could continue to function even if the primary IDS failed. Further recommend combining both detection methods to maximize the effectiveness of IDS.
Real time intrusion in service oriented and user centric intrusion detection system  decreases ubiquitous computing for the user short term and long term behavior. SUIDS (Service-oriented and User-centric Intrusion Detection System) with Chi-Square Statistic Test increases ubiquitous computing for the user short term and long term behavior. In this way, the observation reflects the ‘most recent past‘ characteristics of variables in an online fashion. Along with a chi-square statistic test, SUIDS (Service-oriented and User-centric Intrusion Detection System) can measure not only the mean and variance of variables, but also their probability attributions and occurrence patterns. It handles the heterogeneity issue of pervasive network by classifying network nodes into three major categories (head nodes, service nodes, and user nodes) and integrating intrusion detection with service specific knowledge. Security-related factors and subtle scenarios will be considered and tested regarding the system detection effectiveness. A resource-efficient detection algorithm will be investigated to further improve the performance of SUIDS.
Poor connectivity and limited bandwidth makes network vulnerable to security attacks at node level communication in mobile ad hoc networks. Mobile Agent Based Intrusion Detection System (MABIDS)  runs on each node intrusion detection system locally and equally cooperates with other intrusion detection systems running on other nodes. It derived from a MANET requirement analysis. The mobility and autonomy associated with MAs to provide an efficient and flexible solution to poor connectivity and limited bandwidth in MANET context. In architecture of intrusion detection is based on collection and analysis of system and network audit data. Upon detection, intrusions report to security management. Architecture of MABIDS contains the System Administrator (SA) is in charge of harmonizing all the activities among the modules, such as Sensor management (SM), Event Manager (EM), Response Agent (RA), IDS Agents Framework, and PMADE. The sensor management is composed of Data classifier and Data formatting. Data classifier collects raw data from system audit and local route. The data that comes out of the Data classifier divided into three groups: system-level data, user-level data and packet- level data. Data formatting processes the group-data with the data formats rules of local IDS and outputs event data. Communication overhead can more reduce by dividing load into the IDS cluster nodes.
Lack of central authority in self organized mobile ad hoc network increases security threats. Self-organizing mechanism  manages security on node-level decreases security threats from mobile ad hoc networks attackers. It based on the assumptions where individual nodes are themselves responsible for their own security level. Self-organized mobile ad hoc network a node that is responsible for its own security should carry out. The management of security becomes easier if suitable metrics can be developed to offer evidence of the security level or performance of the network. Intrusion detection and prevention (IDS/IPS) techniques can be applied for this purpose. A security monitoring system continuously estimating the actual security level can be attached to the individual nodes of a self-organized mobile ad hoc network. Exploring component metric area and identify dependencies between them.
Due to lack of network central infrastructure and central authority for authentication malicious node attacks for authentication and authorization. It protects and reacts against known and unknown dys-functions or attacks in a mobile ad hoc networks . It was designed as two systems, primary IDS and secondary IDS. These components communicate across the network. The primary IDS is centralized the packager components was originally missing from selection. The secondary IDS is responsible for data gathering, data reduction, detection and response. It also forward successful detection to primary IDS. The immune based system may miss some obvious attacks and raise alters when exposed to rare but permissible activities.
Security attacks to gain unauthorized accesses and misuse of critical data are catastrophic for Mobile ad hoc networks. Hybrid intrusion detection and visualization method  secure the network from attackers to gain unauthorized accesses and misuse of critical data. Intelligent hybrid intrusion detection and visualization system introduces a two-stage intrusion detection technique. Host system calls are monitored as audit data source. Current research is conducted on a standalone host only. The first stage is the misuse detection stage that employs the signature-based detection method. A database of known detection behaviors has been developed and updated over the time. The system compares system audit data with intrusion behavior database in real time. If any intrusion is detected, the autonomous agents will start to intervene and take precautions according to the event handling mechanisms. After the signature detection stage, a graph of system call information should be generated. The second stage is the anomaly detection stage. This stage can overcome the shortcoming of the first stage and is able to detect novel attacks. It can provide additional detection such as misuse of confidential data by internal users. An anomaly-based IDS achieves this by identifying program behaviors that deviate from the known normal behavior. It monitors a program by observing event traces and comparing those traces to some expected behavior. Visualization system needs to give security officers an intuitive representation of such information as normal range of system calls.
Due to limitations of detecting misuse and anomaly attacks in MANET makes network vulnerable from attackers. Hybrid system combines the misuse detection and anomaly detection components for applying random forests algorithm in MANET . In proposed technique there are two different methods for intrusion detection misuse detection and anomaly detection. In misuse detection determines intrusions by patterns or signatures which can represent attacks. Misuse based systems can detect known attacks like virus detection systems, but they cannot detect unknown attacks. Misuse detection usually has higher detection rate and lower false positive rate than anomaly detection. Anomaly detection technique identifies the observed activities that deviate significantly from the normal usage as intrusions. Anomaly detection can detect unknown intrusions, which cannot be addressed by misuse detection. Finally the proposed algorithm achieves high detection rate with low false positive rate, and can detect novel intrusions. However, some intrusions that are very similar with each other cannot be detected by the anomaly detection. Due to the limitations of proposed algorithm another clustering algorithm could be investigated in the future.
Wormhole attacks break security boundaries for detecting information in wireless ad hoc networks. A model novel end-to-end wormhole Detection system  detects intrusion attacks on wireless ad-hoc networks because of its features of lack of centralized administration, limited resources, dynamically changed network topology, and wireless communication. Message bombing, black-hole attack, and wormhole attack, rushing attack are from major attacks in wireless ad hoc networks. Among wireless ad hoc network intrusion detection techniques have been studied. They can be classified into three categories: signature based intrusion detection , anomaly based intrusion detection, and specification based intrusion detection. Proposed method, called end method, in detecting wormhole attack. A wormhole is a dedicated connection between two endpoints which are normally multi-hops away. The adversary either connects the two endpoints by a wired link or installs two radio transceivers at the two locations. Then the attacker sends and re-transmits every packet received at one end of the wormhole at the other end. In this way, the wormhole disrupts the network routing by generating shorter routes in the network. Further improvements on same work are ongoing.
Security attacks based on the model learned only from normal network behaviors without the requirements of pre-labeled attack data generates congestion in Mobile ad hoc networks. An agent-based cooperative anomaly detection scheme  prevent from security attacks based on the model learned only from normal network behaviors without the requirements of pre-labeled attack data. The anomaly detection is performed in a cooperative way involving the participation of multiple mobile nodes. Unlike traditional signature-based misuse detection approaches, the proposed scheme detects various types of intrusions/attacks based on the model learned only from normal network behaviors. Without the requirements of pre-labeled attack data, the approach eliminates the time-consuming labeling process and the impacts of imbalanced dataset. The proposed agent-based cooperative anomaly detection approach builds on cluster-type architecture. It is energy efficient by implementing the function of intrusion detection in a cooperative fashion for each cluster.
Malicious intruders infiltrating poison the collaborative detectors with false alarms, disrupting the intrusion detection functionality and placing the whole system at risk increases security attacks on mobile ad hoc networks. A P2P-based overlay detection method  detects malicious intruders infiltrating poison the collaborative detectors with false alarms, disrupting the intrusion detection functionality and placing the whole system at risk increases security attacks on mobile ad hoc networks. The traditional intrusion detection systems (IDS) are limited and inferior in comparison to the attackers‘ capabilities. Typically, traditional IDSs work in isolation, only seeing relatively small subsections of the Internet, and thus they are unable of deriving significant trends in the whole network. This is especially true for new and emerging attacks, where being able to observe a large amount of deviant behavior would increase the detection and protection capabilities. Efficiency and scalability are some of the critical issues that like to address in our future work. Needs plan to adopt efficient communication models and experiment with different message filtering and peer grouping strategies.
Security attacks on certification services to gain authentication causes the congestion in MNET. Secure and effective distributed certification service method using the Secret Sharing scheme and the Threshold Digital Signature scheme  secures certification services in the MANET. It is an effective authentication scheme to solve the problem that the whole network security would be damaged by the intrusion of one node and to reduce the risk of the exposure of the private keys. Using cryptographic schemes, such as digital signatures to protect routing information and data traffic, usually requires a key management service. A common way for doing this is adopting a public key infrastructure, which in turn requires a trusted entity, Certification Authority (CA), to the network of key management. Establishing a key management service with a single CA is problematic in MANET. If this single CA is unavailable, nodes cannot receive the current public keys of the other nodes, which mean it cannot establish a secure connection. Furthermore, if the CA is compromised and leaks its private key to an adversary, the adversary can then sign any erroneous certificate using this private key to impersonate any node or revoke any certificate. Certification scheme is based on Polynomial secret sharing and Threshold digital signature. Each mobile node forming MANET has its own identifier such as the MAC address. For further improvement the delay time related to renewing the certificate must be reduced.
Security attacks decreases highly available communication processes during detecting faults and intrusion in mobile ad hoc networks. LITON (Lightweight Intrusion-Tolerant Overlay Network) architecture  aims at providing highly available communication in spite of faults and intrusions in the mobile ad hoc network. It is the first overlay network that is able to tolerate intrusions that shows how routing schemes originally developed for mobile ad hoc networks (MANETs) can be used in overlay networks, and introducing a smart route caching strategy that allows for quick recovery when faults are detected. In LITON Lightweight Intrusion-Tolerant Overlay Network every overlay node is an Internet host residing in an autonomous system (AS). Autonomous systems may be connected via public or private (not globally advertised) links. Overlay node placement is arbitrary; however, since LITON is explicitly designed to overcome limitations of Internet inter-domain routing, spreading nodes across different ASs may significantly improve network availability.
No doubt that the IDS are here to stay, although future systems will undoubtedly take a different form than our modern day versions. The mathematical and AI (artificial intelligence) concepts required for success are already being developed, tested and improved upon. In this survey paper we have discussed various Intrusion-Detection-Systems for mobile ad hoc networks based on different protocols to detect the intruders and resolve the security attacks. Many intrusion detection systems are under implementation processes and it is also possible that IDS will merge the independent network components and tools which exist today, into a complete and cooperative system, committed to keeping networks stable.
Black hole attacks will be investigated and new model for grouped Black hole attacks will be proposed soon. Black hole attacks gain the information from non-updated routing tables and represent them self as shortest path. After receiving data packets they drop it.
. A. Karygiannis, E. Antonakakis, A. Apostolopoulos, „Detecting Critical Nodes for MANET Intrusion Detection Systems,“ Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU’06), pp. 7-15, June 2006.
. Bo Zhou, Qi Shi, Madjid Merabti, „Intrusion Detection in Pervasive Networks Based on a Chi-Square Statistic Test,“ 30th Annual International Computer Software and Applications Conference (COMPSAC’06), pp. 203-208, September 2006.
. Upinder Kaur, R.B. Patel, „Intrusion Detection in Mobile Ad-Hoc Networks: A Mobile Agent Approach,“ 9th International Conference on Information Technology (ICIT’06, pp. 77-80, December 2006.
. Reijo Savola, Ilkka Uusitalo, „Towards Node-Level Security Management in Self-Organizing Mobile Ad Hoc Networks,“ Advanced International Conference on Telecommunications and International Conference on Internet and Web Applications and Services (AICT-ICIW’06), pp. 36, February 2006.
. Hongxia Xie, Zhengyun Hui, „An Intrusion Detection Architecture for Ad Hoc Network Based on Artificial Immune System,“ Seventh International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT’06), pp. 1-4, December 2006.
. Jiong Zhang, Mohammad Zulkernine, “ A Hybrid Network Intrusion Detection Technique Using Random Forests,“ First International Conference on Availability, Reliability and Security (ARES’06), pp. 262-269, April 2006.
 Jiong Zhang and Mohammad Zulkernine „A Hybrid Network Intrusion Detection Technique Using Random Forests,“ Approach,“ International Conference on Information Technology December 2006.
. Xia Wang, „Intrusion Detection Techniques in Wireless Ad Hoc Networks,“ 30th Annual International Computer Software and Applications Conference, pp. 347-349 (COMPSAC’06), September 2006.
. Hongmei Deng, Roger Xu, Jason Li, Frank Zhang, Renato Levy, Wenke Lee, “ Agent-Based Cooperative Anomaly Detection for Wireless Ad Hoc Networks,“ 12th International Conference on Parallel and Distributed Systems – Volume 1 (ICPADS’06), pp. 613-620, July 2006.
. Claudiu Duma, Martin Karresand, Nahid Shahmehri, Germano Caronni, „A Trust-Aware, P2P-Based Overlay for Intrusion Detection, „17th International Conference on Database and Expert Systems Applications (DEXA’06), pp. 692-697, September 2006.
. Kiho Shin, Yoonho Kim, Yanggon Kim, “ An Effective Authentication Scheme in Mobile Ad Hoc Network,“ Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD’06), pp. 249-252, June 2006.
. Rafael R. Obelheiro, Joni da Silva Fraga, „A Lightweight Intrusion-Tolerant Overlay Network,“ Ninth IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing (ISORC’06), pp. 496-503, April 2006.
by Shahid Shehzad