ARTIFICIAL IMMUNE FUZZY INTRUSION DETECTION ALGORITHM OVER MANET

MAHA ABDELHAQ

THESIS SUBMITTED IN FULFILMENT OF THE DEGREE OF DOCTOR OF PHILOSOPHY

FACULTY OF INFORMATION SCIENCE AND TECHNOLOGY
UNIVERSITI KEBANGSAAN MALAYSIA
BANGI

2014

ARTIFICIAL IMMUNE FUZZY INTRUSION DETECTION ALGORITHM OVER MANET

MAHA ABDELHAQ

THESIS SUBMITTED TO OBTAIN THE DEGREE OF DOCTOR OF PHILOSOPHY

FACULTY OF INFORMATION SCIENCE AND TECHNOLOGY
UNIVERSITI KEBANGSAAN MALAYSIA
BANGI

2014

DECLARATION

I hereby declare that the work in this research is my own except for quotations and
summaries which have been duly acknowledged.

24th March 2014

MAHA ABDELHAQ
P50000

ACKNOWLEDGMENTS

First and foremost, all praise to Almighty Allah for his blessings and patience, as well
as for providing me with good health during this research.
This work is dedicated to the soul of my father, from whom I learned faith,
strength, and determination. This work is also dedicated to my family, especially my
beloved mother, who has shone an everlasting light on my mind and heart. Of course,
this research is dedicated to my husband, Dr. Raed Alsaqour, who not only lives in my
heart, but also shares my thoughts, ideas, and principles in different fields of science. I
am grateful to my husband, who spent so much time guiding me in the best way he
can and surrounding me with care and support.
I am grateful to my great brother, Shawkat Abdelhaq, for his continuous
encouragement, love, and care. I thank my sisters for their unconditional love and
support.
This work is also dedicated to the souls of martyrs (Shohadaa) in my beloved
country, Palestine, and to the Arab revolution martyrs in Tunis, Libya, Yemen, Syria,
and Egypt. I greatly appreciate the Egyptian Muslim Brotherhood for their struggle
and sacrifice. In particular, I would like to show my appreciation for the legitimate
leader of Egypt, Dr. Mohammad Morsi, who taught me many things that are greater
than the limits of completing my PhD studies and of higher value than merely
obtaining a certificate and work. Dr. Morsi taught me determination, patience, and
persistence to pursue my aspirations to achieve a better life for Arab countries and
Muslim Ummah.
I thank my supervisors, Dr. Rosilah Hassan and Prof. Mahamod Ismail, for
their guidance and support. I also thank Immunologist Prof. Daud Israf of University
Putra Malaysia (UPM) for his assistance and advice. Finally, I thank my research
group for their help and friendship and for creating a pleasant working environment
throughout my years of study in Universiti Kebangsaan Malaysia.

ABSTRACT

A mobile ad hoc network (MANET) is a collection of mobile, decentralized and
self-organizing nodes that is used in special cases such as military purposes. The
properties of MANET render its environment vulnerable to different types of attacks,
namely black hole, wormhole and flooding-based attacks. Flooding-based attacks are
among the most dangerous attacks and could paralyze the functionality of the whole
network. In essence, flooding attacks overflow the network with bogus packets and can
be performed through various types of attacks: resource consumption attack (RCA),
hello flood, routing table overflow, rushing attacks and exploiting node penalizing
schemes. In order to secure MANET from attacks, many researchers have introduced
intrusion detection algorithms based on artificial immune systems (AISs). This is
because AISs utilize the human immune system (HIS) analogy to introduce efficient,
self-defensive and self-organizing algorithms, which could meet the challenges of the
MANET environment. However, the current AIS algorithms lack the generality needed to
secure a standard routing protocol over MANET from a wide range of attack techniques
with high accuracy and low false positive rates. In addition, research has paid less
attention to introducing an AIS algorithm that could reduce the effect of the attack on
the main network performance metrics. The main objective of this research is to develop
an efficient, self-defensive and self-organizing computational intelligent algorithm
which combines the relevant features of danger theory-based AISs and fuzzy logic theory.
This is done by drawing inspiration from the detection functionality of dendritic cells
(DCs) in the HIS and the accurate decision-making functionality of fuzzy logic theory to
introduce an AIS intrusion detection algorithm called the Dendritic Cell Fuzzy Algorithm
(DCFA). The proposed algorithm has been tested and verified by detecting a denial of
service (DoS) attack, namely RCA, using the QualNet version 5.0.2 simulator over MANET.
The research has found that AIS is efficient for developing intrusion detection
algorithms with high accuracy and low false positive rates. Moreover, the results show
the capability of DCFA to perform the detection operation with high efficiency and
effectiveness.

ABSTRAK

A mobile ad hoc network (MANET) is a group of mobile, decentralized and
self-organizing nodes used in special cases such as military use. The nature of MANET
leaves its environment exposed to various types of attacks such as black hole, wormhole
and flooding-based attacks. Flooding-based attacks are among the most dangerous attacks
and can paralyze the functionality of the whole network. In essence, flooding attacks
use a technique that depends on overflowing the network with bogus packets and can be
carried out through several types of attacks, namely resource consumption attack (RCA),
hello flood, routing table overflow, rushing attacks and exploiting node penalizing
schemes. To protect MANET from attacks, many researchers have introduced intrusion
detection algorithms based on artificial immune systems (AISs). This is because AISs use
the human immune system (HIS) analogy to introduce efficient, self-defensive and
self-organizing algorithms that can meet the challenges of the MANET environment.
Nevertheless, current AIS algorithms are not general enough to secure a standard routing
protocol over MANET against a wide range of attack techniques with high accuracy and a
low false positive rate. In addition, research has paid less attention to introducing an
AIS algorithm that can reduce the effect of attacks on the main network performance
metrics. The main objective of this study is to develop an efficient, self-defensive and
self-organizing lightweight intelligent computational algorithm that combines the
relevant features of danger theory-based AISs with fuzzy logic theory. This is done by
drawing inspiration from the detection function of dendritic cells (DCs) in the HIS and
the accurate decision-making function of fuzzy logic theory to introduce an AIS
intrusion detection algorithm called the Dendritic Cell Fuzzy Algorithm (DCFA). The
proposed algorithm has been tested and verified by detecting a denial of service (DoS)
attack, namely RCA, using the QualNet version 5.0.2 simulator over MANET. The research
found that AIS is efficient for developing intrusion detection algorithms with high
accuracy and a low false positive rate. Moreover, the findings show the capability of
DCFA to carry out the detection operation with high efficiency and effectiveness.

TABLE OF CONTENTS

DECLARATION
ACKNOWLEDGMENTS
ABSTRACT
ABSTRAK
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
LIST OF ABBREVIATIONS
LIST OF SYMBOLS

CHAPTER I  INTRODUCTION
1.1  Research Background
1.2  Problem Statement
1.3  Research Objectives
1.4  Research Contributions
1.5  Research Scope
1.6  Research Methodology
1.7  Thesis Outline

CHAPTER II  LITERATURE REVIEW
2.1  Introduction
2.2  Mobile Ad hoc Network
     2.2.1  MANET Characteristics
     2.2.2  MANET Routing Protocols
2.3  Security over MANET
     2.3.1  Security Primitive
     2.3.2  Security Goals
     2.3.3  Types of Attacks over MANET
2.4  Studies in the Effects of Attacks over MANET
2.5  The Human Immune System in Biology
     2.5.1  Introduction to HIS
     2.5.2  The HIS Cells
     2.5.3  Innate and Adaptive Immunity
     2.5.4  T-Cells
     2.5.5  Dendritic Cells
     2.5.6  Self Non-Self and Danger Theories
2.6  Fuzzy Logic Theory
2.7  Intrusion Detection Systems
     2.7.1  Non Intelligent Intrusion Detection Systems
     2.7.2  Intelligent Intrusion Detection Systems
2.8  Summary

CHAPTER III  METHODOLOGY
3.1  Introduction
3.2  The Analogy Between MANET and The Innate Immunity
3.3  Danger Theory Model
3.4  Biological Model of Dendritic Cells
3.5  Antigens and Signals
     3.5.1  Antigens
     3.5.2  Input Signals
     3.5.3  Output Signals
3.6  Biological Model of T-Cells
3.7  Ad Hoc on-Demand Distance Vector Routing Protocol
3.8  Vulnerability of AODV to RCA
3.9  Fuzzy Logic Theory
     3.9.1  Fuzzification
     3.9.2  Fuzzy Rules and Fuzzy Inference
     3.9.3  Defuzzification
     3.9.4  Fuzzy Logic and DC
3.10  Simulation Environment
     3.10.1  Simulation Parameters
     3.10.2  Performance Metrics
     3.10.3  Simulation Verification
3.11  Summary

CHAPTER IV  EFFECTS OF RCA ON MANET
4.1  Introduction
4.2  Experimental Design
4.3  Experimental Results for Scenario A
     4.3.1  Effects of RCA on Throughput and end-to-end Delay for Scenario A
     4.3.2  Effects of RCA on Total Energy Consumption for Scenario A
     4.3.3  Effects of RCA on Routing Overhead for Scenario A
4.4  Experimental Results for Scenario B
     4.4.1  Effects of RCA on Throughput and end-to-end Delay for Scenario B
     4.4.2  Effects of RCA on Total Energy Consumption for Scenario B
     4.4.3  Effects of RCA on Routing Overhead for Scenario B
4.5  Summary

CHAPTER V  DENDRITIC CELL FUZZY LOGIC ALGORITHM
5.1  Introduction
5.2  General Design of DCFA
5.3  DCFA Particulars
     5.3.1  DCFA Specifications
     5.3.2  Fuzzy Logic System Component
            I.  Fuzzification Stage
            II.  Defuzzification Stage
            III.  Fuzzy Inference and Aggregation
5.4  A Worked Example
5.5  Summary

CHAPTER VI  VERIFICATION OF DENDRITIC CELL FUZZY LOGIC ALGORITHM
6.1  Introduction
6.2  Experimental Settings
6.3  Experimental Results for Scenario C
     6.3.1  Evaluation of Security Performance for Scenario C
     6.3.2  Evaluation of Network Performance for Scenario C
6.4  Experimental Results for Scenario D
     6.4.1  Evaluation of Security Performance for Scenario D
     6.4.2  Evaluation of Network Performance for Scenario D
6.5  Comparison Between DCFA And Previous Work
6.6  Summary

CHAPTER VII  CONCLUSIONS AND FUTURE WORKS
7.1  Research Contributions
7.2  Achievements
7.3  Research Advantages and Limitations
7.4  Suggestions for Future Works

REFERENCES

APPENDICES
A:  List of Publications
B:  Simulation Screenshots

LIST OF TABLES
Table No.

2.1  Non intelligent intrusion detection systems
2.2  Intelligent intrusion detection systems
3.1  Analogy between innate immunity properties and MANET characteristics
3.2  Brief overview of the input signals
3.3  Brief overview of the output signals
3.4  A comparison between T-cells and DCs
3.5  Simulation parameters
3.6  Intrusion detection performance metrics
5.1  DCFA Model Components
5.2  DCFA data structure
5.3  Fuzzy sets of input variable s1
5.4  Fuzzy sets of input variable s2
5.5  Fuzzy sets of FLS(Si) output variable
6.1  Comparison Between DCFA And Previous Works

LIST OF FIGURES
Figure No.

1.1  Mapping of HIS model and MANET in AIS algorithm
1.2  Research Steps
2.1  Mobile ad hoc network
2.2  MANET routing protocols categories
2.3  Information security
2.4  Attacks over MANET
2.5  States of DC differentiations
3.1  Main functions of DCs
3.2  Main inputs and outputs of DC
3.3  Interaction among the input signals
3.4  AODV routing protocol
3.5  RCA
3.6  Fuzzy logic mechanism
3.7  Temperature membership function
3.8  Radio energy dissipation model (transceiver)
4.1  Distribution of RCA attackers with different positions
4.2  Effect of the number of attackers and their positions on throughput
4.3  Effect of the number of attackers and their positions on end-to-end delay
4.4  Effect of the number of attackers and their positions on the energy consumed in each mode
4.5  Effect of the number of attackers and their positions on total energy consumed
4.6  Effect of the number of attackers and their positions on the retried RREQs
4.7  Effect of the number of attackers and their positions on the initiated RREPs
4.8  Effect of increasing attackers' radio ranges
4.9  Effect of the attackers' radio range and flooding rate on throughput
4.10  Effect of the attackers' radio range and flooding rate on end-to-end delay
4.11  Effect of the attackers' radio range and flooding rate on energy consumption in each mode
4.12  Effect of the attackers' radio range and flooding rate on total energy consumed
4.13  Effect of the attackers' radio range and flooding rate on the retried RREQs
4.14  Effect of the attackers' radio range and flooding rate on the initiated RREPs
5.1  DCFA model
5.2  TGList in genes store
5.3  MTList in MT-cells
5.4  New pictured TGList
5.5  FLS applied by each DC
5.6  Membership functions of input variable s1
5.7  Membership functions of input variable s2
5.8  Output membership functions for output signal FLS(Si)
5.9  Graphical illustration of fuzzy system stages
6.1  Effect of the number of attackers on false positive rate
6.2  Effect of the number of attackers on true negative rate
6.3  Effect of the number of attackers on false negative rate
6.4  Effect of the number of attackers on true positive rate
6.5  Effect of the number of attackers on accuracy rate
6.6  Effect of the number of attackers on throughput
6.7  Effect of the number of attackers on end-to-end delay
6.8  Effect of the number of attackers on energy consumed in transmit mode
6.9  Effect of the number of attackers on energy consumed in receive mode
6.10  Effect of the number of attackers on energy consumed in idle mode
6.11  Effect of the number of attackers on total energy consumed
6.12  Effect of the number of attackers on the retried RREQs
6.13  Effect of the number of attackers on the initiated RREPs
6.14  Effect of the attackers' radio range on false positive rate
6.15  Effect of the attackers' radio range on true negative rate
6.16  Effect of the attackers' radio range on false negative rate
6.17  Effect of the attackers' radio range on true positive rate
6.18  Effect of the attackers' radio range on accuracy rate
6.19  Effect of the attackers' radio range on throughput
6.20  Effect of the attackers' radio range on end-to-end delay
6.21  Effect of the attackers' radio range on energy consumed in transmit mode
6.22  Effect of the attackers' radio range on energy consumed in receive mode
6.23  Effect of the attackers' radio range on energy consumed in idle mode
6.24  Effect of the attackers' radio range on total energy consumed
6.25  Effect of the attackers' radio range on the retried RREQs
6.26  Effect of the attackers' radio range on the initiated RREPs

LIST OF ABBREVIATIONS

ABAIS       agent-based AIS
AC          antigens controller
ADMR        adaptive demand-driven multicast routing
Ag          antigen agent
AIS         artificial immune system
AODV        ad hoc on-demand distance vector
AOMDV       ad hoc on-demand multipath distance vector
APC         antigen presenting cell
CBR         constant bit rate
CEDAR       core-extraction distributed ad hoc routing
CGSR        cluster head gateway switch routing
CIA         co-stimulation inspired approach
CPN         cognitive packet network
CREP        confirmation reply
CREQ        confirmation request
CSM         costimulatory molecules
DC          dendritic cell
DCA         dendritic cell algorithm
DCMP        dynamic core based multicast routing
DEAR        device and energy aware routing
DGR         direction guided routing
DoS         denial of service
DRM         dynamic route maintenance
DSDV        destination sequenced distance vector
DSR         dynamic source routing
FRREP       further route reply
FRREQ       further route request
FSR         fisheye state routing
G-BDODA     gossip-based distributed outlier detection algorithm
GPS         global positioning system
GPSR        greedy perimeter stateless routing
HIS         human immune system
H-LANMAR    hierarchical landmark routing
HSR         hierarchical state routing
IDS         intrusion detection system
IL-10       interleukin-10
IL-12       interleukin-12
LAN         local area networks
LANMAR      landmark ad hoc routing
LAR         location-aided routing
MAC         medium access control
MANET       mobile ad hoc network
MHC         major histocompatibility complex
MT-cell     Memory T-cell
NetTRIIAD   network threat recognition with immune inspired anomaly detection
NTBR        neighbor table based multipath routing
NT-cell     Naive T-cell
OLSR        optimized link state routing
PAMP        pathogen-associated molecular patterns
PIR         primary immune response
PRR         pattern recognition receptor
QoS         quality of service
RCA         resource consumption attack
RP          responding
RPQ         routing packets queue
RREP        route reply
RREQ        route request
RTT         round trip time
SID-RS      source intrusion detection routing security
SIFS        short inter frame space
SIR         secondary immune response
SOC         security operating system
ST-cell     Suppressor T-cell
TC agent    T-cells agent
TORA        temporally ordered routing algorithm
TTM         transmission time-based mechanism
WRP         wireless routing protocol
ZRP         zone routing protocol
FN          false negative
FP          false positive

LIST OF SYMBOLS

total energy consumed
total energy consumed in transmit, receive and idle modes
E1          energy consumed in transmit mode
E2          energy consumed in receive mode
E3          energy consumed in idle mode
membership value of the output parameter of each rule j
P_receive   power consumed in receive mode
P_transmit  power consumed in transmit mode
P_idle      power consumed in idle mode
P_on        power consumed in active mode
P_sp        power consumed in sleep mode
P_tr        power consumed in transient mode
Ri          rule number i
receive     time duration of the receive mode
transmit    time duration of the transmit mode
T_idle      time duration of the idle mode

CHAPTER I

INTRODUCTION

1.1 RESEARCH BACKGROUND

In the last few decades, many researchers have focused on the area of mobile ad hoc
network (MANET) as a wireless network with specific features not found in other
types of networks. The decentralization, rapid deployable topology and open wireless
medium of MANET increase its feasibility for application in rough structured areas,
such as earthquake and war territories. However, these features as well as the
limitations of MANET (i.e., sharing of channel bandwidth and the limitation in the
energy of nodes) make this network very vulnerable to different types of attacks.

MANET routing protocols can be easily attacked by identifying the targeted
points of vulnerability of the network protocols. Many intrusion detection systems
(IDSs) have been introduced to protect the routing protocols in MANETs. However,
the conventional cryptographic IDSs utilized to secure routing protocols in MANETs
increase the control overhead by transmitting extra security information (digital
signatures and function hashes) through routing packets. Moreover, the lack of fixed
infrastructure in MANET renders the use of certificate authorities infeasible. Thus, the
general trend at present is to employ lightweight computing algorithms to secure
MANET. Based on the many similarities between the human body tissue environment and
the MANET environment identified in this study, the robust defence achieved by the
human immune system (HIS) can be translated into an artificial immune system (AIS)
to protect MANET. AISs are defined as a set of computational algorithms or theories
that reflect one or more HIS concepts and principles (Wu & Banzhaf 2010).

The introduced AIS intrusion detection algorithms can detect attacks in a
decentralized and self-organizing manner, which means that central management
points in the security system are not necessary when AISs are applied. This advantage
renders the technique feasible for securing MANETs and addressing the limitations
and challenges of such networks.
HIS consists of numerous functions and concepts, which motivated computer
scientists to envision its utilization in intrusion detection systems. However, research
on immunology shows that HIS is extremely complex; evidence on how HIS operates
is conflicting and controversial (Greensmith 2007). Understanding the biology of the
human body does not necessarily mean being able to emulate all its models and
functions in detail. Adopting the concepts and principles that benefit the AIS
environment is enough to achieve the desired performance (M. Drozda et al. 2009;
Drozda et al. 2010).
Aickelin et al. (2003) attempted to improve the performance of previously
introduced AISs and established the danger project (Aickelin et al. 2003; Aickelin &
Cayzer 2002), which is primarily based on the danger theory in immunology. The danger
theory implies that the response of the immune system to incoming pathogens is based
mainly on the existence of danger or safe signals emitted from the body tissues and
caused by these pathogens (Matzinger 1994, 2001, 2002, 2007). In the danger project, a
group of computer scientists and immunologists map actual up-to-date immunology
into AIS (Greensmith 2007; Greensmith et al. 2005, 2008; Greensmith et al. 2010; Ou
2012).
The dendritic cell algorithm (DCA) is one of the most well-known danger
project contributions. It utilizes the role of the dendritic cells (DCs) in HIS as forensic
navigators and important anomaly detectors. DCs are defined as antigen presenting
cells in innate immunity; these cells either stimulate or suppress T-cells in adaptive
immunity, thereby controlling the type of response of the immune system (Wu &
Banzhaf 2010).

Although DCA is effective in real-time IDSs, its results register a high false
positive alarm rate and low detection accuracy rate because it is sensitive to the order
of the detected data. Thus, our research utilizes the danger theory model in
combination with fuzzy logic theory (Zadeh 1965) to propose a new DC fuzzy
intrusion detection algorithm (DCFA). DCFA promises high detection accuracy and
low false positive rate. Detection accuracy rate and false positive rate are the main
measurements that indicate the robustness of IDSs. Chapter II, Section 2.5 presents an
overview of HIS in biology to elucidate the importance of the DC biological model in the
human body.
A novel DCFA and its related model are introduced in this study. Using an
AIS-inspired algorithm promises to address the challenges of the MANET environment that
make it vulnerable to attacks. No research has been able to meet the requirements for
the detection of all types of attacks (Deng et al. 2002; Lima et al. 2009; Su &
Adviser-Boppana 2009). Thus, DCFA is verified and tested in this study to detect one of the
flooding-based attacks on MANET, namely, resource consumption attack (RCA).
DCFA can be generalized to detect other types of attacks on MANETs.
Figure 1.1 shows an abstract mapping of HIS and MANET. Each message in
MANET represents a pathogen entering the human body. Each node represents the
human body or a part of the human body. Therefore, each node must apply the
proposed algorithm to protect itself from intrusions similar to how each part of the
human body depends on the immune system to protect itself from dangerous
pathogens.

Figure 1.1 Mapping of HIS model and MANET in AIS algorithm. (a) Human immune
system (NIAIDS 2003), (b) MANET

1.2 PROBLEM STATEMENT

Securing MANET is a crucial research issue. The properties of MANET impede the
protection of the network's environment against attacks. MANET, as an open area of
wireless mobile nodes, allows external attackers to join the network easily and
masquerade as legitimate nodes (D. Wang et al. 2008). Moreover, the limited bandwidth
of a MANET also renders its nodes vulnerable to isolation and its communications
susceptible to frequent breaks. Furthermore, the lack of centralized authorization and
security cooperation adds to the susceptibility of the entire network to attacks.
MANET is open to many types of attacks. Flooding-based attacks are the most popular
types of attacks because such attacks are dangerous and effective (Ghazali & Hassan
2011).
HIS is the basis of the intrusion detection algorithms of AISs. These algorithms
detect different types of attacks. For example, Greensmith introduced a novel
danger-based AIS called the dendritic cell algorithm (DCA) to detect port scan attacks
over a wired network (Greensmith et al. 2005; Greensmith et al. 2010). DCA is inspired
by the capability of DCs to receive multiple antigens and signals, as well as to reveal
the context of each antigen. However, fusing the information from multiple signals and
antigens without any association between each antigen and its related signals increases
the percentage of error in the detection operation. Therefore, DCA suffers from high
false positive rates and low accuracy rates. The AISs introduced by Amaral (2011),
Chelly and Elouedi (2010) and Wallenta et al. (2010) depend mainly on the core of
DCA with certain adaptations. The work done by Amaral (2011) depends on DCA and
uses fuzzy logic theory instead of the fixed weights used in DCA. The introduced
algorithm is applied to detect faults in analog circuits, which is outside our research
scope. Chelly and Elouedi (2010) use fuzzy logic in the final stage of DCA to classify
the antigens after each antigen context has been decided according to DCA and its
empirical equation applied by Greensmith (2010); their enhancement has been
applied to detect abnormal behaviours in a specific data set. Wallenta et al. (2010)
applied DCA over wireless sensor networks (WSNs) to detect a flooding-based attack
called the cache poisoning attack. As all of the above-mentioned algorithms depend
mainly on DCA, they necessarily suffer from high false positive and low accuracy rates.
Like the previously introduced AIS-based IDSs, DCFA is inspired by the DC
biological model in HIS. Antigens and the related signals, which represent the detected
attack and its behaviours, are utilized by DCFA and the previous works. However,
DCFA makes an association between each antigen and its related signals, which is not
performed in the previous works. Also, DCFA does not depend on or enhance any of
the algorithms in the previous works. It is a standalone hybrid intelligent
algorithm. DCFA combines the relevant features of both danger theory-based
AISs and fuzzy logic theory. Unlike the works in the literature, DCFA utilizes two
main pathways of intrusion detection operation in its AIS part: the primary immune
response (PIR) pathway and the secondary immune response (SIR) pathway. The use of
each pathway is controlled by DCFA in order to achieve high security and network
performance.
The performance of each intrusion detection algorithm is measured by two
main metrics: false positive and accuracy rates. Current AIS algorithms produce high
false positive and low accuracy rates (Stibor et al. 2005; Wu & Banzhaf 2010). If an
AIS intrusion detection algorithm considers one or more normal nodes as attackers by
mistake, those nodes will be isolated from the network and the false positive rate will
increase. Hence, many normal nodes will be penalized by the AIS intrusion detection
algorithm as intruder nodes. Faulty detection of normal nodes leads to MANET
partitioning and degrades its performance as well. In contrast, if the AIS intrusion
detection algorithm considers one or more attackers as normal nodes by mistake,
this will encourage the attackers to disseminate the threat and continue degrading
MANET performance.
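
The following is an added illustration, not code from the thesis and neither DCFA nor Greensmith's DCA: on constructed RREQ observations it contrasts giving one pooled context to every antigen seen in a time window with scoring each antigen on its own signals, then reports the false positive and accuracy rates discussed above. The signals s1 and s2, the membership breakpoints, the three rules and the 0.5 thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed observations at one monitoring node, one dict per time window:
# source id -> (RREQs received from it, data packets that followed them).
# "N7" is the constructed flooder; every value here is invented.
WINDOWS = [
    {"N1": (2, 2), "N2": (1, 1), "N3": (3, 2)},
    {"N1": (2, 2), "N4": (2, 2), "N7": (60, 0)},
    {"N2": (1, 1), "N4": (3, 2), "N7": (55, 0)},
    {"N3": (2, 2), "N5": (1, 1), "N7": (70, 0)},
    {"N1": (1, 1), "N5": (2, 1), "N6": (4, 3)},
]
ATTACKERS = {"N7"}


def ramp(x, lo, hi):
    """Membership in a 'high' fuzzy set: 0 at or below lo, 1 at or above hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def fuzzy_context(rreqs, data):
    """Return a score in [0, 1]; above 0.5 is read as a 'mature' context.

    s1 = RREQ count in the window (danger-like signal, hypothetical).
    s2 = share of RREQs followed by data (safe-like signal, hypothetical).
    """
    s1_high = ramp(rreqs, 5, 15)
    s1_low = 1.0 - s1_high
    ratio = data / rreqs if rreqs else 1.0  # no requests: nothing suspicious
    s2_high = ramp(ratio, 0.2, 0.6)
    s2_low = 1.0 - s2_high
    # (firing strength, singleton output) for three hypothetical rules,
    # combined with min for AND and a weighted average for defuzzification.
    rules = [
        (min(s1_high, s2_low), 1.0),   # many requests, no traffic: mature
        (min(s1_high, s2_high), 0.5),  # many requests, real traffic: unsure
        (s1_low, 0.0),                 # few requests: semi-mature
    ]
    total = sum(w for w, _ in rules)
    return sum(w * out for w, out in rules) / total if total else 0.0


def classify(windows, associate):
    """Flag sources whose context is mature in more than half their windows.

    associate=False: one context per window from the pooled signals, given
    to every antigen seen in that window (fusion without association).
    associate=True: each antigen is scored on its own signals only.
    """
    mature, seen = defaultdict(int), defaultdict(int)
    for win in windows:
        pooled = fuzzy_context(sum(r for r, _ in win.values()),
                               sum(d for _, d in win.values()))
        for src, (rreqs, data) in win.items():
            score = fuzzy_context(rreqs, data) if associate else pooled
            seen[src] += 1
            mature[src] += score > 0.5
    return {s for s in seen if mature[s] / seen[s] > 0.5}


def rates(flagged, windows, attackers):
    """False positive, false negative and accuracy rates over all sources."""
    nodes = {s for win in windows for s in win}
    tp = len(flagged & attackers)
    fp = len(flagged - attackers)
    fn = len(attackers - flagged)
    tn = len(nodes) - tp - fp - fn
    return {
        "fp_rate": fp / (fp + tn) if fp + tn else 0.0,
        "fn_rate": fn / (fn + tp) if fn + tp else 0.0,
        "accuracy": (tp + tn) / len(nodes),
    }


if __name__ == "__main__":
    for label, assoc in (("pooled", False), ("associated", True)):
        flagged = classify(WINDOWS, assoc)
        print(label, sorted(flagged), rates(flagged, WINDOWS, ATTACKERS))
```

In the pooled run the normal node N4 is flagged only because both windows in which it was observed also contained the flooder, which is the kind of error that isolates legitimate nodes.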
Current research shows less interest in studying in depth the effects of RCA on
MANET performance metrics such as throughput, end-to-end delay, energy
consumption and routing overhead. Also, RCA has not been analyzed under varying
factors that affect the efficiency of the attack itself, such as the attackers'
flooding rate, radio range, the position of the attack in the network and the
number of attackers in a group attack. Therefore, an efficient, self-defensive and
self-organizing AIS intrusion detection algorithm with low false positive and high accuracy
rates must be introduced to protect MANET and increase its robustness. In addition,
securing MANET should not add overheads to its performance metrics. This research
attempts to achieve this.

1.3 RESEARCH OBJECTIVES

The core objective of this research is to build a new robust intrusion detection
algorithm for MANET by achieving the following precise objectives:
i. To develop a simulation model platform for a flooding-based attack and a
countermeasure for that attack over MANET.
ii. To implement and analyze the flooding-based attack, namely RCA, over
MANET.
iii. To develop and evaluate a standalone AIS-based intrusion detection algorithm
which can detect RCA over MANET.

1.4 RESEARCH CONTRIBUTIONS

This research contributes to the literature as follows:
i. A new RCA attack and its countermeasure DCFA models have been developed
and added to QualNet v5.0.2 to be implemented over MANET.
ii. New factors have been introduced to implement and analyze RCA over
MANET, specifically, varying the number of attackers in combination with the
attackers' positions, and varying the attackers' radio range and flooding rate.
iii. A new AIS-based algorithm and its related model have been developed and
evaluated. The model has been added to QualNet v5.0.2 to be tested on both
security and network measurements. Five security performance metrics have
been used to test DCFA, specifically false positive, false negative, true
positive, true negative and accuracy rates. Also, four network performance
metrics have been used to test DCFA: throughput, end-to-end delay,
energy consumption and routing overhead.

1.5 RESEARCH SCOPE

This research is concerned with the development of a danger theory-based AIS
intrusion detection algorithm. The proposed algorithm utilizes innate immunity cell
functions as forensic navigators and anomaly-based intrusion detectors in human body
tissues. The focus is on the functions of DCs in innate immunity.
The decision of whether DCs' contexts are mature or semi-mature is
implemented with fuzzy logic theory. Verification of the proposed algorithm is
performed on MANET to detect a flooding-based attack called RCA, which is also
called sleep deprivation attack. RCA can be detected in an AODV routing protocol
(Boukerche et al. 2011; Perkins et al. 2003; Perkins & Royer 1999; Royer & Toh
1999; Taneja & Kush 2010). Simulation using QualNet v5.0.2 has been used to test
both the effect of RCA and the performance of the proposed DCFA.

1.6 RESEARCH METHODOLOGY

As shown in Figure 1.2, this research is conducted in five phases. Phase one includes
building a comprehensive literature review from all types of published documents,
such as papers, surveys and books related to the research scope. Phase two includes
conducting a simulation to analyze the effect of flooding-based attacks, RCA in
particular, on specific MANET performance metrics such as throughput, end-to-end
delay, energy consumption and routing overhead. In Phase three, an AIS intrusion
detection algorithm called DCFA and its related model have been developed. Phase
four includes conducting a simulation to verify the effectiveness of the proposed AIS
algorithm; the performance evaluation results are analyzed. Figure 1.2 provides a
summary of the research steps. Finally, the results obtained from applying both RCA
and the proposed DCFA have been analyzed in phase five.

Figure 1.2 Research steps


1.7 THESIS OUTLINE

This research is structured as follows. Chapter II presents the review of related
literature. MANET concepts, challenges and routing protocols are introduced. Security
issues are then discussed followed by the efforts to study the effects of attacks on
MANET. Chapter II also presents the biological background of the danger theory in
HIS and provides a brief introduction of fuzzy logic theory. Furthermore, current
research efforts to develop intrusion detection algorithms and AIS algorithms to
protect routing protocols in MANET are surveyed and classified.
Chapter III presents the methodology employed in this research. The danger
theory model, which is the basis of the proposed AIS algorithm, is described. The
AODV routing protocol as the underlying routing protocol in this research and its
vulnerability to RCA are also discussed in this chapter. A detailed description of fuzzy
logic theory is presented and the simulation environment design, simulation
parameters and performance metrics employed in the experiments are detailed. The
vulnerability of AODV routing protocol to RCA is discussed comprehensively in
Chapter IV. A set of experiments and a simulation are conducted to determine the
negative effects of RCA on critical network performance metrics.
The formal description of the proposed AIS intrusion detection algorithm
called DCFA is introduced in Chapter V. The capability of the DCFA algorithm to
detect RCA is analyzed in Chapter VI. This chapter also presents the evaluation of the
network performance metrics when DCFA is applied. Finally, Chapter VII provides a
summary of the thesis as well as recommendations for future research.


CHAPTER II

LITERATURE REVIEW

2.1 INTRODUCTION

This chapter reviews the work related to this research. It introduces a
background for MANET and its related topics such as routing and MANET special
characteristics. Security issues over MANET are also explained. In addition, this
chapter summarizes a set of research studies on the effects of attacks over MANET.
Furthermore, it reviews the biological concepts and functions of the HIS and discusses
the previously introduced AIS-based and non-AIS-based intrusion detection
algorithms.

2.2 MOBILE AD HOC NETWORK

MANET is defined as a rapidly deployable, self-organisable and multi-hop wireless
network. It is typically set up for a limited period of time and for particular
applications such as the military, disaster areas and medical applications. Nodes in
MANET may move arbitrarily while communicating over wireless links. This network
is typically used in situations where there is no centralized administration or support
from networking infrastructure such as routers or base stations. Thus, nodes must act
as router end-systems and organize themselves in an efficient manner (Chlamtac et al.
2010; Murthy & Manoj 2004).
Figure 2.1 depicts an example of such a MANET with 9 nodes. In the figure, the
circle around each node represents its radio range. Node S has one neighboring node,
node number 1, within its radio range, but the destination D is beyond its radio range.
Thus, to communicate with D, S must use a multi-hop path S 1 2.


Figure 2.1 Mobile ad hoc network

2.2.1 MANET Characteristics

Many up-to-date studies treat MANET as a new technology with specific
characteristics that distinguish its environment from other types of
networks. These characteristics are as follows (Çayırcı & Rong 2009;
von Mulert et al. 2012; D. Wang et al. 2008):

C1-Openness: MANET nodes communicate with each other through an open
wireless medium. Hence, outside attackers can easily join the trusted node
environment.

C2-Limited resources: MANET has limited power and bandwidth capacity.

C3-Mobility and Dynamicity: MANET consists of highly mobile nodes, which
cause highly dynamic topology changes and reconfiguration.

C4-Wireless medium signalling: The nodes in MANET interact with each
other through wireless signalling.

C5-Flexibility: MANET can be deployed in any type of area, even unstable
ones such as areas used for military purposes or areas of frequent natural
disasters.

C6-Decentralization and self-organizing: MANET is an infrastructure-less
wireless network with no centralized management points. Every node manages
itself and can help manage the other nodes by sending alarm messages
when an attacker is detected.

C7-Distributed Computation: Each node performs routing processing and
security processing and informs the other nodes to help the network survive.

2.2.2 MANET Routing Protocols

In all types of networks, routing is the process of discovering a certain
destination node at the request of a source node that needs to send data
packets to that destination, and of maintaining the connection between them. However,
routing over dynamic mobile nodes in MANET is a challenge that many routing
protocols attempt to solve (Royer & Toh 1999; Zhao 2005). Any algorithm introduced
over MANET, whether for routing or security, should deal efficiently with a set of
aspects. It should perform distributed computing in each node in a decentralized,
self-organizing and self-healing manner. At the same time, the algorithm should
adjust its functionality to transfer data over limited bandwidth while consuming a
limited amount of energy (Alotaibi & Mukherjee 2011).
In previous years, routing protocols were classified, based on the routing information
updating mechanism, into two main categories: reactive and proactive routing
protocols.
At present, the scalability problem that arises with a high number of disseminated
nodes, the need to deal with the limited battery power of the flying nodes, and
continuous attempts to enhance the previously introduced routing protocols have all
led to the new categories of routing protocols over MANET shown in Figure 2.2
(Boukerche et al. 2011).
In reactive (or on-demand) routing protocols, the source node requests a route to
a destination node, when needed, by flooding route request packets to its
neighbors in a stage called route discovery. The source node may request only one path
(uni-path) to the destination node, as in the AODV routing protocol.

In proactive (or table-driven) routing protocols, the source node preserves routing
information to all existing network destinations in a routing table. Accordingly, the
route to the destination is established proactively, unlike in the reactive
category described above. As with reactive routing protocols, proactive routing
protocols are divided into uni-path and multi-path routing protocols. For instance,
destination-sequenced distance-vector (DSDV) (Perkins & Bhagwat 1994) is a uni-path
routing protocol, whereas neighbor table-based multipath routing (NTBR) (Yao et al.
2003) is a multi-path proactive routing protocol.

Figure 2.2 MANET routing protocols categories


Hybrid routing protocols combine the relevant features of both reactive and
proactive routing protocols. Zone routing protocol (ZRP) (Samar et al. 2004) is an
example of this category. In multicast routing protocols, the source node may discover
routes for several destinations simultaneously. An example of this category is
dynamic core based multicast routing (DCMP) (Das et al. 2002).
In geographical (or location-aware) routing protocols, each node can
determine the geographical location of the other nodes and use this information in its
routing protocol. Specifically, the node can use global positioning system (GPS) to
determine the accurate coordinates of any destination for its communication. An
example of this category is location-aided routing (LAR) (Ko & Vaidya 2000).
In hierarchical routing protocols, mobile nodes are arranged hierarchically
through clustering techniques. Consequently, the nodes in a higher level of the
hierarchy are responsible for providing special services for other nodes. This technique
reduces the routing overhead and solves the scalability problem, especially when the
size of MANET becomes larger. An example of this category is hierarchical state
routing (HSR) (Iwata et al. 1999). Finally, power-aware routing schemes have been
built to take routing decisions based on the available energy in the mobile nodes.
An example of this category is power aware routing in mobile ad hoc networks
(Singh et al. 1998).

2.3 SECURITY OVER MANET

Information security, as shown in Figure 2.3, is categorized into two main
branches: computer security and communication security. Computer security protects
the host from both hardware and software intrusions, such as damaging hardware
components and worms or viruses that violate the security services in each part
respectively. Communication security protects the link from passive and active
attacks.
Communication security is divided into two subcategories: transmission
security and emanation security. Transmission security, which is the scope of this
research, is defined as securing the transmitted data from being revealed to
unauthorized users and securing the link services from being disrupted. Emanation
security secures visual and audio information from being revealed by the receivers
(Çayırcı & Rong 2009).


Figure 2.3 Information security

In any secured system, adding more security functions means adding more
overhead (Sommerville 2004). In MANET this poses a big challenge that may
degrade the network performance. So, securing MANET through lightweight functions
to achieve the intended security goals is very important. It is worth noting that no
system in the world is perfectly, 100% secure.

2.3.1 Security Primitives

Intrusion detection systems form a line of defence that captures any malicious
action trying to violate one of the security services. The following intrusion detection
categories are well known and are used in any intrusion detection technique (Brutch
& Ko 2003):

- Signature detection: this technique aims to keep all of the well-known attacks
  in its database so that it can accurately and effectively detect any encountered
  attack. However, this technique fails to detect newly invented attacks.

- Anomaly detection: this technique uses a normal profile for each calculated
  parameter, which is updated at each period of time. When an abnormal
  parameter enters the system, a large enough deviation could reveal the
  existence of an attack. The strength of this technique is its ability to detect
  even a newly invented attack. However, it may produce high rates of false
  positive alarms.
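The anomaly-detection technique above, as an added example that is not code from the thesis: a normal profile of one parameter is refreshed every period, and a deviation beyond k standard deviations raises an alarm. The monitored parameter (RREQs per second from one neighbour), the smoothing factor, k, the sample trace and its ground truth are all assumptions constructed for illustration, and the rate formulas are the standard ones rather than the thesis's own.

```python
"""Anomaly detection over a periodically updated normal profile (added example)."""
from dataclasses import dataclass


@dataclass
class Profile:
    """Normal profile of one monitored parameter, refreshed every period."""
    mean: float
    var: float
    alpha: float = 0.2  # assumed weight of the newest period in the update

    def deviation(self, x):
        """Distance of x from the profile, in standard deviations."""
        return abs(x - self.mean) / max(self.var ** 0.5, 1e-6)

    def update(self, x):
        """Fold a period judged normal into the profile (exponential average)."""
        diff = x - self.mean
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)


def build_profile(warmup):
    """Initial profile from a warm-up window that is assumed to be attack-free."""
    mean = sum(warmup) / len(warmup)
    var = sum((x - mean) ** 2 for x in warmup) / len(warmup)
    return Profile(mean, var)


def detect(rates, warmup=5, k=3.0):
    """Return one alarm flag per period after the warm-up window."""
    profile = build_profile(rates[:warmup])
    alarms = []
    for x in rates[warmup:]:
        alarm = profile.deviation(x) > k
        alarms.append(alarm)
        if not alarm:  # alarmed periods never enter the normal profile
            profile.update(x)
    return alarms


def score(alarms, truth):
    """Confusion counts plus accuracy, true-positive and false-positive rates."""
    tp = sum(a and t for a, t in zip(alarms, truth))
    fp = sum(a and not t for a, t in zip(alarms, truth))
    fn = sum(t and not a for a, t in zip(alarms, truth))
    tn = len(truth) - tp - fp - fn
    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn,
            "accuracy": (tp + tn) / len(truth),
            "TPR": tp / (tp + fn) if tp + fn else 0.0,
            "FPR": fp / (fp + tn) if fp + tn else 0.0}


# Constructed sample: RREQs per second heard from one neighbour, one value per
# period. The first five values are the warm-up window.
RATES = [2, 3, 2, 4, 3, 3, 2, 4, 12, 3, 20, 30, 2]
# Constructed ground truth for the eight periods after warm-up: 12 is a
# legitimate burst of route discoveries, 20 and 30 are flooding periods.
TRUTH = [False, False, False, False, False, True, True, False]

if __name__ == "__main__":
    flags = detect(RATES)
    print(flags)
    print(score(flags, TRUTH))
```

The legitimate burst of 12 RREQs/s is flagged even though it is not an attack, which is the false-positive cost the list item describes.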


2.3.2 Security Goals

Security is an important aspect in wireless ad hoc networks, especially for the more
sensitive applications in military and critical tactical wireless networks. To the best of
our knowledge, until now no research has achieved a fully secured MANET that is
protected against all types of attacks (Greensmith 2007; Su & Adviser-Boppana
2009).
However, security systems strive to fulfil as many of the security goals as they
can. The goals of security are to achieve the following services (Çayırcı & Rong
2009; Juels 2006; Su & Adviser-Boppana 2009):

- Authentication: ensures that the node is communicating with the
  intended and correct node.

- Access control: protects the nodes and the network resources from being
  accessed by unauthorized users.

- Confidentiality: protects the transmitted data from being revealed to
  unauthorized users. This service is very important to protect messages
  transmitted in sensitive cases such as military messages in war and the
  country's secret information connections.

- Integrity: protects the messages transmitted through the link from being
  changed along their path by malicious nodes, so they have to be delivered with
  the same contents as they were sent by the source node.

- Authorization: gives the claimed node the right to either modify the
  information or receive it. It is achieved through integrity and authentication
  services.

- Non-repudiation: ensures that the source node of the message is the one who
  sent it in reality and not someone else.

- Availability: ensures the existence of network services and resources without
  any depletion or disruption by the malicious nodes. This service is performed
  against denial of service (DoS) attacks.

- Resilience to attacks: ensures the survivability of the network if one or more
  nodes have been destroyed or compromised by the intruder.

- Freshness: prevents the malicious node from resending spoofed packets and
  renewing the intrusion.

2.3.3 Types of Attacks over MANET

There are many types of attacks that form a real threat when applied on MANET; each
type of attack differs from the others in the way the threat is applied, the goal of
the attack and the stack layer that is targeted by the attacker. A summary of the
MANET attacks is shown in Figure 2.4. Some attacks are passive and others are
active. Active attacks may be internal or external. In an internal attack, the
attacker is located inside the attacked MANET, which makes it dangerous because the
attacker is initially considered a trusted node. In an external attack, however,
the attacker comes from outside the MANET, so it is easier to detect because it
is not well trusted. Passive attacks have been only performed internally.


Figure 2.4 Attacks over MANET


Active and passive attacks are defined as follows (Çayırcı & Rong 2009; D.
Wang et al. 2008):

Passive attack: in this type of attack, the intruder only monitors certain
connections to get information about the traffic, without
injecting any fake information. This type of attack helps the attacker to gain
information and build a footprint of the invaded network in order to apply the
attack successfully. The types of passive attacks are eavesdropping and traffic
analysis (Çayırcı & Rong 2009); each one is explained as follows:

- Eavesdropping: The intruder silently listens to the communication by tapping
  the wireless link.

- Traffic analysis: The intruder analyses the traffic communications in order to
  gain information about the network topology and hence inject the attack in a
  strategic place (e.g. near the cluster head) that helps the threat succeed.

Active attack: in this type of attack, the intruder performs an effective violation
on either the network resources or the data transmitted; this is done by causing
routing disruption, network resource depletion and node isolation. Below is a list
of active attacks and a brief explanation of each type. Some active attacks depend
on a mechanism of flooding bogus packets to achieve their threat purposes. The last six
attacks in the list are examples of flooding-based attacks over MANET. All of the
listed attacks lead to a DoS attack when launched over MANET.

- Black hole: The intruder injects the control routing packets with fake
  information in order to attract the node that requested the route and hence gain
  that route. After the intruder acquires the route, the intruder could apply
  different types of attacks such as dropping and modifying packets (von Mulert
  et al. 2012; Yih-Chun & Perrig 2004).

- Gray hole: Same as the black hole attack; however, when the intruder succeeds in
  controlling the route, the intruder selectively drops and modifies the packets
  (D. Wang et al. 2008).

- Worm hole: In this attack, at least two intruders cooperate, communicating
  through a high-speed link to deceive nodes into wrongly considering the
  malicious link to be the shortest path to the destination node
  (von Mulert et al. 2012).

- Dropping packets: The intruder simply drops a packet in the network that is
  destined for the target node. If it performs selective dropping, it will be
  harder to detect (Baadache & Belmehdi 2012).

- Sybil: In this attack, the intruder masquerades under the identity of multiple
  nodes.

- Selfishness: In this attack, the intruder does not relay the others' received
  packets and forces the other nodes into long back-offs on the
  medium access control (MAC) layer so that it can use the link at any time
  (Çayırcı & Rong 2009; Kargl et al. 2005).

- Detour: In this attack, the intruder creates virtual nodes on the optimal routes
  so that they appear longer and costlier than the other, non-optimal routes; this
  forces the nodes to wrongly use the non-optimal route (Çayırcı & Rong 2009).

- Rushing: In this attack, the intruder broadcasts route request and reply
  packets very quickly in order to make the nodes discard any other control
  packet in the network (von Mulert et al. 2012; Yih-Chun & Perrig 2004).

- Exploiting node penalizing schemes: In this attack, the intruder broadcasts
  error messages about well-performing nodes and causes jamming so that
  these nodes are put on the blacklist (Çayırcı & Rong 2009).

- Routing table overflow: In this attack, the intruder overflows the nodes'
  routing tables with fake routing information (D. Wang et al. 2008).

- Hello flood: In this attack, the intruder broadcasts hello messages to all the
  network nodes using power strong enough to be wrongly considered as their
  neighbour (Çayırcı & Rong 2009).

- RCA: also called sleep deprivation attack; it is explained extensively
  in Section 3.8.

2.4 STUDIES IN THE EFFECTS OF ATTACKS OVER MANET

Studying the effect of a certain attack over MANET reveals the strengths
and weaknesses of that attack. Therefore, this stage of study is a prerequisite
to developing a countermeasure to the attack threats. The following
studies investigated the effect of certain attacks over MANET.


In (Gupta et al. 2002), Gupta et al. studied the effects of flooding attacks on the
802.11 MAC protocol. They measured the effects of such attacks on the throughput of
legitimate nodes. The legitimate nodes located one hop from the attackers are affected
at a much higher degree than those at two hops or more because the one-hop
neighbours of the attackers lose almost their entire throughput under suppression
caused by the flooding.
In (Gu et al. 2007), Gu et al. analyzed the effect of the distributed denial of
service (DDoS) attack on the throughput of legitimate nodes in MANETs. They
examined the effect of remote and local flooding attacks and found that remote
flooding more effectively damages MANETs than does local flooding.
However, the authors in (Yi et al. 2005) investigated the effect of executing
RCA over the AODV routing protocol and used packet delivery ratio only as a
performance metric. They observed that when a 30 RREQs/s flooding rate is applied,
the RCA attackers decrease the packet delivery ratio by about 97%. At a 20 RREQs/s
flooding rate, however, the attackers decrease the packet delivery ratio by about 50%.
Also, Ning and Sun in (Ning & Sun 2005) introduced a systematic analysis of
the AODV routing protocol under different attack actions. They explained how each
action is executed on each routing packet in AODV and the goal(s) achieved by
manipulating the protocol. The study is useful for researchers who are interested in
designing secure routing protocols, but the authors tested only one attacker.
Furthermore, they did not consider the vulnerability of AODV to RREQ packet
flooding attack, which strongly threatens the power capacity of network batteries.
In (Nguyen & Nguyen 2008), the authors simulated the effect of four types of
attacks, namely, rushing, black hole, neighbor and jellyfish attacks, on MANET. They
applied the attacks over the on-demand multicast routing protocol and found that as
the number of attackers increases, network performance decreases in all the four types
of attacks. They also determined that increasing the number of sender groups in
multicast routing protocols supports robustness and security.

In (Wallenta et al. 2010), Wallenta et al. measured the effectiveness and
efficiency of the interest cache poisoning attack on sensor networks (as a special type
of MANET). In burst attack, as a technique in interest cache poisoning attack, the
attacker continuously floods the network with numerous bogus packets which imposes
the worst effect on sensor caches.
Finally, in (Sakellari 2011), Sakellari evaluated the performance of the
cognitive packet network (CPN) (Gelenbe et al. 2002) routing protocol in MANETs
under the existence of worms and threats. CPN provides quality of service (QoS)
routing by self-learning from special packets. The evaluated performance was
compared with that of open shortest path first (Sidhu et al. 1993). CPN survives and
stays robust in guiding the network under the existence of worms.

2.5 THE HUMAN IMMUNE SYSTEM IN BIOLOGY

As immunology offers a wealth of biological models and concepts from which
computer scientists draw inspiration for their AIS algorithms, it is important to
understand HIS in biology. This section provides that background for the
discussion of AIS algorithms in this research.

2.5.1 Introduction to HIS

HIS is considered as a network of cells, molecules, tissues and organs (some of which
are lymph nodes) that cooperate with each other to protect the human body from invaders.
Human body invaders in biology are termed pathogens and antigens. Pathogens are
defined as the microbes that cause disease in the human body, such as bacteria,
viruses, parasites and fungi. Antigens, however, are the molecules or protein segments
(peptides) from pathogens. HIS can recognize pathogens through their correlated
antigens. Each antigen has a specific structure and hence forms a specific pattern to be
detected and processed by the HIS. As a consequence, HIS can recognize its related
pathogen and take the decision either to tolerate or fight that pathogen (Janeway et al.
2005; NIAIDS 2003).


2.5.2 The HIS Cells

In biology, cells are the main structural units which build all of the human body
systems such as the digestive, immune, lymphatic and cardiovascular systems. In any
organism system, cells of a specific functionality type congregate to form a particular
tissue. In the same way, a collection of tissues with the same characteristics forms a
specific organ. A group of organs with cooperating functions, in turn, works together
in the same biological system, such as HIS.
The cells in HIS interact continuously with the environment of the human body
tissues on one side and with each other in the immune system on the other
side. Each cell has receptors, which are proteins bound to the outer membrane of the
cell. These receptors have the capability to recognize various types of incoming
molecules from body tissues in a lock and key manner. The strength of the binding
between a certain receptor and molecule is called affinity.
This affinity causes receptor activation, which leads to many changes in the cell's
metabolism, morphology and functionality.
A molecule reacts with a certain receptor through its epitope portion, whilst a
receptor reacts through its paratope portion. Molecules that are secreted
from body tissues and control cell behaviors are called cytokines. However, those that
cause immune cells to move and migrate are called chemokines (Alberts 2002; Lodish
et al. 1995). Cells in HIS are divided into two main categories: phagocytes (or antigen
presenting cells (APCs)) such as DCs, granulocytes and macrophages in the innate
immunity, and lymphocytes such as T-cells and B-cells in the adaptive immunity
(NIAIDS 2003). The two main cooperative HIS subsystems are therefore explained in
subsection 2.5.3.

2.5.3 Innate and Adaptive Immunity

HIS is usually divided into two main subsystems: innate immunity and adaptive
immunity, each of which has specific functions and characteristics. Specifically,
innate immunity specializes in identifying the general pattern of the incoming
pathogens and inducing the adaptive subsystem to determine an exact response (either
toleration or fighting) for those pathogens (Janeway 1998). However, adaptive
immunity is more complex and accurate than the innate immunity. It can recognize
the specific pattern of the incoming pathogens and memorize their patterns for a long
time (Janeway et al. 2005).
As the innate immunity performs the defense in a non-specific manner while the
adaptive immunity protects the human body in a specific way, the reason behind the
complementary but different resistance operations of these two subsystems needs to be
explored. By navigating deeply in the cells of the two subsystems, the immunologists
found that in the innate immunity, the receptors of the same types of cells have a fixed
genetic structure and can only recognize a general feature of a group of the incoming
pathogens.

2.5.4 T-Cells

All of the human body's cells are born from stem cells initiated from bone marrow
through a stimulation operation. T-cells are born in the same way; however, they do not
stay static in the HIS but undergo a circular differentiation as a response to the
incoming signals (molecules). For example, when T-cells receive signals, this induces
their capability to produce cytokines and to be differentiated. Also, these cytokines may
influence other cells to be differentiated, such as B-cells in the adaptive immunity.
The maturation place for T-cells is a lymph node called the thymus. In the thymus,
T-cells go through two main maturation operations: positive selection and negative
selection. These operations are performed over T-cells in order to protect the human
body from autoimmunity. In other words, these operations filter the T-cells to prevent
them from binding with any of the human body antigens (self antigens). In positive
selection, T-cells that show a weak binding with non-self antigens are killed. In
negative selection, T-cells that show strong binding with self antigens are killed
(Kyewski & Derbinski 2004).
After the maturation stage, T-cells can be termed naive T-cells since they have
never met the antigens which can bind with their receptors. This type keeps moving
through the lymphatic and cardiovascular systems and body tissues until they encounter
DCs in the lymph nodes, as explained in the forthcoming subsection.

2.5.5 Dendritic Cells

DCs have three main differentiation states: immature, semi-mature and mature. When
immature DCs receive enough input signals, they become either semi-mature or
mature DCs based on the concentration of specific types of these input signals.
Immature DCs receive four types of input signals: PAMP, danger, safe and
inflammation signals. PAMP signals strongly indicate the existence of an infectious
pathogen. Danger signals are released by necrotic cells, which are human body cells
under stress or dying abnormally. Safe signals, however, are released by apoptotic
cells, which are healthy cells or cells that die in a normal way. Inflammation signals
are released as a result of an increase in the cells' temperature caused by an unhealthy
state or infection. DC input signals are divided into endogenous and exogenous signals.
Endogenous signals are those released from the cells of the body itself, such as safe,
danger and inflammation signals. However, exogenous signals are the signals released
from the microbes which enter the human body from the outside environment. An
example of this type is PAMP signals (Dasgupta et al. 2011).
When immature DCs are exposed to these input signals, the concentration of
each controls their next terminal differentiation state (either mature or semi-mature
DCs). For example, if the concentration of the received PAMP signals and danger
signals is greater than that of safe signals, the immature DCs differentiate
to mature DCs. PAMP and danger signals cause the receiving immature DCs to
process their contents and produce a certain cytokine called interleukin-12 (IL-12). Also,
PAMP and danger signals induce immature DCs to produce costimulatory molecules
(CSM), also called CD80/86 in biology. The CSM signal simplifies the process of antigen
presentation to the T-cells in lymph nodes. Conversely, if the concentration of safe
signals is greater than that of PAMP and danger signals, then immature DCs should
differentiate to semi-mature DCs. Also, safe signals are responsible for producing
interleukin-10 (IL-10) in this case. Additionally, safe signals induce the DCs to produce
CSM signals, the same as PAMP and danger signals. Therefore, the received input
signals indicate the behavioral context of the digested antigens, whether they are benign
or malignant.
Figure 2.5 pictures the three differentiation states of DCs. Although DCs have the
same receptor structure in the three differentiation states, they appear different in their
morphology. As noticed in Figures 2.5 (b) and (c), semi-mature and mature DCs have
wider surfaces than immature DCs. The reason is to increase the
capability of both mature and semi-mature DCs to show their receptors and bind with
T-cells' receptors when they are encountered in lymph nodes.

Figure 2.5 States of DC differentiations. (a) immature, (b) semi-mature, (c) mature
(Greensmith et al. 2010)

When immature DCs collect antigens from tissue, the antigens should be
digested into small segments of proteins called peptides. Major histocompatibility
complex (MHC) helps in presenting the peptides on the surface of the DCs,
forming a combination of peptide-MHC, so that it can be easily recognized by
T-cells. When immature DCs have been exposed to certain amounts of signals, they
migrate to the lymph nodes, in which they encounter naive T-cells (NT-cells). The
capacity of each immature DC for antigens and signals, and the concentration of the
external signals that causes immature DCs to migrate, are still ambiguous issues in
immunology (Greensmith 2007).
Activation of T-cells in the lymph node needs two signals to take place. The
first signal occurs when the T-cells' epitopes bind with the peptide-MHC on the surface
of the DCs in both cases of danger and safe existence. The second signal is either
emitted from the fully mature DCs as IL-12 to stimulate the T-cell to fight in the
danger state, or is emitted from the semi-mature DCs as cytokine IL-10 to suppress the
naive T-cell in the safe state (Bretscher 1999; e Sousa 2001; Oshashi & De Franco
2002).
The communication between DCs and T-cells is an example of the co-stimulation
concept applied by the immune system. Through co-stimulation, HIS cells
pass through a path of changes and may produce a population of cells to fight against the
incoming danger. For instance, when naive T-cells bind with mature DCs and receive
IL-12, they pass through a set of differentiation processes termed clonal
expansion. Clones are then differentiated into memory T-cells (MT-cells) and
suppressor T-cells (ST-cells). One type of effector T-cells, called cytotoxic T-cells,
is responsible for killing the incoming pathogen. MT-cells memorize the
recognized malignant pathogen to take a quick fighting response to that pathogen as
soon as it is detected in the body tissues. This type of quick and effective reaction to
the pathogens is called secondary immune response (SIR). However, if the immune
system needs to learn that pathogen through a long time of collection and activation
processes, this is termed primary immune response (PIR) (Janeway et al. 2005).

2.5.6 Self Non-Self and Danger Theories

Forrest et al. (1994) proposed a self non-self discrimination theory that
has been considered the essential basis for AIS to detect intrusions. Some up-to-date
studies still believe in its correctness and some follow its competitor, the danger theory
proposed by Matzinger (1994, 2001, 2002 and 2007). In self non-self, the HIS
tolerates all of the self antigens and fights against all of the non-self ones. Negative
selection is the main operation in the self non-self theory. In negative selection, the
T-cells which match self antigens are killed and hence the remaining T-cells are
considered as detectors for the non-self antigens. Applying negative selection in AIS
results in a scaling problem that leads to increased false positive and
false negative alarm rates.
Danger theory decides to fight the antigen only if a danger state
exists. So, unlike self non-self, in danger theory the state of danger or safety that
reflects the antigen's behaviour is the basic discrimination rule for treating it as
normal or as an attacker. Danger theory is more efficient because not all self antigens are
stable and safe to be tolerated and not all foreign antigens are harmful; for example,
some types of bacteria are useful for making vitamin K for the body. Also, according to
Matzinger (1994), there is ambiguity in the exact definition of self and non-self.
In real life, the human immune system does not tolerate the whole self set, nor does it
attack the whole non-self set. The theory has been developed over the years 2001,
2002 and 2007 (Matzinger 1994, 2001, 2002, 2007). A biological example of the
danger theory model is the interaction between DCs and naive T-cells.

2.6 FUZZY LOGIC THEORY

Fuzzy logic theory (Cox 1992) offers a natural way of representing and reasoning with
human knowledge involving uncertainty and ambiguity. Fuzzy logic was introduced
by Zadeh, a professor of computer science at the University of California, in 1965.
Zadeh's fuzzy logic theory (Zadeh 1965) provides a robust mathematical model for
dealing with inaccurate real-world data. This theory can be used as a general
methodology to incorporate knowledge, heuristics or theory into controllers and
decision makers. Zadeh presented the concept of fuzzy logic as a mathematical model
to represent human thought. Fuzzy logic is basically a multi-valued logic that allows
intermediate values to be defined between conventional values like cool and hot.
Notions like freezing, cool, warm or hot can be formulated mathematically and
processed by computers. In this way, an attempt is made to apply a more human-like
way of thinking in the programming of computers and the control of systems.
MANETs are complex and dynamic environments with a substantial number of
uncertainties associated with network and environmental parameters. Moreover,
MANETs are subject to unexpected overloads and failures, and they defy accurate
analytical modeling. For that reason, fuzzy logic appears to be a promising approach to
address many important aspects of current complex MANETs. Numerous fields have
taken advantage of fuzzy logic properties. In MANETs, fuzzy logic has been used to
improve decision-making, reduce resource consumption and increase performance. In
addition, fuzzy logic has been used to adaptively optimize protocol parameters more
accurately and dynamically. Areas in which fuzzy logic has been applied include
QoS-based routing (Huang et al. 2007; Khoukhi & Cherkaoui 2010; Lopes Gomes et
al. 2011; Xia et al. 2012; Zhang et al. 2004), energy-aware routing (Chang et al.
2006a, 2006b; Liang et al. 2007), security (Dai et al. 2009; Kayarkar 2012; Khatri et
al. 2010; Xia et al. 2011) and MAC protocols (Ren & Liang 2005).

2.7 INTRUSION DETECTION SYSTEMS

This section sheds light on two categories of IDSs: first, the non-intelligent
IDSs in subsection 2.7.1; second, the intelligent IDSs in
subsection 2.7.2. Subsection 2.7.1 discusses many techniques that have been
introduced to overcome specific types of attacks that are launched over a specific protocol
layer (e.g. network layer or data link layer). Subsection 2.7.2 explains the historical
development of some of the best-known AIS intrusion detection algorithms and
frameworks. As AIS-based IDSs are newly developed, few studies
have applied this type of IDS over MANET. Therefore, some of the mentioned
algorithms have been developed over wired networks, some are applicable over
MANET and only one (to the best of our knowledge) has been applied over
WSNs.

2.7.1 Non Intelligent Intrusion Detection Systems

Ping et al. (2006) presented a flooding-based attack called Ad Hoc Flooding Attack
(AHFA). In AHFA, the intruder broadcasts a high rate of RREQ packets towards certain
targeted nodes over MANET in order to consume their energy and the network
bandwidth. The authors proposed a simple mechanism to detect such an attack, called
Flooding Attack Prevention (FAP). In FAP, each node calculates the rate at which it
receives RREQ packets from each other node; if that rate exceeds a certain threshold, it
refuses to deal with the requests coming from the intruder. In this work, the authors tested
their proposed mechanism using only one network performance metric, the packet
delivery ratio. Accordingly, the mechanism improves the packet delivery ratio by only
30% compared with the case of zero protection under the effect of AHFA. The
mechanism fails when the attacker changes its IP address each time it floods its
faked RREQ; such an attacker cannot be detected by the proposed FAP.
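The per-originator rate check that FAP relies on, and the address-change blind spot noted above, as an added Python example (not code from Ping et al. or from this thesis). The window length, both thresholds, the addresses and the aggregate-load alarm are assumptions made for illustration; the aggregate alarm is not part of FAP.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000      # assumed observation window
PER_SENDER_MAX = 10   # assumed per-originator RREQ threshold per window
AGGREGATE_MAX = 40    # assumed cap on accepted RREQs per window (not part of FAP)


class RreqMonitor:
    """RREQ bookkeeping kept locally by one node."""

    def __init__(self):
        self.per_sender = defaultdict(deque)  # originator -> RREQ timestamps
        self.accepted = deque()               # timestamps of RREQs not denied
        self.denied = set()                   # originators currently ignored
        self.aggregate_alarm = False
        self.accepted_total = 0

    @staticmethod
    def _trim(queue, now):
        # Drop timestamps that have slid out of the window.
        while queue and now - queue[0] > WINDOW_MS:
            queue.popleft()

    def observe(self, ts_ms, originator):
        """Handle one received RREQ; return True if it is processed."""
        if originator in self.denied:
            return False
        q = self.per_sender[originator]
        q.append(ts_ms)
        self._trim(q, ts_ms)
        if len(q) > PER_SENDER_MAX:           # FAP rule: rate above threshold
            self.denied.add(originator)
            return False
        self.accepted.append(ts_ms)
        self._trim(self.accepted, ts_ms)
        self.accepted_total += 1
        if len(self.accepted) > AGGREGATE_MAX:
            # Total load is abnormal although no single originator is.
            self.aggregate_alarm = True
        return True


def replay(trace):
    """Feed a trace to a fresh monitor in timestamp order and return it."""
    monitor = RreqMonitor()
    for ts_ms, originator in sorted(trace):
        monitor.observe(ts_ms, originator)
    return monitor


# Constructed traces: (timestamp in ms, originator address claimed in the RREQ).
LEGIT = [(100, "10.0.0.1"), (600, "10.0.0.1"), (200, "10.0.0.2"),
         (700, "10.0.0.2"), (300, "10.0.0.3"), (800, "10.0.0.3")]
FIXED_FLOOD = LEGIT + [(i * 20, "10.0.0.66") for i in range(50)]
ROTATING_FLOOD = LEGIT + [(i * 20, f"10.0.9.{i}") for i in range(50)]
STEADY_NODE = [(i * 200, "10.0.0.4") for i in range(50)]  # 5 RREQ/s for 10 s

if __name__ == "__main__":
    for name, trace in [("fixed address", FIXED_FLOOD),
                        ("changing address", ROTATING_FLOOD),
                        ("steady legitimate node", STEADY_NODE)]:
        m = replay(trace)
        print(name, sorted(m.denied), m.accepted_total, m.aggregate_alarm)
```

With a fixed originator address the flooder is denied after its first ten requests; with a new address per request the per-originator rule denies nobody, and only the aggregate counter shows that the node is under load.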
Liu and Shen (2007) proposed a mechanism to mitigate the flooding attack, which
causes denial of service for the normal nodes in MANET. According to the
proposed mechanism, each legitimate node has to monitor its neighbours and the
traffic coming from each of them. Consequently, each legitimate node should arrange
its buffer by giving a certain partition or space to each neighbour. For example, if a
legitimate node has n neighbours, it should give only 1/n of its buffer space to each. If the
legitimate node receives more than 1/n from any of the neighbours, it will simply
discard the packets coming from that neighbour. This mechanism fails in the mobile
environment of MANET because it does not distinguish between the identities of
legitimate neighbours and attackers. If a group of attackers keep
moving among legitimate nodes, they will have a buffer space in each legitimate
node to inject their flood of faked packets and will succeed in exhausting the network
resources.
Venkataraman et al. (2009) proposed a trust-based mechanism through which
each legitimate node should classify the neighbouring nodes into three levels of
trust: friends (most trusted), acquaintances (trusted) and strangers (not trusted).
This classification is done according to certain parameters without using any of the
intelligent methods. The considered parameters are the ratio of packets forwarded by
the neighbour compared with the sent packets, the average response time of the neighbour
to route requests and the number of intact packets received from that neighbour
compared with the number of received packets. This mechanism fails in the same
failure scenarios as watchdog, described below.
Kim and Song (2010) proposed a period-based defence mechanism (PFM) to
detect the flooding attack, which floods request packets and data packets in order to
exhaust network resources such as bandwidth and node power capacity. In this
mechanism, each legitimate node should calculate the deviation of each received
packet from the average reception in each period of time. The packets that exceed a
certain threshold of deviation are placed in a blacklist for that period of time. The
blacklisted packet is then discarded and not forwarded in the next period of time. The
blacklisted packets are recalculated in each period of time, which adds computational
overhead to the system and gives the attacker a new chance to inject its flooded faked
packets.


Marti et al. (2000) introduced watchdog, which detects the dropping packets attack
over the data link layer. Watchdog overhears whether or not the neighbouring node
forwards the sent packet to the next hop node. This method of overhearing consumes
the node's limited power in MANET. Also, this method fails when a collision occurs,
or when the malicious node changes its transmission power so that its signal reaches the
previous node but not the next one.
Lee et al. (2002) applied intrusion detection over the DSR routing protocol to
detect the black hole attack. The method requires the intermediate node to send a route
confirmation request (CREQ) packet to the next hop node on the downstream. When
the next hop node receives the CREQ packet, it checks its cache for a route to the
destination. If it has one, it sends a route confirmation reply (CREP) with its route
information to the source node. The source judges the validity of the route in the RREP
packet previously received by comparing its contents with those of the received CREP
packet. This method is simple and accurate. However, it causes high routing overhead,
which degrades the network throughput and performance.

To secure the AODV routing protocol, Deng et al. (2002) proposed a source
intrusion detection routing security (SID-RS) mechanism that detects the black hole attack
only when an intermediate node unicasts a RREP packet. In the proposed intrusion
detection mechanism, when the source node receives a RREP from an intermediate node,
it should send a further route request packet (FRREQ) to the intermediate node's next hop
node through a new route, to verify whether that next hop has a route to the intermediate
node which sent back the RREP packet and whether it has a route to the destination. As soon as
the next hop node receives the FRREQ packet, it sends a further route reply (FRREP)
packet, which includes the check results, to the source node. Based on these results, if the
next hop node has both a route to the destination and a route to the intermediate node, the
source node initiates the route. Otherwise, if it has a route to the destination but does not have
a route to the intermediate node, the source node initiates the route using a new route
to the next hop node and broadcasts an alarm message to isolate the intermediate node.
Otherwise, if the next hop does not have a route to both the intermediate node and the
destination, the source node will discover a new route.


The mechanism introduced by Deng et al. (2002) is efficient in detecting the black
hole attack. However, it has more than one drawback. Resending the Further Request
from the source node towards the next hop node and waiting for the Further Reply from
the next hop node increases routing overhead and delay, especially when
this mechanism is applied in a large-scale MANET and when the intermediate nodes
are far from the source node.
Kurosawa et al. (2007) introduced an anomaly-based intrusion detection
mechanism to detect the black hole attack locally at each node, unlike
the previously proposed mechanisms by Deng et al. (2002) and Lee et al. (2002).
When the source node broadcasts a RREQ packet, each node records the destination IP
address and the destination sequence number in a routing table according to the AODV
routing protocol. When a RREP packet is received, each node checks its routing table
to see if the same destination IP address is there. If it exists, the difference of the
destination sequence numbers is calculated. The average of this difference is finally
calculated for each time slot as a security profile for each destination, and the average
of each time interval is then calculated. If it is less than or equal to a certain threshold,
the node is considered normal. Otherwise it is considered a malicious node and an alarm
is broadcast. This work does not need additional routing packet overhead. However, its
dependency on a threshold to determine the attacker may lead to false positive errors.
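The sequence-number profile described above, as an added Python example (not code from Kurosawa et al. or from this thesis). The slot length, the event format, the thresholds and the rule for naming suspect repliers are assumptions; the events are constructed, with node n9 advertising an inflated destination sequence number and destination E standing for a legitimate destination whose sequence number grows quickly.

```python
from collections import defaultdict

SLOT_S = 10  # assumed time-slot length in seconds


class SeqNoProfile:
    """Per-node profile of destination sequence number differences."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.table = {}                  # dst -> sequence number recorded from RREQs
        self.diffs = defaultdict(list)   # (slot, dst) -> [(difference, replier)]

    def on_rreq(self, dst, dst_seq):
        # Record the destination and the freshest sequence number seen for it.
        self.table[dst] = max(dst_seq, self.table.get(dst, dst_seq))

    def on_rrep(self, ts, dst, dst_seq, replier):
        if dst not in self.table:        # no entry for this destination: skip
            return
        diff = dst_seq - self.table[dst]
        self.diffs[(ts // SLOT_S, dst)].append((diff, replier))

    def alarms(self):
        """Return (slot, dst, average difference, suspects) above threshold."""
        raised = []
        for (slot, dst), entries in sorted(self.diffs.items()):
            average = sum(d for d, _ in entries) / len(entries)
            if average > self.threshold:
                # Assumed rule: suspects are repliers whose own difference
                # exceeds the threshold.
                suspects = sorted({r for d, r in entries if d > self.threshold})
                raised.append((slot, dst, average, suspects))
        return raised


def detect(events, threshold):
    """Replay RREQ/RREP events through one node's profile."""
    profile = SeqNoProfile(threshold)
    for event in events:
        if event[0] == "RREQ":
            _, _ts, dst, seq = event
            profile.on_rreq(dst, seq)
        else:
            _, ts, dst, seq, replier = event
            profile.on_rrep(ts, dst, seq, replier)
    return profile.alarms()


# Constructed events: (type, time in s, destination, dest. seq. no.[, replier]).
EVENTS = [
    ("RREQ", 0, "D", 20),
    ("RREP", 1, "D", 22, "n4"),
    ("RREP", 3, "D", 21, "n7"),
    ("RREQ", 10, "D", 22),
    ("RREP", 11, "D", 24, "n4"),
    ("RREP", 12, "D", 4000, "n9"),   # inflated sequence number
    ("RREQ", 20, "E", 5),
    ("RREP", 21, "E", 17, "n2"),     # legitimate but fast-growing
    ("RREP", 24, "E", 19, "n5"),
]

if __name__ == "__main__":
    print("threshold 50:", detect(EVENTS, 50))
    print("threshold 10:", detect(EVENTS, 10))
```

With the looser threshold only the slot containing n9 is reported; with the tighter one the legitimate repliers for E are reported as well, which is the false positive risk the paragraph attributes to the threshold.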
Padilla et al. (2007) proposed a black hole intrusion
detection technique over table-driven tactical MANET using a topology graph server
with a stable power supply and distributed sensors. An optimized link state routing protocol
(OLSR) (Jacquet et al. 2001) was used. The proposed IDS draws a graph of the entire
network at each time interval through the spread sensors. So, the truth about the
number of neighbours of each node, which is the main factor for each node to win the
route, appears in this graph. When any node sends a hello message that contains its
information, the system compares the number of neighbours the node claims to have
with the true number in the system's graph. If the difference exceeds a certain
threshold, the node is considered a malicious node and the alarm is broadcast.
Otherwise, the node is considered normal and the route is accepted. The additional
sensors used to help the system build the graph of the network are a cost overhead.


Eriksson et al. (2006), Phuong et al. (2007), Su and Boppana (2008) and Su
(2009) proposed time-based wormhole intrusion detection techniques. True-link
(Eriksson et al. 2006), which applies its detection technique over MAC, is applicable,
as it is based on a widely used protocol with some extensions. However, there is no
flexibility in the timeout, which is equal to the short inter-frame space (SIFS) as
specified by True-link. As a result, a false positive alarm may arise if there is
congestion or traffic load on the link.
The transmission time-based mechanism (TTM) (Van Phuong et al. 2007) depends
on the round trip time (RTT) to detect the wormhole attack. TTM is a simple and
accurate technique that can locate the position of the wormhole attack in the path.
However, the attackers on the tested path may write a fake RTT value that is the same as the
RTT written by the normal nodes, which increases the false negative rate.
Su and Boppana (2009) put forward certain equations to detect the wormhole
attack, but these equations include some parameters which must be filled in by the
node being checked, which gives the attacker the chance to fill in fake information and
hence defeat the detection system. True-link is the most self-dependable
technique, since it does not depend on any outside node to get the information
required for intrusion detection.
Finally, Li et al. (2012) proposed a collaborative and
multidimensional trust-based intrusion detection algorithm for securing MANET. The
proposed algorithm is called the gossip-based distributed outlier detection algorithm
(G-BDODA). G-BDODA identifies the outliers, which are defined by the authors as
abnormal behaviours shown by the most likely attackers. Also, G-BDODA uses a
multi-dimensional management approach to estimate the honesty of the nodes from
different perspectives. The algorithm is efficient and accurate but suffers from a routing
overhead drawback. Table 2.1 summarizes the previous non AIS-based intrusion
detection systems.

Table 2.1 Non intelligent intrusion detection systems

| Authors | Year | Contribution | Strengths | Drawbacks |
|---|---|---|---|---|
| Li et al. | 2012 | G-BDODA | accurate | routing overhead |
| H. Kim & Song | 2010 | PFM | simple | not accurate |
| Venkataraman et al. | 2009 | Trust-based mechanism | simple | consume energy; fail in some cases |
| Su & Boppana | 2008 | NEVO | simple | not self dependable |
| Kurosawa et al. | 2007 | Secure AODV | no routing overhead | ambiguous threshold |
| Padilla et al. | 2007 | Secure tactical MANET | no routing overhead | costly |
| Phuong et al. | 2007 | TTM | simple | not self dependable |
| Liu and Shen | 2007 | | simple | fails in high mobility MANETs |
| Ping et al. | 2006 | FAP | simple | fails when attacker changes its IP address |
| Eriksson et al. | 2006 | True-link | self dependable | susceptible to FP |
| Lee et al. | 2002 | Secure DSR | simple & accurate | routing overhead |
| Deng et al. | 2002 | SID-RS | simple & accurate | routing overhead |
| Marti et al. | 2000 | Watchdog | low FP | consume energy; fail in some cases |

2.7.2 Intelligent Intrusion Detection Systems

Chelly and Elouedi (2010) introduced the use of fuzzy set logic in the last stage of the DCA
proposed by Greensmith et al. (2005) to smooth the separation between
normality and abnormality in the calculated mature context antigen value (MCAV). The fuzzy
logic system consists of two parameters: the first parameter is the semi-mature DCs
and the second parameter is the mature DCs. The defuzzification stage determines the
final maturity state of each DC, so that the antigen's final context is decided more
accurately. The proposed fuzzy dendritic cell method (FDCM) was tested on a set of
databases and achieved more accurate results than DCA. However, since FDCM
adds little enhancement to DCA and the core of calculating the received antigens'
contexts depends mainly on DCA, FDCM still suffers from the same drawbacks of
high false positive rate and low accuracy rate, especially when normal and abnormal
antigens are tested simultaneously (Chelly & Elouedi 2010).


Dickerson (2000) proposed the fuzzy intrusion recognition engine (FIRE) as an
anomaly-based intrusion detection system. FIRE uses fuzzy logic to determine the
existence of a transport layer attack, specifically TCP port scan and ICMP (ping) scan, in
the wired network. Data mining techniques are used in FIRE to expose the attack
metrics processed by the fuzzy system. The fuzzy output alerts the administration to
perform a certain level of security action. The main disadvantage of FIRE is the
labor-intensive rule generation process (Dickerson & Dickerson 2000).
Sujatha et al. (2008) used fuzzy logic theory to detect attacks over the RREQ
packet in AODV by proposing a fuzzy based response model (FBRM). Attackers can
abuse the RREQ packet through three changes: RREQ rate, RREQ time to live (TTL) and
RREQ sequence number. They apply only one input parameter to detect each type of
attack. Neither network performance metrics nor security performance metrics are
evaluated in the study. Also, the proposed FBRM does not support identifying the
identity of the attacker so that it can be quickly detected each time it launches its attack. In
addition, the threshold values give the attackers a number of chances to inject their
faked RREQs. Moreover, using several threshold values in FBRM to detect each type
of attack over RREQ packets causes a high false positive rate, especially in dynamic
environments such as MANET (Sujatha et al. 2008).
Hofmeyr and Forrest (1999) proposed an artificial immune system to secure
local area networks (LANs) using the self non-self discrimination theory. They
defined the self set to represent the normal connection data set and the non-self set to
represent the abnormal connection data set. Each detector cell (lymphocyte) is
represented as a bit string of length 49 bits. Detection is implemented by string
matching, so a match between a detector and a non-self
string means an attacker has been found. Each host must have its own detector set,
which is analogous to the thymus in HIS. The detector itself is analogous to the
lymphocytes. The detector set produces immature detectors. However, these detectors
do not leave the set until they become mature. If one of the immature detectors matches
a self pattern, it is killed according to the negative selection technique. The killing is left to
mature detectors only. When a detector has become mature enough (has met a sufficient
number of non-self packets) and fails to kill a new non-self packet, it is also deleted.
The main drawback in this work is the high false positive alarm rate and low detection
accuracy rate (Hofmeyr & Forrest 1999).
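Negative selection over 49-bit strings as described above, as an added Python example (not code from Hofmeyr and Forrest or from this thesis). The text only says that detectors work by string matching; the r-contiguous-bits rule with r = 12, the set sizes and the random strings standing in for connection records are assumptions, and all data are constructed.

```python
import random

BITS = 49   # detector length stated in the text
R = 12      # assumed: number of contiguous agreeing bits that counts as a match


def r_contiguous_match(a, b, r=R):
    """True if bit strings a and b agree on at least r contiguous positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def random_string(rng):
    return "".join(rng.choice("01") for _ in range(BITS))


def generate_detectors(self_set, count, rng):
    """Negative selection: keep only candidates that match no self string."""
    detectors, killed = [], 0
    while len(detectors) < count:
        candidate = random_string(rng)
        if any(r_contiguous_match(candidate, s) for s in self_set):
            killed += 1               # immature detector matched self: killed
        else:
            detectors.append(candidate)
    return detectors, killed


def is_flagged(connection, detectors):
    """A connection is reported as non-self if any detector matches it."""
    return any(r_contiguous_match(connection, d) for d in detectors)


def demo(seed=7):
    rng = random.Random(seed)
    # Constructed "normal" connections observed while detectors were trained.
    self_set = [random_string(rng) for _ in range(30)]
    detectors, killed = generate_detectors(self_set, 150, rng)
    # Constructed legitimate connections that were never part of the self set.
    unseen_normal = [random_string(rng) for _ in range(200)]
    flagged = sum(is_flagged(c, detectors) for c in unseen_normal)
    return self_set, detectors, killed, flagged / len(unseen_normal)


if __name__ == "__main__":
    self_set, detectors, killed, fp_rate = demo()
    print("detectors kept:", len(detectors), "killed by self:", killed)
    print("self strings flagged:", sum(is_flagged(s, detectors) for s in self_set))
    print("unseen legitimate connections flagged: %.0f%%" % (100 * fp_rate))
```

Strings in the training self set are never flagged, but legitimate connections that were absent from it are treated as non-self, which is one source of the false positive rate the paragraph criticizes.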
Sarafijanovic and Le Boudec (2004, 2005) introduced the first studies that
applied AIS over MANET (Meisel et al. 2010). The detection is applied
over the network layer. They depend on a co-stimulation concept represented by a danger
signal that informs about packet loss on the connection path. In the proposed AIS
architecture, the thymus module performs a negative selection operation. The danger
module produces the danger signal if no acknowledgment is received for the sent
packet. The clustering module is used to verify the detection, and the clonal selection
module is used to decrease the false positive rate by enhancing the detectors' quality
(Sarafijanovic & Le Boudec 2004, 2005).
The proposed AIS registered a detection rate of about 55%, but the whole
system could only detect a simple dropping packet attack.
Greensmith (2005, 2007, 2008 and 2010) proposed a new DC-based algorithm called DCA
over wired network.
The algorithm is considered a main contribution to the danger project established by
Aickelin et al. (2003). It is also built over the libtissue architecture (Twycross &
Aickelin 2006). It is inspired by immunological studies on DCs because of their
desired positive characteristics, such as the following:

- DCs are described as forensic navigators that are distributed all over the tissues
  in order to protect the body from invaders.
- DCs perform anomaly detection in HIS after they collect antigens and the
  correlated signals.
- DCs have the power of controlling the adaptive immunity reaction by either
  stimulating T-cells or suppressing them.

The algorithm is verified by detecting a port scanning attack (McClure et al.
2005) over a wired network. It showed good results as a real-time IDS but produces high
false positive and false negative alarm rates.
Kim et al. (2006) and Wallenta et al. (2010) used a theoretical
integration between the DCA and a directed diffusion routing protocol
(Intanagonwiwat et al. 2003) to protect the sensor network from a flooding-based
attack called the cache poisoning attack. The signals are extracted from the behaviours of
the received packets. The antigens are extracted from the received packets as well.
Some behaviours indicate the existence of attacks, such as an increase in the packet
delivery rate and many other measurements (Kim et al. 2006; Wallenta et al. 2010).
Fanelli (2008a, 2008b, 2010) proposed a Network Threat Recognition with
Immune Inspired Anomaly Detection (NetTRIIAD) model. The NetTRIIAD model
utilizes the danger theory and implements negative selection in a different way
from the previous self non-self dependent studies. The model consists of two main
layers: the innate layer, which emulates the innate immunity in HIS, and the adaptive
layer, which emulates the general abstract adaptive immunity in HIS. The innate layer
collects data from three data resources: the alert monitor, the host monitor and the
network monitor, which represent the tissue in HIS. The collected data are classified
into antigens and signals. According to certain calculations, the innate layer provides
the adaptive layer with a classification of antigens as safe or dangerous. The adaptive
layer performs negative selection in a different way compared with the others
(Fanelli 2008a, 2008b, 2010).
NetTRIIAD is used to detect DoS, dropping packets and delaying packets over
wired networks. NetTRIIAD uses a good correlation method between signals and their
related antigens in the DCs, better than that used in DCA. However, it is a prototype
that does not have enough robustness to protect real wired networks. Also, it
cannot work properly because of the scaling problem and the lack of a good self set for
the negative selection operation.
Drozda et al. (2009, 2010) used the concept of co-stimulation and
communication between the innate immune system and the adaptive immune system.
They propose a co-stimulation inspired approach (CIA) that tries to decrease the false
positive rate, increase the detection rate and save energy at the same
time. CIA detects three types of attacks: wormhole attack, dropping packets attack and
packet delay. All the nodes in MANET must collect the prerequisite data necessary for
the detection (M. Drozda et al. 2009; Drozda et al. 2010).


Cooperation between each node and its 2-hop neighbour nodes is required to
exchange the calculated security information. If the first step detects the existence of
an attacker, it stimulates the second step of detection, which is energy inefficient and
used for confirmation. Otherwise there is no need for that energy-inefficient stage,
because it depends on overhearing the packets sent by the neighbour to the 2-hop
neighbour (watchdog). A neural network mechanism is used to improve CIA's
optimization. However, it has many drawbacks. Firstly, the cooperation with each
2-hop neighbour in the detection causes traffic overhead. Secondly, the 2-hop
neighbour may not be trusted. Finally, the algorithm depends mainly, in its confirmation
stage, on the watchdog, which fails in many cases mentioned in subsection 2.7.1.
Ou (2012) combines the features of DCA and agent-based IDS to introduce an
agent-based AIS (ABAIS). The aim of the proposed ABAIS is to be applied over the
internet to detect viruses and internet worms. The ABIDS architecture consists of three
main agents in each host, namely the DC agent, the T-cell agent (TC agent) and the antigen
agent (Ag agent), plus an agent that resides in a security operating centre (SOC), namely
the responding agent (RP).
The Ag agent extracts the required antigens for testing from a certain data set. The DC agent
performs the role of DCA; it receives the extracted antigens and available signals to
produce a context value for each antigen. If the context of the tested antigen becomes
mature, the Ag agent transfers this result to the TC agent as an activation procedure. The TC
agent in turn sends the antigen MCAV to the RP agent. The RP agent then determines whether
the antigen is malicious or not in order to decide on the appropriate response
adopted from the SOC (Ou 2012).
Three main factors are adopted in ABIDS to determine the type of the network
intrusion: severity, certainty and the time of attack. These factors are represented in a
vector. The maximum distance between each factor value and a certain threshold
indicates the classification of the antigen context as normal, harmlessly abnormal
or harmfully abnormal. In this work, the combination of DCA and agent-based
IDSs adds a relative advantage to its contribution. However, the dependency on
DCA adds the drawbacks of that algorithm (mentioned in section 1.1) to its detection
operation. Also, if an external attacker joins the system, he can run a TC agent
inside his host and communicate with the TC agents of the other hosts to inject faked
security information. Table 2.2 summarizes the previous AIS-based intrusion
detection systems.
Table 2.2 Intelligent intrusion detection systems

| Authors | Year | Contribution | Strength | Drawback |
|---|---|---|---|---|
| Ou | 2012 | ABAIS | utilizes two models | high FP |
| Chelly & Elouedi | 2010 | FDCM | utilize fuzzy logic | high FP |
| Dickerson & Dickerson | 2000 | FIRE | utilize fuzzy logic | overhead |
| Hofmeyr & Forrest | 1999 | Self non-self algorithm | no strength | high FP |
| Sarafijanovic & Boudec | 2004-2005 | First AIS over MANET | accurate | detect simple attack |
| Drozda et al. | 2009-2010 | CIA | energy efficient first stage | watchdog dependent |
| Fanelli | 2008-2010 | NetTRIIAD | detect 3 attacks | use negative selection |
| Kim et al. | 2006-2010 | Use DCA over WSN | detects new attack | high FP |
| Greensmith | 2005-2010 | DCA | utilizes DC model | high FP |
| Sujatha et al. | 2008 | FBRM | utilize fuzzy logic | high FP |

2.8 SUMMARY

This chapter has reviewed the concept of MANET as a wireless network with a specially
characterized environment that requires special security techniques and routing
algorithms. The lighter the algorithm (either for security or routing purposes)
applied over MANET, the more efficiency and effectiveness it can achieve. Also, in
the security field, IDSs are required not only to detect intrusions but also to
perform the detection with low false positive and high accuracy rates, which are two
major challenges for IDSs over MANET.


Existing research studies show severe effects of certain attacks on some
performance metrics of MANET. This motivates our research to continue in this field
and to study in depth the effects of flooding-based attacks on various MANET performance
metrics. This type of study is considered a blueprint for developing a
countermeasure for the studied attack in an effective way.
The inspiring theories and concepts in immunology have been reviewed in order to
understand the discussion of AIS intrusion detection systems. Also, current research
effort in AISs has been reviewed. Our brief analysis of the introduced algorithms and
techniques has revealed many limitations and drawbacks, which form a problem
statement that needs to be solved through this research.


CHAPTER III

METHODOLOGY

3.1 INTRODUCTION

This chapter describes the methodology utilized to derive DCFA. Two main
computational intelligence theories are applied: danger theory, represented in its abstract
DC model, and fuzzy logic theory. The biological DC model that DCFA utilizes includes
different components and functions, which are clarified in this chapter. The DC
model's components, such as input antigens and input signals, and their effect on the
resultant output signals are thoroughly explained. The operation stages of DCs during
their life span are illuminated. These stages include the collection stage, the processing stage
and the immune response control stage. This chapter also provides details on how DCFA
abstracted the biological model of T-cells so that it can be utilized in two
detection pathways, namely, the PIR and SIR pathways. The utilization of fuzzy logic
theory is also clarified in each step of its fuzzy stages.

3.2 THE ANALOGY BETWEEN MANET AND THE INNATE IMMUNITY

Innate immunity in biology has an important role in detecting danger coming from the
external environment. It consists of forensic navigator cells, which navigate through
different body tissues to protect such tissues from dangerous pathogens. The mobile,
self-organizing, flexible nature of innate immunity cells inspires the analogy between
the special characteristics of the MANET environment and the abstract features of the
innate immunity environment presented in the study of Twycross & Aickelin (2005).
Table 3.1 illustrates the analogy between the general innate immunity properties and
the corresponding MANET characteristics.


Table 3.1 Analogy between innate immunity properties and MANET characteristics

| Innate Immunity Properties | MANET Characteristics |
|---|---|
| Innate immunity cells, which navigate through tissues, are susceptible to an open environment full of different types of invaders coming from outside the human body. | C1 - Openness |
| Each innate immunity cell has a limited capacity; thus, each cell processes a limited amount of proteins and communicates with a limited number of neighboring cells. | C2 - Limited resources |
| Innate immunity cells move and organize themselves and can navigate through different types of body tissues in a flexible and decentralized manner. | C3, C5 and C6 - Mobility, flexibility and self-organization |
| Innate immunity cells interact with adaptive immunity cells through chemical cytokine signals. | C4 - Wireless medium signalling |
| Innate immunity cells perform parallel computational processing for incoming proteins to help the human body survive. | C7 - Distributed computation |

The innate immunity subsystem comprises three biological models of
phagocytes, namely, DCs, macrophages and granulocytes. The three phagocytes
collect pathogens in the human body tissues, process these pathogens and the received
signals and show the processing results to the adaptive immunity subsystem cells
(T-cells and B-cells) to control the immunity response. However, the three phagocytes
differ from one another in size, morphology and age.
The advantages of the DC biological model were highlighted in (Steinman
2000). The DC model was also examined thoroughly in many studies on immunology,
such as (Joshi et al. 2012; Lutz & Schuler 2002; Mahnke et al. 2007; Mosmann &
Livingstone 2004). Owing to existing immunological studies on the DC biological
model and their revelations, many computer scientists utilized this model in
computational intelligence, as mentioned in Subsection 2.7.2. DCFA, which is the
contribution of the present study to the development of computational intelligent
intrusion detection algorithms, is inspired by the DC biological model of innate immunity.

3.3 DANGER THEORY MODEL

The human body lives in an environment full of microorganisms, such as bacteria,
fungi, parasites and viruses. The human body is a suitable environment for most of
these microorganisms. They invade the human body and begin consuming most of its
resources; such consumption could lead to death. However, some types of
bacteria are useful to the human body and help generate vitamin K, which means that
there are exceptions for the danger coming from outside. Accordingly, danger theory
states that intrusion detection in the human body should be performed based on
sensing of infection (danger) caused by a specific pathogen(s). Such infection could
lead to body cell invasion, stress and/or abnormal death. Unlike self-nonself
discrimination theory, danger theory does not detect intrusions based on pattern
matching of nonself antigen detectors.
Similar to microorganism invaders, MANET attackers perform
their attacks in order to consume network resources, namely, battery power, memory
and bandwidth. The attackers keep launching their attacks to continuously degrade
network performance and to cause the network to crash, as in flooding-based attacks.
However, not all surrounding external mobile nodes are attackers. For a given mobile
node to decide whether a communicating node is an attacker or not, the judgment
should be built on the behavior of that node and on whether its effect is abnormal
or not. An intrusion detection algorithm that follows self-nonself discrimination begins
its detection with the learning stage to generate a dataset of abnormal nodes; as a
result, attackers can break the algorithm very easily by behaving normally for a short
time before launching an intrusion. In addition, the frequent change in MANET
topology and the continuous movement of the mobile nodes render building a dataset
of attackers infeasible.
Based on the previous discussion, DCFA adopts the danger theory model and its
intrusion detection mechanisms. The detection of flooding-based attacks on MANET
is based on sensing of abnormal resource consumption. For example, abnormality
in the packets received from the same sender identities indicates that these senders are denial
of service attackers. Therefore, DCFA applies the danger theory model through
applying the communication between DCs in innate immunity and T-cells in adaptive
immunity. An abstract model of DCs and T-cells communication, in Figure 3.1, is
employed.

3.4 BIOLOGICAL MODEL OF DENDRITIC CELLS

Two immune response pathways, PIR and SIR, are conceptually applied in DCFA. In
PIR, the abstract DC model plays the key role with assistance from the T-cells, whereas
the T-cells abstract model is primarily responsible for the SIR pathway with assistance
from innate immunity. The cooperation between innate and adaptive immunity
subsystems is selectively performed to benefit from the advantages of each and achieve the
highest performance possible. Figure 3.1 summarizes the key functions performed by
DCs.

Figure 3.1 Main functions of DCs; T refers to T-cells

The algorithm explained in Chapter V utilizes these functions conceptually. In
DCFA, DCs undergo three main stages: collection, processing and immune response
control. Each DC collects an input antigen and its relevant signals at the collection stage.
The processing stage begins the moment the first antigen is collected. Considering that
large amounts of antigens should be collected and processed, DCs should work in
parallel to face the invasion of differently structured antigens. Figure 3.2 shows the
main DC inputs and outputs performed in DCFA to detect intrusions. Antigens and
four types of signals are required in the processing stage. The signals are PAMP,
danger, safe and inflammation signals. The input signals differ in strength; for
instance, PAMP signals strongly induce the production of IL-12 by DCs, whereas
danger signals weakly increase the production of the same interleukin type. On the other
side, safe signals strongly induce the production of IL-10 by DCs and reduce the
concentration of IL-12. The only task of inflammation signals is to amplify the
concentration of the produced output signals. Unlike the previously introduced
DC-inspired algorithms in the literature, CSM is not utilized as an output signal. Only
IL-12 and IL-10 are utilized to distinguish whether the migrated DC is semi-mature or
mature.

Figure 3.2 Main inputs and outputs of DC


After the input antigen and its correlated signals are processed in the DCs
through fuzzy logic theory, the DCs migrate to meet the T-cells in adaptive immunity.
The migration of DCs denotes that they are differentiated into either the semi-mature or
the mature state. The relative magnitudes of IL-12 and IL-10 indicate the differentiation
state of the DCs.

3.5 ANTIGENS AND SIGNALS

Human body tissues release various types of signals that result from antigen effects
and the health state of the tissue cells. DCs process the received antigens and signals.
This function can direct the immune response toward the received and processed
antigens. The different categories of signals are fused and processed to judge the
correlated antigen in the same DC. As can be seen in Figure 3.2, antigens as well as
PAMP, safe, danger and inflammation signals are very important input parameters to
the anomaly detection function of DCs.

3.5.1 Antigens

The combination of signals received by DCs can indicate whether the antigens
processed are malignant or benign. In other words, the received signals clarify the
behavior of the collected antigens (whether normal or abnormal); however, they
cannot determine the identity of the source of these behaviors. Therefore, antigens are
utilized in a different manner in DCFA compared with signals. Antigens determine the
identity of the source that affects the health state of the tissue either in a normal or
abnormal manner. Artificially, antigens are represented by the received data, which
should be classified based on the existing combination of signals and not on antigen
structure as in the self-nonself discrimination theory.
Sampling multiple antigens with different structures in the same DC based on
multiple signals released from different antigens leads to false positive and false
negative results. Specifically, if the concentration of PAMP signals exceeds the
concentration of safe signals, all the sampled antigens in a DC will be considered
malignant even if a few benign antigens that release safe signals are among them,
which leads to false positive results. False negative results would be generated otherwise.
The absence of the relationship between the crime and the identity of the
perpetrator may lead to unjust judgment for innocent people. Similarly, the absence of
the relation between the abnormal behavior and the culprit leads to inaccurate results.
Therefore, the algorithm in Chapter V samples only one antigen in each DC and
processes the signals received by this antigen. In this case, each DC is exposed to the
antigen's related signals, thereby ensuring that antigens are equally tested and
producing a more robust and accurate IDS.

3.5.2 Input Signals

PAMPs in biology are exogenous signals produced by microorganisms as molecules
released from microbes regardless of pathogenicity (Medzhitov & Janeway Jr 2002).
PAMPs strongly indicate the existence of pathogens; hence, they are considered a
biological signature of the existence of danger. When PAMPs are released from
pathogens, they are received by PRR, which are special receptors of DCs. PAMPs
cause the production of IL-12 inside DCs. The output (IL-12) increases as the concentration
of input PAMPs increases.
Danger signals belong to another category of signals that indicate the existence
of danger. Danger signals are endogenous; they are released as a result of human body
tissue stress or the abnormal death of cells (necrosis). Danger signals indicate the
existence of danger but not as strongly as PAMP signals do. The confidence of PAMP
signals in indicating the existence of abnormality is stronger than that of danger
signals. Danger signals can lead to the production of IL-12 cytokine but at a lower concentration
than that produced by PAMP signals. Nevertheless, both categories induce DCs to
differentiate to the mature state and activate T-cells in lymph nodes. Safe signals, on
the other hand, are released from healthy human body cells. The normal death of
healthy human body cells is called apoptosis. Safe signals strongly indicate the
existence of normality. The receipt of safe signals by DCs induces IL-10 production at
the same strength as that of IL-12 production by PAMP signals. Safe signals
negatively affect the concentration of IL-12.
The effects of safe signals are incorporated with those of PAMP signals for a
more accurate processing of multiple antigens of the same structure. The balance
between the effects of the two categories decreases the possibility of obtaining high
false positive results. Safe signals are artificially represented by data entities that
indicate the normal behavior of the communicating party in the network. As the
concentration of the received safe signals increases, the possibility of DCs
differentiating to the semi-mature state also increases. If the proportion of safe signals
overcomes that of PAMPs, then the DCs will suppress adaptive immunity.
The increase in heat among tissues causes the release of inflammatory signals.
Increase in tissue temperature indicates that a type of stress exists. Although
inflammatory signals dilate blood vessels in cases of danger and employ cells to
protect the distressed tissue, they do not play the main role in DC differentiation. They
are considered assistant signals; they merely amplify the concentration of the
existing signals.
Inflammatory signals are important in amplifying the magnitude of the three
other input signals, leading to shortened antigen and signal sampling periods and rapid
DC migration to the lymph nodes. Considering that DC migration in the proposed
algorithm does not depend on the amount of collected signals, this type of signal does
not play any role in DCFA. Only three types of signals, namely, PAMP, danger and
safe signals, are utilized. The interaction between these three in each DC is shown in
Figure 3.3. Table 3.2 presents a brief overview of these signals. The effects of PAMP,
danger and safe signals on the production of output cytokines cannot be determined by
certain empirical weights. An abstract description of these effects can be conceptually
represented through input fuzzy set memberships.
Table 3.2 Brief overview of the input signals

| Signal category | Exogenous signal | Indicates the danger state | Has a significant effect |
| --- | --- | --- | --- |
| PAMP | Yes | Yes | Yes |
| Danger | No | Yes | No |
| Safe | No | No | Yes |

Figure 3.3 Interaction among the input signals

3.5.3 Output Signals

Two main categories of output signals, namely, IL-10 and IL-12 cytokines, are
included in the DC model utilized in this research as shown in Figures 3.2 and 3.3.
These two signals are produced as a result of processing different types of input
signals by DCs. CSMs are not utilized in our abstraction for several reasons. Firstly,
CSMs in biology involve numerous complicated processes, which could increase the
computation overhead and cause error-prone results. Secondly, CSMs do not affect the
resultant context of the migrating DC. Thirdly, CSMs were utilized in previous studies
as indicators of the amount of produced signals. When the produced signals exceed a
certain threshold, the DCs should stop collecting and processing and migrate to the
adaptive immune subsystem. However, this form of migration dependency is not
employed in the proposed algorithm to avoid the generation of false positive results.
The produced IL-10 or IL-12 with higher concentration can dictate the
differentiation state of DCs. It can also determine the ultimate state of DCs (either
semi-mature or fully mature). When the collection and processing stages are over, the
DCs are obliged to migrate and deliver the results to the T-cells in the adaptive
immunity subsystem. The receipt of IL-10 triggers the T-cells to suppress the immune
response. However, IL-12 is the second signal that activates the T-cells to fight the
presented antigens in the migrating DC. Table 3.3 provides a summary of the main
features of the two output signals.

Table 3.3 Brief overview of the output signals

| Signal category | DC differentiation | Health state | Signal effect |
| --- | --- | --- | --- |
| IL-10 | Semi-mature DC | Normality | Suppress T-cells |
| IL-12 | Fully mature DC | Abnormality | Activate T-cells |

3.6 BIOLOGICAL MODEL OF T-CELLS

Negative selection is not applied in DCFA to avoid the scaling problem. Only the abstract
functions of T-cells and their differentiation states are utilized. When the primary
immune response is activated, the migrating fully matured DCs meet the naive T-cells
in the lymph nodes. Binding between the DCs and T-cells is considered the first signal
for T-cells through the meeting itself. The second signal released from DCs is either in
the form of IL-12 or IL-10 depending on the previously received DC inputs. In nature,
signal information fusion is performed in a complicated process; however,
in this research, the process is abstracted into a simple one with high performance.
The receipt of IL-10 indicates that naive T-cells consider the presented
antigens in the DCs as benign, whereas receipt of IL-12 indicates that naive T-cells
consider the presented antigens as malignant. Another important operation performed
by naive T-cells when they receive IL-12 is differentiation to MT-cells. In DCFA,
MT-cells store the collected malignant antigens to activate a rapid response through
secondary immune response in the future if the antigens appear more than a certain
threshold value. Table 3.4 provides a comparison between the T-cell and DC models
which are used in the proposed artificial algorithm.
Table 3.4 A comparison between T-cells and DCs

| Cell type | Input signals | Differentiation types | Main operation |
| --- | --- | --- | --- |
| DCs | PAMPs, danger and safe signals | Semi-mature or fully mature DCs | Collection and processing of antigens and signals |
| NT-cells | IL-10 and IL-12 | ST-cells or MT-cells | Decide the response type |

3.7 AD HOC ON-DEMAND DISTANCE VECTOR ROUTING PROTOCOL

The AODV routing protocol (Perkins et al. 2003; Perkins & Royer 1999) is adopted in
this research. AODV is a reactive, self-starting and large-scale routing protocol. It has
been extensively studied and improved over many years, thereby proving its
robustness and benefits. AODV has been chosen because it is a standard routing
protocol which has been proved and studied by many researchers and has several
advantages. Firstly, connection setup delay with the destination is shorter compared
with other MANET routing protocols. Secondly, congested paths are avoided in
AODV unlike in other ad hoc routing protocols. Thirdly, AODV can cope with rapid
ad hoc topological reconfigurations that may affect other routing protocols (Taneja &
Kush 2010). In addition, AODV has been chosen since it represents a wide category of
MANET routing protocols. This category is called reactive MANET protocols and it
includes DSR, TORA and many other routing protocols. All of these protocols have
a similar routing mechanism. Therefore, testing DCFA over AODV is believed to
indirectly test it over other reactive MANET protocols. However,
AODV is vulnerable to different types of attacks. The following subsections explain
how AODV is vulnerable to RCA on MANET.
In the route discovery process of AODV routing protocol on MANET, the
source node broadcasts a route request (RREQ) packet throughout the MANET nodes
as shown in Figure 3.4(a) and sets a timer to wait for the reply. The RREQ packet
contains routing information, including the originator IP address, broadcast ID and
destination sequence number. Each intermediate node receives the RREQ packet and
maintains the reverse path to the source node besides performing two processes.
RREQ broadcast conducted through QualNet appears clearly in Figure B.1. Firstly, the
intermediate node verifies if it has received the RREQ packet before with the same
originator IP address and broadcast ID and then decides whether to discard the RREQ
packet or accept it.
This verification process helps prevent flooding attacks. Secondly, if the
RREQ packet is accepted, the intermediate node checks the destination sequence
number stored in its routing table. If the sequence number is greater than or equal to
the one stored in the RREQ packet, the intermediate node uni-casts the route reply
(RREP) packet to the source node. If no intermediate node has a fresh enough (fresh
destination sequence number) route to the destination node, the RREQ packet
maintains its navigation until it reaches the destination node, which in turn uni-casts
the RREP packet toward the source node as shown in Figure 3.4(b).

Figure 3.4 AODV routing protocol. S: source node, D: destination node, $N_1$ to $N_5$:
intermediate nodes. (a) Propagation of RREQ packet, (b) Path of the RREP
packet

3.8 VULNERABILITY OF AODV TO RCA

RCA (Agrawal et al. 2011; Nadeem & Howarth 2009; D. Wang et al. 2008) is a DoS
attack wherein the attacker exploits the route discovery process in the AODV routing
protocol. RCA has been chosen as an example from a wide range of different types of
flooding-based attacks, which are the most effective and dangerous attacks over MANET.
Conceptually, flooding-based attacks share the same mechanism of using the flooding
technique.
For example, flooding-based attacks include resource consumption attack
(RCA), hello flood, routing table overflow, routing table poisoning and node
penalizing schemes. Each of these attacks uses flooding but with a different purpose
from the others. In detail, in RCA the attacker uses the flooding mechanism to exhaust
the network resources, whereas in routing table overflow the attacker uses flooding to
overflow the routing table with stale routes, causing routing failure. Therefore, we
expect that if DCFA succeeds in detecting RCA, it will likewise detect other
flooding-based attacks.

In RCA, the attacker continues to broadcast the RREQ packet with a different
broadcast ID to continuously notify each node and consume its limited resources of
energy, bandwidth and memory (Figure 3.5(a)). The attacker does not follow the
AODV rules. It does not set a timer to wait for a reply but continues to flood the
network with RREQ packets as shown in Figure 3.5(b). If destination node D
represents a server, then its service could be isolated by attacker A. MANET is very
vulnerable to this type of attack because its limited bandwidth capacity makes
overflowing the link easy and quick. Congested links become jammed
when MANET links are overflowed with malicious packets, thereby interrupting
access to the services of the available servers in the network.

Figure 3.5 RCA. S: source node, D: destination node, A: attacker, $N_1$ to $N_5$:
intermediate nodes. (a) RREQ continuously broadcast by RCA, (b)
RREQ packets flooded by RCA
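
The intermediate-node checks of Section 3.7 can be traced against RCA traffic to see why the duplicate check alone does not stop the flood and what a receiving node can measure instead. The following Python code is an added example, not code from this thesis or from QualNet; the addresses, arrival times, the 1-second window and the limit of 10 RREQs are constructed assumptions (RFC 3561 gives RREQ_RATELIMIT = 10 per second as the default for an originator).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RREQ:
    originator_ip: str
    broadcast_id: int
    dest_ip: str
    dest_seq: int
    t_ms: int  # arrival time at this node in milliseconds (constructed)


class IntermediateNode:
    """RREQ handling of an intermediate node as described in Section 3.7."""

    def __init__(self, routes):
        self.routes = routes               # dest_ip -> sequence number in routing table
        self.seen = set()                  # (originator IP, broadcast ID) already processed
        self.accepted = defaultdict(list)  # originator -> arrival times of accepted RREQs
        self.actions = Counter()           # (originator, action) -> count

    def receive(self, rreq):
        key = (rreq.originator_ip, rreq.broadcast_id)
        if key in self.seen:
            action = "DISCARD"             # first process: duplicate suppression
        else:
            self.seen.add(key)
            self.accepted[rreq.originator_ip].append(rreq.t_ms)
            stored = self.routes.get(rreq.dest_ip)
            # second process: reply only with a fresh enough route
            if stored is not None and stored >= rreq.dest_seq:
                action = "RREP"
            else:
                action = "REBROADCAST"
        self.actions[(rreq.originator_ip, action)] += 1
        return action


def peak_rate(times_ms, window_ms):
    """Largest number of arrivals inside any half-open window of window_ms."""
    times = sorted(times_ms)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window_ms:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_flooders(node, window_ms=1000, limit=10):
    """Originators whose accepted-RREQ rate exceeds the assumed limit."""
    return sorted(o for o, ts in node.accepted.items()
                  if peak_rate(ts, window_ms) > limit)


def build_trace():
    """Constructed trace: source S behaves per AODV, A changes broadcast ID each time."""
    s, a, d = "10.0.0.1", "10.0.0.66", "10.0.0.9"
    trace = [RREQ(s, 1, d, 7, 0), RREQ(s, 1, d, 7, 12), RREQ(s, 1, d, 7, 19)]
    trace.append(RREQ(s, 2, d, 7, 2000))   # retry only after the reply timer
    trace += [RREQ(a, i + 1, d, 7, 100 + 50 * i) for i in range(40)]
    return sorted(trace, key=lambda r: r.t_ms)


def run_demo():
    node = IntermediateNode(routes={"10.0.0.9": 9})
    for rreq in build_trace():
        node.receive(rreq)
    return node


if __name__ == "__main__":
    n = run_demo()
    print(dict(n.actions))
    print("flagged:", flag_flooders(n))
```

Because every RCA packet carries a new broadcast ID, none of them is discarded and each one triggers an RREP here, which is the "total number of RREP initiated" overhead measured later in this chapter.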

3.9 FUZZY LOGIC THEORY

As shown in Figure 3.6, the fuzzy logic mechanism generally consists of four blocks,
namely, fuzzification, fuzzy rules, fuzzy inference and defuzzification (Cox 1992).
During fuzzification stage, crisp (actual) input parameters , where the set of
possible input parameters is fuzzified into fuzzy linguistic parameters by applying
corresponding membership functions; fuzzy input sets are then obtained. Zadeh
defines linguistic parameters as parameters whose values are not numbers but
words or sentences in a natural or artificial language (Kapitanova et al. 2011;
Zadeh 1973). An input parameter can be associated with one or more fuzzy sets
depending on the calculated membership degrees.

54

Fuzzified values are processed by if-then statements according to a set of
predefined fuzzy rules derived from domain knowledge provided by experts. In this
stage, the inference scheme maps input fuzzy sets to output fuzzy sets. A crisp result is
computed from the output fuzzy set according to the fuzzy rules in the final stage,
which is defuzzification. The crisp output value represents control actions that should
be taken. The aforementioned three stages are called fuzzification, fuzzy inference
and defuzzification, respectively. Each stage is described in detail in the following
subsections.

Figure 3.6 Fuzzy logic mechanism


3.9.1 FUZZIFICATION

During fuzzification, the crisp (actual) value is converted into degrees of membership;
input fuzzy sets are obtained by applying corresponding membership functions. A
membership function is a curve that determines the certainty with which a crisp value
is associated with a specific linguistic value. Figure 3.7 shows an example of a
temperature membership function, where a parameter named x is supposed to
represent the value of temperature. x space can be divided into a range of fuzzy sets
using triangular membership functions, such as freezing and cool. With this scheme, x
no longer jumps abruptly from one fuzzy set to the next. Instead, x loses value in one
membership function and gains value in the next as it changes. If x = -5, then x is
freezing, which has membership value of 0.75 and x is cool, which has a membership
value of 0.25. In other words, x = -5 is mapped into a pair of membership values (0.75,
0.25). Membership functions can have different shapes. Some of the most frequently
used shapes include triangular, Z-shape, S-shape, trapezoidal and Gaussian-shape.
Membership functions are defined either by relying on domain knowledge or through
the application of different learning techniques, such as neural networks (Horikawa et
al. 1992; Jang 1992) and genetic algorithms (Arslan & Kaya 2001). A triangular
membership function is specified by three parameters (a, b, c) as follows:

$$\text{Triangular MF}(x; a, b, c) = \begin{cases} \dfrac{x - a}{b - a}, & a \le x < b \\ \dfrac{c - x}{c - b}, & b \le x \le c \\ 0, & \text{otherwise} \end{cases} \qquad (3.1)$$

where a, b and c are the corner points defining the triangular membership function.
These points can be adjusted to fit the desired membership function data.

Figure 3.7 Temperature membership function


3.9.2 FUZZY RULES AND FUZZY INFERENCE
Fuzzy rules consist of logical rules that determine the relationships between the
input and output parameters of the fuzzy sets in the system. The rules are of the
form IF premise, THEN consequence, where premise is composed of fuzzy input
parameters and consequence is a fuzzy output parameter. The fuzzy rules provided
by experts are often based on common sense and logic. The rule-base of fuzzy logic
can be formally presented in the following format:
$R_f$: IF (x is A) THEN (y is B),    (3.2)

where x is the input parameter, y is the output parameter, A is the fuzzy sets of the
input and B is the fuzzy sets of the output. Fuzzy inference is the process of
mapping from given input fuzzy sets to output fuzzy sets through fuzzy rules.
Fuzzy inference evaluates the fuzzy rules first and then determines their firing
strength. Mamdani's method (Mamdani & Assilian 1975) is one of the most
common and efficient methods utilized to define the firing strength of a rule. In
Mamdani's method, the firing strength of a rule is provided by the firing strength
generated by its antecedent. For example, consider the following rules that involve
input parameter x:
$R_1$: IF x is freezing, THEN y is freezing.
$R_2$: IF x is cool, THEN y is cool.

The firing strength of the rule is simply the firing strength of the IF
part. Supposing that x = -5, then the firing strengths of rules $R_1$ and $R_2$ are 0.75
and 0.25, respectively (Figure 3.9).
3.9.3 DEFUZZIFICATION
Determining the firing strengths of fuzzy rules generates multiple fuzzy output sets
that represent modified membership functions. In the defuzzification stage, all
fuzzy output sets aggregate into a single fuzzy set. The single fuzzy set transforms
once again into a crisp output number. Such a number corresponds to a control
action in control applications. The most commonly utilized defuzzification
methods are centroid weighted average, center of singleton and maximum method
(Klir & Yuan 1995). The most frequently utilized and more computationally
efficient defuzzification method is centroid weighted average (Bas & Neira 2003). In
this method, the crisp value of the output parameter is computed by the weighted
average of each output of the set of rules. The output is the x-coordinate of the
centroid. Centroid defuzzification method can be expressed as:

$$\text{Crisp output} = \frac{\sum_{f=1}^{n} \mu_f \, w_f}{\sum_{f=1}^{n} \mu_f} \qquad (3.3)$$

where n is the number of rules, $\mu_f$ is the membership value of the output
parameter of each rule f and $w_f$ is the centroid weight associated with each rule f.


3.9.4 FUZZY LOGIC AND DC


Since DC inputs are a combination of three types of signals in addition to their
correlated antigen, DCs are in charge of performing a very accurate anomaly detection
function. Signal information fusion requires the use of an efficient technique that can
precisely determine the hazard as well as the safety degree represented by each signal
correlated with specifically structured antigens.
In this research, the fuzzy logic system receives input signals represented by
crisp numerical values. These values should be displayed through the linguistic
parameters to provide each value an accurate proportion of its belongingness to each
parameter. Different sets have to be formulated then processed based on certain rules
and equations to produce an accurate numerical value that can judge the ultimate
output parameter for each input crisp value. These briefly described procedures are
uniquely processed with fuzzy logic theory. Fuzzy logic theory is applied in the DC
model in this research to avoid false positive or false negative limitations similar to
those in the previously proposed DC-based AISs.
Without the use of fuzzy logic theory, the receipt of a signal with a numerical
value from a certain antigen, which causes harmful effects on the system environment,
indicates that the recipient DC will consider the signal a PAMP signal. A PAMP signal
increases the proportion of produced IL-12 directly, which in turn may cause
the immature DC to differentiate to the mature state and activate T-cells to fight the presented
antigen. Two limitations exist in this scenario. Firstly, the presented antigens may
cause harmful behaviors due to temporal conditions and not because they are actually
malignant. Secondly, if the input signal value is numerically very close to that of a safe
signal, doubts would exist as to whether that signal is PAMP. Likewise, the
correctness of its consequent results would be inaccurate as well.
Therefore, the proposed algorithm in Chapter V utilizes the advantages of
fuzzy logic theory in processing input signals correlated with a specific input antigen to
determine the eventual DC differentiation state based on the output result. In fuzzy
logic theory, DCs process the input signals in three stages: fuzzification, fuzzy
inference and defuzzification. In the fuzzification stage, the crisp input value of certain
signal values should be represented within fuzzy input sets. These input sets have a
certain proportion of belongingness to predefined input parameters. Such proportion of
belongingness is called firing strength. If the input signal is released by the RREQ
packet, the parameter would be defined as safe, low PAMP and high PAMP. If the
input signal is released by the unhealthy connection state between a node and its
neighbors, the parameter would be defined as low danger and high danger. Parameters
are represented by input membership functions. Three function shapes, namely,
triangular, Z-shape and S-shape, are utilized to represent input membership functions.
A set of rules is defined in the inference stage according to the strength of each
signal category to map the fuzzy input sets to fuzzy output sets, which are represented
by output membership functions. Mamdani's method is employed as the main
technique in this mapping. DCFA defines two output membership functions, IL-12 and
IL-10, and the interference region between them to produce an accurate result. The centroid
equation is applied in the defuzzification stage to aggregate the resultant output
membership functions and produce an accurate value. This accurate value is utilized as
the fuzzy threshold value that determines the effect of the input signal (causes
differentiation to semi-mature or fully mature DC).
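
The three fuzzy stages applied to the signals of one DC, as an added Python example (not the DCFA implementation of this thesis, which is described in Chapter V): it implements Equation 3.1, single-antecedent Mamdani firing as in Equation 3.2 and the centroid weighted average of Equation 3.3. The corner points, centroid weights, the 0.5 threshold, the input units and the linear Z/S shoulders are assumptions made for illustration; the temperature corner points are chosen to reproduce the (0.75, 0.25) pair of Section 3.9.1.

```python
def tri(x, a, b, c):
    """Triangular membership function of Equation 3.1, corner points a < b < c."""
    if a <= x < b:
        return (x - a) / (b - a)
    if b <= x <= c:
        return (c - x) / (c - b)
    return 0.0


def z_shape(x, full, zero):
    """Linear Z shoulder (assumed shape): 1 up to `full`, falling to 0 at `zero`."""
    if x <= full:
        return 1.0
    if x >= zero:
        return 0.0
    return (zero - x) / (zero - full)


def s_shape(x, zero, full):
    """Linear S shoulder (assumed shape): 0 up to `zero`, rising to 1 at `full`."""
    return 1.0 - z_shape(x, zero, full)


def temperature_memberships(x):
    """(freezing, cool) degrees; corner points assumed, not read from Figure 3.7."""
    return tri(x, -30, -10, 10), tri(x, -10, 10, 30)


# One rule per line: IF <input> is <fuzzy set> THEN <output>, with centroid weight w_f.
# rreq_rate: RREQs per second from one sender; danger: share of unhealthy neighbour
# links in [0, 1]. All numbers are assumptions. Weights sit on a 0..1 axis where
# values below 0.5 mean IL-10 dominates and values above 0.5 mean IL-12 dominates.
RULES = [
    ("rreq_rate", "safe",        lambda x: z_shape(x, 2, 10),     "IL-10", 0.1),
    ("rreq_rate", "low PAMP",    lambda x: tri(x, 5, 12, 20),     "IL-12", 0.7),
    ("rreq_rate", "high PAMP",   lambda x: s_shape(x, 15, 25),    "IL-12", 0.9),
    ("danger",    "high danger", lambda x: s_shape(x, 0.3, 0.8),  "IL-12", 0.6),
]


def fire(signals):
    """Fuzzification plus Mamdani firing: a rule fires as strongly as its antecedent."""
    return [(name, out, mf(signals[inp]), w) for inp, name, mf, out, w in RULES]


def defuzzify(fired):
    """Centroid weighted average of Equation 3.3."""
    total = sum(mu for _, _, mu, _ in fired)
    if total == 0:
        return 0.0  # no rule fired: no evidence of abnormality
    return sum(mu * w for _, _, mu, w in fired) / total


def dc_context(signals, threshold=0.5):
    """Return the DC differentiation state and the crisp output behind it."""
    crisp = defuzzify(fire(signals))
    return ("mature" if crisp > threshold else "semi-mature"), crisp


if __name__ == "__main__":
    print(temperature_memberships(-5))
    for sample in ({"rreq_rate": 1, "danger": 0.1},
                   {"rreq_rate": 8, "danger": 0.0},
                   {"rreq_rate": 9, "danger": 0.0},
                   {"rreq_rate": 20, "danger": 0.6}):
        print(sample, dc_context(sample))
```

A rate of 8 and a rate of 9 belong to both the safe and the low PAMP sets, so the decision moves gradually across the threshold instead of flipping at a single crisp cut-off.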

3.10 SIMULATION ENVIRONMENT

This section explains the environment where the experimental simulations are
performed. Specifically, the simulation parameters and main performance metrics
utilized are discussed.
3.10.1 SIMULATION PARAMETERS
The experiments are conducted using the QualNet version 5.0.2 scalable simulator
developed by Scalable Network Technologies (Simulator). The data points presented
in the experimental results are calculated as the average of five simulation runs to
eliminate the effect of any anomalous individual result. This approach is adopted
because of an observed realistic variance among the points in five or more simulation
runs. Table 3.5 lists the fixed values of the parameters employed in all the
experiments. Some values may vary in certain experiments performed in the
forthcoming chapters.

Table 3.5 Simulation parameters

| Parameter | Value |
| --- | --- |
| Network area | 1500 m × 1500 m |
| Node speed | 0–8 m/s |
| Bandwidth | 11 Mbps |
| Packet size | 512 bytes (excluding header size) |
| MAC protocol | 802.11 |
| Mobility model | Random way point (T Camp 2002) |
| Antenna model | Omnidirectional |
| Path loss model | Two ray |

3.10.2 PERFORMANCE METRICS


Experiments are performed to test security and the network performance metrics. In
security systems, the performance metrics of IDSs are classified into two main classes:
normal (expressed by a negative term) and attack (expressed by a positive term). True
negative, true positive and accuracy reflect a high performance IDS operation. False
positive and false negative reflect a low performance IDS operation.
Table 3.6 presents additional details on the main intrusion detection
performance metrics measured in this research (Wu & Banzhaf 2010). The most
common IDS performance metrics are false positive rate and detection rate. A low
percentage of false positive and false negative rates indicates that the detection
mechanism is accurate and trusted.

Table 3.6 Intrusion detection performance metrics

| Metric | Explanation | Equation |
| --- | --- | --- |
| False positive (FP) | Normal node is incorrectly considered as attacker | |
| False negative (FN) | Attacker node is incorrectly considered as normal | |
| True positive (TP) | Attacker node is correctly considered as attacker | |
| True negative (TN) | Normal node is correctly considered as normal | |
| Accuracy | True detection rate | $\dfrac{TP + TN}{TP + TN + FP + FN}$ |

On the other hand, four main network performance metrics are examined,
namely, throughput, end-to-end delay, routing overhead and total energy consumption.
Throughput is the number of bits received on the destination per unit of time. It
represents the average of the throughput values for destinations in each experimental
result. End-to-end delay is the duration between the time at which the first bit of a
packet is sent from the source node side and the time at which the last bit of the same
packet is received on the destination side. The average of this duration for destinations
is recorded in each experiment.

Total routing overhead represents the two main AODV parameters that are
visibly affected by RCA. The effect increases the routing overhead. The first
parameter is the total number of retried RREQ packets in each experiment, which
measures the frequency of source node failure to establish its route to the destination.
The second parameter is the total number of RREP initiated, which indicates the
number of RREP packets unnecessarily initiated under the RCA problem. In our
experiments, the total energy consumed from the battery of the nodes is measured in
mjoule¹. Energy saving is a significant topic in MANET considering that the amount
of energy in the nodes' batteries is finite. A node consumes its battery energy in three
main states: transmission, receiving and idle modes. Therefore, the total number of bits
that can be sent is equal to the node's battery energy divided by the energy required by
each sent bit.

¹ The unit of energy is joule. mjoule is millijoule, which is equal to $1 \times 10^{-3}$ joule.

Figure 3.8 depicts the architecture of a general wireless radio energy model
(transceiver). Equation 3.4 represents the total energy required to send k bits. $P_{on}$,
$P_{sp}$, $P_{tr}$ and $P_{idle}$ in the equation represent the power consumed in active, sleep,
transient and idle modes, respectively. $T_{on}$, $T_{sp}$, $T_{tr}$ and $T_{idle}$ are the time
durations of the active, sleep, transient and idle modes, respectively. Equation 3.4
calculates total energy by multiplying the power consumed in each state by the time
duration in that state, because power is measured in watts and each watt represents the
flow of one joule per second.

Figure 3.8 Radio energy dissipation model (transceiver). (a) Transmitter, (b) Receiver
(Cui et al. 2005; Simulator)

$= P_{on} \cdot T_{on} + P_{sp} \cdot T_{sp} + P_{tr} \cdot T_{tr} + P_{idle} \cdot T_{idle}$   (3.4)

As indicated by the wireless energy transceiver, the active mode reflects the
state of sending or receiving packets. Cui et al. (2005) reported that the
power consumed in sleep mode is very low compared with that in active mode; hence,
they assigned a default value of zero to $P_{sp}$. The power consumed in transient mode is
that required by the frequency synthesizers in the transceiver. Frequency synthesizers
are circuits that create frequency to turn on other circuits. $T_{tr}$ reflects the time duration
from the moment the frequency synthesizers start up until the moment they settle
down; $T_{tr}$ has a negligible value. Given that the frequency synthesizers start up only
once, $P_{tr}$ also has a negligible value.

The power consumed in idle mode ($P_{idle}$) is that required by the node to keep
listening for the wireless channel, especially in MANET. The mobile nodes do not
perform actual receiving but are almost always notified by the wireless channel; this
process consumes a considerable amount of energy. Hence, the power consumed in
idle mode is worth investigating. The energy consumed in transmit mode $E_1$,
receive mode $E_2$ and idle mode $E_3$ is calculated with Equations 3.6, 3.7 and 3.8,
respectively.
$= P_{transmit} \cdot T_{transmit} + P_{receive} \cdot T_{receive} + P_{idle} \cdot T_{idle}$   (3.5)

$E_1 = P_{transmit} \cdot T_{transmit}$   (3.6)

$E_2 = P_{receive} \cdot T_{receive}$   (3.7)

$E_3 = P_{idle} \cdot T_{idle}$   (3.8)

All experimental energy consumption simulations apply the Micaz energy
model, which is pre-configured according to the specification of the power
consumption of Micaz motes (embedded sensor nodes) (Cui et al. 2005; Feeney &
Nilsson 2001; Simulator).
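
The per-mode accounting of Equations 3.5 to 3.8, as an added C++ example that is not code from the thesis or its simulator: it integrates power over a radio-state timeline for a quiet node and for a node kept in receive mode by flooding. The power values, both timelines and every identifier are constructed for illustration and are not the Micaz model's figures.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

enum RadioState { TRANSMIT, RECEIVE, IDLE };

// The radio enters `state` at `timeS` seconds and stays there until the
// next transition or the end of the simulation. Logs are assumed sorted.
struct Transition {
    double timeS;
    RadioState state;
};

// Power drawn per state in milliwatts; mW x s = mJ ("mjoule" in the text).
struct PowerProfile {
    double transmitMw;
    double receiveMw;
    double idleMw;
};

struct EnergyReport {
    double e1TransmitMj;  // Equation 3.6
    double e2ReceiveMj;   // Equation 3.7
    double e3IdleMj;      // Equation 3.8
    double totalMj() const { return e1TransmitMj + e2ReceiveMj + e3IdleMj; }  // Equation 3.5
};

EnergyReport accountEnergy(const std::vector<Transition>& log, double simEndS,
                           const PowerProfile& power) {
    EnergyReport r = {0.0, 0.0, 0.0};
    for (std::size_t i = 0; i < log.size(); ++i) {
        const double start = log[i].timeS;
        double end = (i + 1 < log.size()) ? log[i + 1].timeS : simEndS;
        if (end > simEndS) end = simEndS;   // clip to the simulation window
        if (end <= start) continue;          // empty or out-of-window interval
        const double duration = end - start;
        switch (log[i].state) {
            case TRANSMIT: r.e1TransmitMj += power.transmitMw * duration; break;
            case RECEIVE:  r.e2ReceiveMj  += power.receiveMw  * duration; break;
            case IDLE:     r.e3IdleMj     += power.idleMw     * duration; break;
        }
    }
    return r;
}

// Constructed power values, chosen only so that receive > idle.
PowerProfile constructedPower() {
    PowerProfile p = {50.0, 60.0, 10.0};
    return p;
}

// Constructed timeline: a node that mostly listens during a 200 s run.
std::vector<Transition> normalNodeLog() {
    std::vector<Transition> log;
    log.push_back({0.0, IDLE});
    log.push_back({50.0, RECEIVE});
    log.push_back({52.0, TRANSMIT});
    log.push_back({53.0, IDLE});
    return log;
}

// Constructed timeline: bogus RREQs arrive from 2 s onward, so the node
// spends the time it used to idle in receive mode.
std::vector<Transition> floodedNodeLog() {
    std::vector<Transition> log;
    log.push_back({0.0, IDLE});
    log.push_back({2.0, RECEIVE});
    log.push_back({150.0, TRANSMIT});
    log.push_back({151.0, RECEIVE});
    return log;
}

int main() {
    const PowerProfile p = constructedPower();
    const EnergyReport n = accountEnergy(normalNodeLog(), 200.0, p);
    const EnergyReport f = accountEnergy(floodedNodeLog(), 200.0, p);
    std::printf("normal : E1=%.0f E2=%.0f E3=%.0f total=%.0f mJ\n",
                n.e1TransmitMj, n.e2ReceiveMj, n.e3IdleMj, n.totalMj());
    std::printf("flooded: E1=%.0f E2=%.0f E3=%.0f total=%.0f mJ\n",
                f.e1TransmitMj, f.e2ReceiveMj, f.e3IdleMj, f.totalMj());
    return 0;
}
```

With these constructed inputs the receive term grows, the idle term shrinks and the total rises, which is the pattern to look for when reading per-mode energy statistics from a simulation run.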

3.10.3 SIMULATION VERIFICATION

Verification is summarized in a question: Are we building the system right? Therefore,
it means to ensure that the conceptual simulation model is implemented correctly in
the computer representation (Banks et al. 2010; Sommerville 2004). Different
techniques can be adopted to verify a simulation computer program. We use the
following techniques in verifying the RCA and DCFA simulation models:

i. Building and debugging the DCFA program with separate modules using the
C++ language: To verify the DCFA model, a separate C++ DCFA program has been
developed and its functions tested gradually. The required functions have been
programmed and carefully added after being debugged and tested. According to the
DCFA model, the antigens controller has been programmed and tested first. Then, the
fuzzy logic theory has been built in a separate C++ program, debugged and tested
before being added to the DCFA model in the simulation. The adaptive immunity
functions have also been added one by one in the simulation after being tested, until
the whole development of the DCFA model was finished.


ii. Testing fuzzy logic component outputs using the MATLAB-R2012a numerical
computing environment: The fuzzy logic component, as an important component
for the anomaly detection operation in DCFA, has been verified and carefully
tested. Specifically, the output of the DCFA C++ program for a set of input
signal values has been compared with the output that the fuzzy function of
MATLAB-R2012a produces for the same set of input values.

iii. Making the DCFA model code as self-documenting as possible: Each
component and each function in the DCFA model code has been documented to
explain the function name, the function layer (according to the international standard
organization open system interconnection (ISO-OSI) network layers) and the
purpose of the function. Also, the scope of each decision-making or repeating loop
has been identified and documented. The documentation covers declared and
initialized variables, structs, constants and the statements with specific functions.
The resultant DCFA model code is well understood and readable and does not
contain ambiguous statements or variables. In addition, all of the variables, structs,
functions and constants have been declared with meaningful names; for example, the
Memory T-cell function name in the simulator is Tmemory(int srcIndex, int flag).

iv. Tracing the simulation program with an interactive trace file: QualNetv5.0.2
contains a trace file which reads the output results from a finalize function
located at the end of the DCFA model code file. The finalize function is called at
the end of simulation to show the contents of the events list, the state trace
variables and the statistical counters. The number of received RREQ packets at
each node, the number of times each node is attacked and other simulation
events have been traced and monitored carefully through the QualNetv5.0.2
trace file.

v. Using the QualNetv5.0.2 Graphical User Interface (GUI): The QualNetv5.0.2 GUI
has been used to show the simulated network scenario graph very
clearly. The CBRs and the positions of attackers and legitimate nodes have been
fixed visibly. As shown in the simulation graphs in Appendix B, the GUI allows
the user to confirm that certain events are working correctly, such as RREQ
broadcast by AODV, RREQ broadcast by attackers with radio range 200 m and
RREQ broadcast by attackers with radio range 400 m. Monitoring the events
through the GUI animation confirms that these events are processed through the
DCFA model code.

vi. QualNet simulator is widely used in research: The QualNet simulator
has been used by many researchers in testing, verifying and modeling
algorithms in distributed systems. This thesis uses QualNetv5.0.2. Many
research works published in impact factor journals have used QualNet
simulator versions earlier than 5.0.2. For example, the authors in (Er & Seah
2006) have used QualNetv3.7 to analyze a distributed multi-hop clustering
algorithm over MANET. Also, the authors in (X. Wang et al. 2012) have used
QualNetv3.9 to test their introduced analytical model over multi-hop wireless
networks. In addition, the authors in (Hegde et al. 2013) have used
QualNetv4.5 to test their centralized integrated approach which aims to
enhance IEEE 802.11 infrastructure over wireless local area network (WLAN).

3.11 SUMMARY

The abstraction of the DC model and T-cells model and their interaction are clarified
in this chapter. This chapter shows that biological models would be effective in
building IDSs only if certain concepts and functions are carefully selected without
burdening the system with extra overhead. For example, signals and antigens in
biology interact with each other in a very complex manner. Such complexity should
not be transferred to the computational system if one wishes to obtain benefits from a
certain function of that interaction.

Also, the representation of CSMs is considered useless because DCFA does
not depend on the magnitude of CSMs in DC migration. Hence, this type of output
signals is neglected. Furthermore, the processing of antigens and signals in DCs,
which remains insufficiently described in biology, is implemented with accurate fuzzy
logic theory to avoid false positive or false negative rates in the detection results.


Self-nonself theory is not stratified in T-cells biological model. This means
negative selection algorithm is not utilized in DCFA because of the previously
mentioned problems. However, the abstract role of naive T-cells as a responder for the
migrating DCs is utilized. Specifically, the type of response of these T-cells is
employed in the primary immune response pathway according to the differentiation
state of the migrating DCs. Moreover, the conceptual role of ST-cells and MT-cells is
adopted in the adaptive immunity.

The abstraction adopted in DC and T-cell biological models, aside from fuzzy
logic theory employed in the processing stage of DCs, promises to build a robust
self-healing and self-organizing intrusion detection algorithm in this research. The aim of
this research is to test the capability of DCFA to achieve the promised robustness
through simulation experiments. A list of network performance parameters is
established in this research. The mitigation of the attack effect is also evaluated by
applying DCFA, as will be presented in the subsequent chapters.


CHAPTER IV

EFFECTS OF RCA ON MANET PERFORMANCE

4.1 INTRODUCTION

All MANET routing protocols can be easily attacked if an attacker identifies the
targeted points of vulnerability of the network protocols. Many intrusion detection
mechanisms have been introduced to protect the routing schemes in MANETs. For
example, SEAD was introduced to protect the DSDV routing protocol. Security ad hoc
on-demand distance vector (SAODV) protocol was designed as an extension to protect
the AODV routing protocol. Ariadne was proposed to secure the routing functions in
DSR routing protocol. Numerous other security measures over network layers have
been put forward, including secure routing protocol.

Securing routing schemes in MANET has been considered a crucial research
issue. Attackers can easily eavesdrop on communications between nodes because of
the wireless medium used. The limited bandwidth of MANET renders its nodes
vulnerable to isolation and its links susceptible to frequent breaks. In addition, the lack
of centralized authorization and security cooperation simplifies the process of
individual attacks on each part of an entire network. Consequently, MANET is
subjected to many types of attacks. Flooding-based attacks are some of the most well
known because these are dangerous and effective. The types of such attacks are hello
flood attack, routing table overflow, exploiting node penalizing schemes and RCA.
These attacks are explained in subsection 2.3.3.


Even though each type of flooding-based attack has a specific corresponding
goal, all of them share the same attack mechanism, thereby yielding the same results.
In particular, the aforementioned attacks depend primarily on the flooding fake packet
mechanism. Flooding depletes network bandwidth and exhausts the battery power of
nodes. As a consequence, when a legitimate node is suppressed by a flooding-based
attack, the node fails to secure sufficient bandwidth or energy to either receive or send
packets. This drives other nodes to cut off any connection with that node. As a result,
the targeted node is isolated from the network. However, an attack on a targeted node
that represents a server is translated to a DoS attack. Therefore, RCA is
chosen for analysis according to its corrupting effects.

Although the effects of many types of attacks have been analyzed in the
literature, the studies have focused on the effects of flooding-based attacks on only one
or two network performance metrics. To the best of our knowledge, no research has
introduced a comprehensive study on the effects of flooding on main targeted
resources, such as routing overhead and energy consumption. In addition, researchers
have not ascertained the severity of flooding-based attacks under varying types of
attack factors (e.g., varying flooding rate and radio range). This chapter introduces a
simulation-based study of the effects of RCA on several network performance metrics,
namely, throughput, end-to-end delay, energy consumption and routing overhead.
AODV is chosen as a routing protocol susceptible to RCA and because of its
advantages as mentioned in subsection 3.7 (Taneja & Kush 2010).

Simulation determines the severity of RCA effects under a combination of
four factors: the number of attackers and the attackers' positions are varied, and the
attackers' radio range and flooding rate are modified. The results confirm the intuitive
assumption that RCA dramatically affects MANET performance when the number of
attackers increases. In most scenarios, the strongest RCA effect occurs when both the
attackers' flooding rates and radio range increase.


This chapter contributes to literature as follows. First, it introduces a
simulation-based study that demonstrates the behavior of flooding-based attacks over
MANETs. Second, it identifies four combinations of attack factors under which the
effects of flooding-based attacks on network performance metrics clearly vary. Third,
this study may draw a blueprint for researchers to facilitate the development of
intrusion detection and prevention algorithms as a countermeasure for flooding-based
attacks.

4.2 EXPERIMENTAL DESIGN

This chapter derives the simulation results by conducting two main scenarios:
scenario A and scenario B. In both scenarios, 100 nodes are run during a 200 s simulation
time. However, each scenario applies its experiments by varying a combination of two
factors. Scenario A studies the effect of different positions of RCA attackers (e.g.,
near-source, near-destination and random), with varying numbers of attackers (2, 4, 6,
8 and 10) in each position factor. This experimental scenario retains an RREQ
flooding rate of 10 RREQs/s. Also, the radio range of all the attackers is 250 m,
identical to that of legitimate nodes. Figure in Appendix B shows the random
distribution of attackers applied in QualNet.

Scenario B involves varying the flooding RREQ rate factor by 10, 20 and
30 RREQs/s, including the RREQ packet header. Each of these flooding rates is
applied in parallel with different attacker transmission ranges (200, 250, 300, 350 and
400 m). Scenario B maintains the application of 4 attackers, which are randomly
located in each experiment. RCA attackers initiate flooding against two separate CBR
connections. The two connections differ from each other in terms of their connection
time. The first connection, CBR-1, is initiated from the beginning of the simulation
until the end, whereas the second connection, CBR-2, begins after 100 s and continues
until the end of the simulation. The attackers start flooding at 2 s into the simulation
until the end. A traffic load of 1 RREQ/s in each connection is used, which helps
clarify the effect of high traffic loads caused by RCA. Table 3.5 lists the other fixed
parameters used in all the experiments. Figures in Appendix B show the difference
between applying attackers with radio range 200 m and 400 m, respectively, in QualNet.

4.3 EXPERIMENTAL RESULTS FOR SCENARIO A

This section presents the effects of varying the number of attackers and their positions
on throughput, end-to-end delay, energy consumption and routing overhead metrics. In
the near-source position, the attackers (A1, A2) are located either one or two hops
from the source node (S) as shown in Figure 4.1(a). The same is depicted in Figure
4.1(b) for the near-destination node (D) position. In the random position, however, the
attackers are spread along the path between the source and destination nodes as shown
in Figure 4.1(c). In this position, the attackers target the source node, destination and
intermediate nodes in their routes.

Figure 4.1 Distribution of RCA attackers with different positions. (a) Attackers A1
and A2 are one hop and two hops away from source S, respectively, (b)
Attackers A1 and A2 are two hops and one hop away from destination D,
respectively, (c) Attackers A1 and A2 are randomly located along the path
between source S and destination D

4.3.1 EFFECTS OF RCA ON THROUGHPUT AND END-TO-END DELAY FOR SCENARIO A

MANETs are highly vulnerable to flooding-based attacks because of their limited
bandwidths. As is executed in RCA, flooding bogus RREQ packets causes congestion
in targeted links. In our experiments, targeted links pertain to those of the source node,
destination node and/or the route between them. Congestion causes collision between
data packets and bogus RREQ packets, thereby leading to data packet dropping.

The experimental results in Figure 4.2(a) confirm that network throughput
decreases as the number of RCA attackers increases. RCA causes this difference under
8 and 10 attackers. When RCA employs 10 attackers, the random position reduces
network throughput by around 89.9% relative to the normal scenario (zero attackers).
However, the near-destination position is slightly less effective than the random
position; it decreases throughput by around 87.3%, whereas the 10 near-source
attackers reduce throughput by around 82.4% relative to the normal case. The 10
attackers in both the near-source and random positions prevent CBR-2 from being
established and dramatically degrade the throughput of CBR-1. In the two cases, the
connection between source and destination nodes in CBR-2 is broken.

Figure 4.2(b) illustrates the effect of each attacker position on throughput. Each
column represents the average effect of all the attack numbers distributed in the same
position. The highest effect is imposed by the average values of all the numbers of
attackers distributed near the source node. The random and near-destination attackers
rank second and third in severity, respectively. Conceptually, when near-destination
attackers flood bogus packets toward a destination, they strongly prevent data packet
delivery. This prevention is successfully achieved by RCA, regardless of the number
of attackers. By contrast, near-source attackers prevent and/or postpone the source
from establishing new routes and/or placing data packets on a link because of high
competition from RCA attackers on the wireless link. This method of preventing data
packet production cannot be effectively performed unless a high enough number of
attackers exists (at least 10, as shown in Figure 4.2(a)).

Figure 4.2 Effect of the number of attackers and their positions on throughput. (a)
varying the number of attackers, (b) the average of throughput

The random attackers exhibit effects that fall between those of near-source and
near-destination attackers, but the former outperform the latter two when there are
8 or more attackers. Figure 4.3(a) compares the effect of different attack positions on
end-to-end delay, in which the number of attackers is varied. The near-source position has the
highest effect on end-to-end delay in all the scenarios. Using 10 near-source attackers
increases delay by around 94.2% relative to the normal scenario. In addition, using 10
attackers in the random and near-destination positions increases delay by 90.5% and
89.1%, respectively.

Figure 4.3(b) confirms that the near-source attackers outperform the others in
terms of the attack positions. If the attackers surround the source node and flood the
RREQ packets toward its link, this situation is sufficient to cause link jamming. The
flooded RREQ packets compete with the source's data packets on the link, indicating
that each bit of the waiting data packet is accorded a low possibility of being placed on
the link. Moreover, RCA creates enough jamming to suppress the transmission of data
packets from the source by dropping the packets, thereby retransmitting lost packets
and increasing delay.

Figure 4.3 Effect of the number of attackers and their positions on end-to-end delay.
(a) varying the number of attackers, (b) the average of end-to-end delay

4.3.2 EFFECTS OF RCA ON TOTAL ENERGY CONSUMPTION FOR SCENARIO A

In Figures 4.4(a), 4.4(b) and 4.4(c), the effects of increasing the number of attackers
exhibit the same pattern (increasing or decreasing) across the three positions. The
energy consumed in receive mode continuously increases as the number of attackers
increases. However, the energy consumed in transmit mode only slightly and slowly
increases. This result indicates the success of RCA in forcing the legitimate nodes
to receive a high rate of bogus RREQ packets and its success in suppressing these
nodes from transmitting their data packets.

Conversely, the energy consumed in idle mode decreases as the number of
attackers increases, indicating that the legitimate nodes, which are classified in the
normal scenario as listeners, have been assigned as destinations by RCA. The
near-source and random attackers increase the energy consumption of the legitimate nodes
in receive mode by the same percentage (about 97.6%). The near-destination
attackers increase energy consumption by 96.44%.

Figure 4.5(a) depicts the total energy consumed by all the simulated legitimate
nodes. The total energy in each attack position is calculated using Equation 3.5. As
shown in Figure 4.5(a), 10 random attackers increase the total energy consumed by the
legitimate nodes by 73.5% over that consumed in the normal scenario; 10 near-source
attackers and 10 near-destination attackers cause legitimate nodes to consume energy
that is respectively 72.7% and 63.6% higher than that consumed in the normal
scenario. The general effect of each attack position in Figure 4.5(b) also confirms that
from an attack perspective, the random attackers outperform the other two.

Figure 4.4 Effect of the number of attackers on the energy consumed in each mode.
(a) near source attackers, (b) near destination attackers, (c) random
attackers

Figure 4.5 Effect of the number of attackers and their positions on total energy
consumed. (a) varying the number of attackers, (b) the average of total
energy consumed

4.3.3 EFFECTS OF RCA ON ROUTING OVERHEAD FOR SCENARIO A

In the AODV routing mechanism, when a source node broadcasts RREQ packets to
discover a new route to a destination node, the node sets the timeout for receiving the
RREP packet to 2 * TTL * NODE_TRAVERSAL_TIME milliseconds. Starting from
TTL = TTL_START, TTL should be increased by TTL_INCREMENT and a new
RREQ should be rebroadcast if no RREP is received within the timeout. This process
is repeated if the source node does not receive the RREP within the specified timeout
until TTL reaches TTL_THRESHOLD. After this, if still no RREP is received, the
source node can rebroadcast the RREQ using TTL = NET_DIAMETER up to a
maximum of RREQ_RETRIES times.
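
The retry schedule described above, as an added C++ example that is not the thesis's or QualNet's code: it builds the TTL and timeout sequence and counts the retried RREQs a source sends when RREPs are lost to congestion. The constants are the RFC 3561 defaults (the thesis does not list its simulator settings); the `lostReplies` congestion model, the round-trip time on success and all identifiers are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

struct AodvParams {
    int ttlStart;
    int ttlIncrement;
    int ttlThreshold;
    int netDiameter;
    int nodeTraversalTimeMs;
    int rreqRetries;
};

// Default values from RFC 3561, section 10 (assumed, not taken from the thesis).
AodvParams rfc3561Defaults() {
    AodvParams p = {1, 2, 7, 35, 40, 2};
    return p;
}

struct Attempt {
    int ttl;
    int timeoutMs;  // 2 * TTL * NODE_TRAVERSAL_TIME, the formula in the text
};

struct Outcome {
    bool routeFound;
    int rreqsSent;
    int retriedRreqs;  // every RREQ after the first one
    int elapsedMs;
};

// Expanding-ring attempts up to TTL_THRESHOLD, then network-wide attempts
// with TTL = NET_DIAMETER, at most RREQ_RETRIES of them.
std::vector<Attempt> discoverySchedule(const AodvParams& p) {
    std::vector<Attempt> schedule;
    const int step = p.ttlIncrement > 0 ? p.ttlIncrement : 1;  // avoid a stuck loop
    for (int ttl = p.ttlStart; ttl <= p.ttlThreshold; ttl += step) {
        schedule.push_back({ttl, 2 * ttl * p.nodeTraversalTimeMs});
    }
    for (int i = 0; i < p.rreqRetries; ++i) {
        schedule.push_back({p.netDiameter, 2 * p.netDiameter * p.nodeTraversalTimeMs});
    }
    return schedule;
}

// hopsToDestination: an RREQ with a smaller TTL never reaches the destination.
// lostReplies: number of RREPs dropped on congested links before one gets
// through (assumed model of the congestion effect discussed in this chapter).
Outcome runDiscovery(const AodvParams& p, int hopsToDestination, int lostReplies) {
    Outcome out = {false, 0, 0, 0};
    const std::vector<Attempt> schedule = discoverySchedule(p);
    for (std::size_t i = 0; i < schedule.size(); ++i) {
        const Attempt& a = schedule[i];
        ++out.rreqsSent;
        const bool reaches = a.ttl >= hopsToDestination;
        if (reaches && lostReplies == 0) {
            // Assumed round trip: one traversal time per hop, both directions.
            out.elapsedMs += 2 * hopsToDestination * p.nodeTraversalTimeMs;
            out.routeFound = true;
            break;
        }
        if (reaches) --lostReplies;      // the reply existed but was dropped
        out.elapsedMs += a.timeoutMs;    // source waits out the full timeout
    }
    out.retriedRreqs = out.rreqsSent > 0 ? out.rreqsSent - 1 : 0;
    return out;
}

int main() {
    const AodvParams p = rfc3561Defaults();
    const int hops = 4;                     // constructed distance
    const int lostCases[] = {0, 2, 1000};   // constructed congestion levels
    for (int i = 0; i < 3; ++i) {
        const Outcome o = runDiscovery(p, hops, lostCases[i]);
        std::printf("lost RREPs=%4d found=%d sent=%d retried=%d elapsed=%d ms\n",
                    lostCases[i], o.routeFound ? 1 : 0, o.rreqsSent,
                    o.retriedRreqs, o.elapsedMs);
    }
    return 0;
}
```

A destination four hops away is found after two retries on a clean network, while sustained loss of RREPs exhausts the whole schedule, which is the behaviour the retried-RREQ counter measures.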

Figure 4.6(a) shows that the number of retried RREQ packets increases as the
number of attackers increases, indicating the existence of obstacles in establishing new
routes. These obstacles are imposed by the RCA attackers, thereby continuously
preventing communication between source and destination. Figures 4.6(a) and 4.6(b)
illustrate that the near-destination attackers are most effective on the retried RREQs.
This interpretation is the same as that made for throughput. When the RCA attackers
are near the destination, they cause jamming all around its wireless links. This jamming
may interrupt any packet from being delivered to a destination because the congested
links cause packet collision and increase the possibility of packet delay and dropping.
The 10 near-destination attackers increase the number of retried RREQs by 85.7%.
The 10 random attackers are slightly less effective than the near-destination attackers;
they increase the number of retried RREQs by 83.7%. By contrast, the 10 near-source
attackers increase the RREQ overhead only by 60.7%.

Figure 4.6 Effect of the number of attackers and their positions on the retried RREQs.
(a) varying the number of attackers, (b) the average of retried RREQs

As indicated by the simulation experiments, the increase in the number of
RREPs is initiated by the destination and intermediate nodes. In Figure 4.7(a), all the
attackers in different positions overload the network with more RREPs as the number
of attackers increases. The 10 near-source, near-destination and random attackers
achieve the highest overloads of about 99.94%, 99.93% and 99.92%, respectively. The
percentages do not significantly differ because of the considerable RREP overhead
created by RCA. Figure 4.7(b) indicates that the average effects of the near-source
attackers under all attacker numbers overload the network with more unnecessary
RREP packets than that observed in near-destination and random attackers. The RREPs
are regarded here as unnecessary because they are created by the legitimate nodes as a
response to RCA attackers and not to the RREQs of the legitimate source nodes.

Figure 4.7 Effect of the number of attackers and their positions on the initiated RREPs.
(a) varying the number of attackers, (b) the average of initiated RREPs

4.4 EXPERIMENTAL RESULTS FOR SCENARIO B

This section examines the effect of varying the attackers' radio range and flooding
rates under the same network performance metrics discussed in section 4.3. Increasing
the radio range involves increasing the attackers' legitimate neighbors, the number of
RCA victims and the area affected by the attack. The effects of such specifications are
depicted by the shaded circles in Figure 4.8. The circles represent attacker A, and
radio ranges. Increasing the flooding rate accelerates congestion creation, which
rapidly degrades the network performance.

Figure 4.8 Effect of increasing attackers radio ranges: radio range > radio range
> A radio range

4.4.1 Effects Of RCA On Throughput And End-To-End Delay For Scenario B

As seen in Figures 4.9 and 4.10, at a flooding rate of 10 RREQs/s, increasing the radio
range slightly degrades network throughput and slightly increases end-to-end delay.
Conversely, at a flooding rate of 20 RREQs/s, RCA attackers strongly affect
throughput and end-to-end delay beginning at a radio range of 350 m and higher. Also,
at the same flooding rate, the RCA attackers prevent CBR-2 from being established
starting at a radio range of 350 m. In addition, the attackers effectively break down
both CBR-1 and CBR-2 at a radio range of 400 m. At a flooding rate of 30 RREQs/s,
however, RCA dramatically and rapidly affects the network performance metrics.
Specifically, when RCA deploys attackers at a flooding rate of 30 RREQs/s, they
isolate the source node from the destination node in one of the experiment connections
at a 300 m radio range. The attackers also break the CBR connections at a radio range
of 350 m and above because they can suppress numerous legitimate nodes. This
suppression is achieved by the flooding effect as the attackers expand radio range.
Thus, wider areas of congested links that cause packet dropping and delay are created.
It is clear from Figures 4.9 and 4.10 that RCA with a flooding rate of 30 RREQs/s has
the highest effect on both throughput and end-to-end delay.

Figure 4.9 Effect of the attackers' radio range and flooding rate on throughput. (a)
varying the radio range of attackers, (b) the average of throughput

Figure 4.10 Effect of the attackers' radio range and flooding rate on end-to-end delay

4.4.2 Effects Of RCA On Total Energy Consumption For Scenario B

Figures 4.11(a), 4.11(b) and 4.11(c) depict the energy consumption of the legitimate
nodes in transmit, receive and idle modes. The energy consumed in receive mode
increases as the radio range increases at all flooding rates. At a flooding rate of 10
RREQs/s, Figure 4.11(a) illustrates that the energy consumed in receive mode exceeds
100 mjoules at a 400 m radio range, whereas at a flooding rate of 20 RREQs/s (Figure
4.11(b)), the energy consumed in receive mode exceeds 200 mjoules at a 400 m radio
range. In contrast, at a 30 RREQs/s flooding rate (Figure 4.11(c)), the attackers cause
the legitimate nodes to consume more than 200 mjoules at a radio range of 250 m and
above. This result indicates the success of RCA in suppressing the legitimate nodes,
thereby enabling the receipt of numerous bogus packets.

At all flooding rates (Figures 4.11(a), 4.11(b) and 4.11(c)), the energy
consumed in transmit mode only slightly increases because of the jamming links
created by the RCA attackers. The continuous decrease in the energy consumed in idle
mode is compatible with the continuous increase in the energy consumed in receive
mode. That is, when RCA successfully suppresses the legitimate nodes to receive bogus
packets, it consistently prevents the nodes from being silent or idle.

The total energy consumed by the legitimate nodes in all modes at varying
flooding rates is shown in Figure 4.12, which compares the energy use at 30 RREQs/s
with that at 20 and 10 RREQs/s flooding rates. Applying a 30 RREQs/s flooding rate
at a 400 m radio range is useless because using a flooding rate of 20 RREQs/s with the
same radio range achieves about the same effect. However, the performance at a 30
RREQs/s flooding rate ranks higher than that at a 20 RREQs/s flooding rate in all
radio ranges less than 400 m.

Figure 4.11 Effect of the attackers' radio range and flooding rate on energy
consumption in each mode. (a) 10 RREQs/s, (b) 20 RREQs/s, (c) 30
RREQs/s

Figure 4.12 Effect of the attackers' radio range and flooding rate on total energy
consumed. (a) varying radio range, (b) the average of total energy
consumed

4.4.3 Effects Of RCA On Routing Overhead For Scenario B

At a 30 RREQs/s flooding rate, AODV is overloaded with numerous retried RREQ
packets initiated by the legitimate nodes (Figure 4.13a). This overload slightly
increases as radio range increases from 250 to 400 m. Applying a 20 RREQs/s
flooding rate achieves about the same effect as applying a 30 RREQs/s flooding rate at
a radio range of 400 m because both flooding rates prevent all the CBRs from being
established at 400 m, as indicated by the experiments.

The high flooding rate and wide attack coverage support the attackers'
suppression of a high number of legitimate nodes. Consequently, almost all the
legitimate nodes needed for routing can be completely isolated and are therefore
unable to receive control packets from either the source node or destination node.
Figure 4.13b shows that the average effect of using 30 RREQs/s on initiating retried
RREQ packets is higher than that of using 20 RREQs/s. The 30 RREQs/s flooding rate
is most effective in overloading AODV with extra initiated RREP packets (Figures
4.14a and 4.14b), whereas 10 RREQs/s exhibits the worst performance from an attack
perspective. Figure 4.14a shows that the 30 and 20 RREQs/s curves do not converge at a
400 m radio range. The non-convergence arises because the initiation of the RREP packet
by destination and intermediate nodes depends primarily on a high flood rate of bogus
RREQs, whereas expanding radio range only increases the number of affected
destinations and intermediate nodes.

Figure 4.13 Effect of the attackers' radio range and flooding rate on the retried
RREQs. (a) varying radio range, (b) the average of retried RREQs

Figure 4.14 Effect of the attackers' radio range and flooding rate on the initiated
RREPs. (a) varying radio range, (b) the average of initiated RREPs

4.5 SUMMARY

The performance of mobile nodes in attacked MANETs depends mainly on the
available bandwidth and battery power, the number of RCA attackers and their
positions and the flooding rate of the attackers combined with the radio range that they
can cover. Our simulation results confirm that the effects of the attacks increase as the
number of attackers increases.
In most experimental results, the average effect of the attackers' positions in all
scenarios of attacker numbers differs from that observed when the effects of specific
attack positions with respect to a certain number of attackers are considered. For
example, the average effect of near-destination attackers is higher than those of other
attackers' positions in terms of decreasing network throughput and overloading
network links with additional retried RREQs. However, the 10 random attackers
achieve greater degradation of node throughput than do the 10 near-destination
attackers. The near-source attackers surpass the attackers in other positions, strongly
increasing end-to-end delay and the RREPs initiated from both the destination and
intermediate nodes. Nevertheless, the near-source attackers exhibit the lowest
efficiency in terms of the amount of energy needed to perform the attack.
Clarifying the flooding rates and radio range factors shows that the average
effect of 30 RREQs/s is the highest among almost all the performance metrics, whether
this rate is taken on its own or with respect to the radio range used. For example, by
using a 30 RREQs/s flooding rate, RCA attackers can decrease throughput to zero
beginning at a 350 m radio range. The same effect can be achieved when using a
flooding rate of 20 RREQs/s only if the attackers use a 400 m radio range. According
to our simulation environment, if the attackers want to strongly affect certain metrics
(such as throughput, end-to-end delay, total energy consumed and retried RREQs),
applying a 350 m radio range in addition to a 30 RREQs/s flooding rate is sufficient.
Our research extensively investigates the effects of flooding-based attacks, given that
it considers four different factors that affect various types of network performance
metrics.

CHAPTER V

DENDRITIC CELL FUZZY LOGIC ALGORITHM

5.1 INTRODUCTION

The proposed DCFA is mainly based on two computational intelligent theories: danger
theory in artificial immune systems and fuzzy logic theory. The key stages in the life
of DCs in innate immunity and their interactions with T-cells in adaptive immunity are
applied in abstract as shown and explained in Figure 3.1. These main stages are
combined with the functionality of fuzzy logic theory to produce a final intrusion
detection decision regarding the input routing packet. A general description of DCFA
is introduced in this chapter to make the proposed algorithm useful for computer
scientists and researchers. Such description must be applied in the network layer of the
open systems interconnection (OSI) model. The DCFA components and the
interactions between these components are elaborated and illustrated. The interactions
between the DCFA interface component and the outer routing protocol are also clearly
presented. Furthermore, the details of each DCFA component's input parameters and
output results are explained.
This chapter also reveals how DCFA applies fuzzy logic theory to obtain an
accurate result of the input antigen context. Although DCFA is proposed in this
research as a general intrusion detection algorithm meant to detect many types of
attacks, this chapter introduces specifications of the input parameters and their
membership functions in the fuzzy logic system to detect RCA. The specification in
this portion of the algorithm aims to determine how DCFA can feasibly apply fuzzy
logic theory to detect routing attacks.

5.2 GENERAL DESIGN OF DCFA

DCFA is developed to serve as a monitoring point for checking certain routing packet
types such as RREQ, RREP or Hello packets, depending on the type of attack, before
the routing protocol proceeds to handle the packet. For example, in the case of RCA
detection, the RREQ packet is mainly utilized by the attacker to flood the network and
degrade its performance. Therefore, any node in the network should verify the
received RREQ before handling the request. Similarly, if a Hello flood attack is to be
detected, Hello packets should be tested by DCFA before any response is generated by
the routing protocol. DCFA determines the context of the input routing packet, that is,
whether the packet is normal or anomalous. DCFA is an algorithm designed to be
applied in each node of the network to perform local intrusion detection. The aim of
this design is to suppress the attack when it reaches the nearest legitimate node. Also,
local intrusion detection performed by DCFA is feasible for mobile wireless networks
such as MANET and suited to their main characteristics.
Figure 5.1 shows the proposed model for the DCFA intrusion detection algorithm.
The figure illustrates the main processes of DCFA and the paths of these processes.
Table 5.1 summarizes the function of each component in DCFA. The DCFA model
represents the DCFA pseudocode of Algorithm 1 and Algorithm 2. It comprises three
main units, namely, security monitor, innate immunity and adaptive immunity. Each
unit comprises a set of components that interact with one another and connect with
certain other components in outer units. Each unit is also responsible for applying a
primary function in the intrusion detection operation. Specifically, the security monitor
unit comprises an interface unit and a central management point between innate
and adaptive immunity on one side and between both units and the routing protocol on
the other side. The innate immunity unit performs PIR (Algorithm 2) and the adaptive
immunity unit performs SIR (Algorithm 1). Each unit component with its input(s) and
output(s) is explained to elaborate the main processes of DCFA.

Figure 5.1 DCFA model

Table 5.1 DCFA Model Components

| DCFA Model Component | Function |
|---|---|
| Routing Packets Queue | Receives RREQ packets from AODV |
| Antigens Controller | Controls the units and components in DCFA |
| Antigens Verifier | Verifies whether the received antigen exists in MT-Cells or not |
| Genes Store | Stores each tested antigen and its related signals |
| DCs Collection Stage | Collects the received antigen to be processed |
| DCs Processing Stage | Applies fuzzy logic theory on the antigen's related signals |
| NT-Cells | Receives the antigen's context from DC |
| MT-Cells | Stores the malignant antigens' profiles |
| ST-Cells | Suppress fighting benign antigen |

The security monitor contains three main components: routing packet queue,
antigens controller and antigens verifier. The routing packet queue performs three main
processes: it receives input packets from the routing protocol, stores the input packets
in a first-in-first-out manner and sends a packet from the front of the queue to be
handled by the antigens controller when requested. DCFA is developed to receive
different routing packets from different source nodes and to recognize which of these
nodes are attacker(s). At first glance, it seems difficult to detect attacker identity from a
stream of fused information represented in packets of different IP source addresses
and different behaviors of each packet.
This is because if a group of anomalous and normal packets arrives at the
legitimate node's queue in the same period of detection time, the intrusion
detection system may wrongly associate the behavior of anomalous packets with one or
more normal packets and/or vice versa.

Input: Input packets and its correlated effects
Output: antigen with context

while routing packets queue != NULL do
    extract antigen;
    if antigen is found in TGList, then
        extract antigen's index;
        verify input antigen;
        if antigen is found in MTList & MTList antigen counter >= threshold then
            antigen context is 1;
            increment memory T-cells antigen counter;
            return context to antigens controller;
        else
            compute signals;
            store signals;
            call PIR; // Algorithm 2
            return context to antigens controller;
        end
    else
        compute signals;
        initialize GList;
        append GList;
        call PIR; // Algorithm 2
        return context to antigens controller;
    end
end

Algorithm 1. Security monitor and SIR Pseudocode

This wrong association between input packets and packet behaviors leads to
the erroneous detection of several normal packets as anomalous and vice versa,
thereby producing high false positive and/or false negative detection rates that degrade
the accuracy and performance of the intrusion detection algorithm. Focusing on the
association operation in any intrusion detection algorithm leads to accurate input
information on the entity. The antigens controller serves as the control center of
DCFA. It controls the receipt and delivery of inputs and outputs from the DCFA and
to the routing protocol, respectively. It also controls the units that should be activated
to detect a certain input packet's antigen.
In detail, when the antigens controller receives an input packet from the routing
packet queue, it immediately extracts an antigen from that packet. Each extracted
antigen represents the packet's unique source IP address. Afterward, the antigens
controller checks whether the antigen is available in the total genes list (TGList).
TGList is a list of different genes in the genes store component. As depicted in Figure
5.2, each gene is represented in a sub-list from the TGList and defined as GList. Each
GList comprises one antigen (a_i) and a number of related signals (s_j). The number of
antigens in TGList equals I and the number of signals per GList equals J. The number
of antigens in TGList always equals the number of correlated genes in the same list
(i.e., a_0 = Gene_0). However, the signals in each gene are computed from a number of
effects generated from the antigen's packet. This environment reflects that of the
human body tissue in which DCs navigate to collect the antigens and signals for
detection operation.

Figure 5.2 TGList in genes store

If an antigen is found in TGList, the antigens controller then follows SIR by
sending the input antigen to the antigens verifier. Otherwise, it creates a new gene list
for that antigen and its correlated signals, initializes the signals' values with zeroes and
goes through the PIR pathway. The antigens verifier verifies whether the input antigen
was previously regarded as malignant in the MT-cells list (MTList). As shown in
Figure 5.3, MTList contains a set of malignant antigens' profiles. N represents the
total number of malignant antigens and profiles in MTList. Each profile contains a
malignant antigen and its correlated existence counter: malignant antigen counter
(mac). This counter records how many times the antigen is detected and seen in the
DCFA as malignant. If the antigens verifier finds an antigen's correlated counter greater
than a certain threshold (t) in MTList, then the input antigen will be considered
malignant and will be represented by a context equal to 1.
Consequently, the correlated routing packet will be considered an anomalous
packet. The routing protocol then drops the packet and does not respond to its source
node. Otherwise, PIR should be followed to activate anomaly detection by DCs for the
input antigen. The previous discussion indicates that PIR is activated only in two
cases. The first case is when the input antigen is not found in the MT-cells. The second
case is when the input antigen is found, but its existence counter is less than a certain
threshold.

Figure 5.3 MTList in MT-cells


The value of threshold t in MTList is very critical and difficult to determine
because if mac exceeds t, the tested input antigen will be considered malignant each
time it appears in DCFA. Although the use of MT-cells can speed up the response, the
usage should be carefully designed. The time required to reach t provides PIR the
opportunity to test the input antigen many times before confirming whether it is
malignant or not.
Therefore, the t value is carefully tested in Chapter VI. Before calling PIR in
Algorithm 2, the antigens controller computes the signals correlated with the input
antigen and sends the created gene to the genes store. A population of DCs in the DC
collection stage is notified to collect the newly formulated gene. Fuzzy logic theory is
then applied by the DC to process the input signals in the collected gene list. The output
of the fuzzy system is provided as a crisp value. If this value exceeds a certain fuzzy
threshold, then the antigen is malignant and its context is equal to 1; otherwise, the
antigen is considered benign and its context is 0.
In DCFA, if the antigen's context is 0, the immature DC differentiates to a
semi-mature DC. However, if the context of the antigen is 1, then the
DC will differentiate to a mature DC. In both cases, after maturation, the DC should
migrate immediately to the lymph node in adaptive immunity to control the immunity
response of the NT-cell from the NT-Cells component. In the first case, the DC will
stimulate the NT-cell to differentiate to an ST-cell; this differentiation is translated in
DCFA by notifying ST-Cells to check whether a benign antigen exists in MT-Cells and
decrement the mac if so.
The NT-cell differentiates to an MT-cell in the MT-Cells component in the second
case; this differentiation is reflected by initializing a new profile for the antigen and its
mac if the antigen is seen for the first time or by incrementing mac if it is seen more
than once. In both cases, the stimulated NT-cell returns the antigen's context to the
antigens controller in the security monitor unit. Consequently, the antigens controller
returns the results (either 1 or 0) to the routing protocol intended to be secured by
DCFA. A result of 1 should be understood by the routing protocol as the existence of
an attack caused by the antigen's packet and vice versa if the result is 0.

Input: Input antigen and correlated signals
Output: antigen with context

initialize DC;
call fuzzy logic system;
if fuzzy output > fuzzy threshold, then
    antigen context is 1;
    if antigen is not found in MTList
        add antigen to MTList;
        create antigen counter;
        antigen counter equals 1;
    else
        increment antigen's counter;
    end
else
    antigen context is 0;
    if antigen is found in MTList
        decrement antigen counter
    end
end

Algorithm 2. PIR Pseudocode

5.3 DCFA PARTICULARS

This section gives a detailed view of how DCFA should be implemented.
Data structures, indices and parameters are discussed in this section. The
flooding-based attack behaviors considered in the computation of the input signals of
the fuzzy logic system and the specifications of fuzzy logic theory implementation
(e.g., applied fuzzy rules, input sets and input membership functions) are also analyzed.
The specifications presented in this section are simulated in Chapter VI.

5.3.1 DCFA specifications

DCFA is represented in Algorithm 3 and Algorithm 4 using the following parameters,
DCFA components, variables, indices and the related data structure in Table 5.1.

Input: P and E
Output: c(a_i)

while RPQ != NULL do
    update P, E;
    foundTGList = foundMTList = false;
    initialize parameters {I, J, N};
    extract a_i;
    while i <= I do
        search a_i in TGList;
        if foundTGList = true, then
            while n <= N do
                search a_i in MTList;
                if foundMTList = true, then
                    if mac_n >= t, then
                        c(a_i) = 1;
                        mac_n++;
                        return c(a_i) to AC;
                    else
                        while j < J do
                            s_ij = o_ij(e_j);
                            store s_ij; // overwrite the old value in GList_iJ
                            j++;
                        end
                        c(a_i) = PIR;
                        return c(a_i) to AC;
                    end
                else
                    n = n + 1;
                end
            end
        else
            i = i + j + 1;
        end
    end
    if foundTGList = false, then
        initialize GList_iJ;
        while j <= J do
            s_ij = o_ij(e_j);
            store s_ij; // overwrite the old value in GList_iJ
            j++;
        end
        append GList_iJ;
        c(a_i) = PIR;
        return c(a_i) to AC;
    end
end

Algorithm 3. Security monitor and SIR Pseudocode using new terms

Input: a_i and computed S_i
Output: c(a_i)

initialize DC_iJ;
if FLS(S_i) > t_f, then
    c(a_i) = 1;
    while n <= N do
        search a_i in MTList
        if foundMTList = true, then
            mac_n++;
            break;
        end
        n = n + 1;
    end
    if foundMTList = false, then
        initialize MAPList_n;
        insert MAPList_n in MTList;
        mac_n++;
    end
else
    c(a_i) = 0;
    while n <= N do
        search a_i in MTList
        if foundMTList = true, then
            mac_n--;
            break;
        end
        n = n + 1;
    end
end
// both branches release the DC and hand the context back
kill DC_iJ;
return c(a_i) to SIR;

Algorithm 4. PIR Pseudocode using new terms


Parameters and Components:
I: the number of four entities, which are input antigens, input sets signals (S_i), number
of indices given to activated DCs, genes and GLists.
J: the number of two entities, which are packet's effects and input signals per GList.
N: the number of malignant antigens, malignant antigen counters and malignant
antigen profiles in MT-cells list.
RPQ: Routing Packets Queue.
AC: Antigens Controller.

Indices:
i = 0, ..., I: the index of antigens, input sets signals (S_i), DCs, genes and GLists.
j = 0, ..., J: the index of packet's effects and input signals per GList.
n = 0, ..., N: the index of malignant antigens, malignant antigen counters and
malignant antigen profiles in MT-cells list.

Table 5.2 DCFA data structure

| Data Structure and Parameters | Description |
|---|---|
| MTList | Memory T-cells list; list of malignant antigen profiles MT-cells as pictured in Figure 5.3. |
| MAPList_n | Malignant antigen profile list; the sub-list of MTList that represents profile_n. |
| mac_n | Malignant antigen's counter in MAPList_n. |
| foundMTList | Found in MTList. |
| t | The threshold of antigen existence in MTList. |
| TGList | Total genes list. |
| foundTGList | Found in TGList. |
| P | Input packet. |
| e_j | Input packet's effect number j. |
| E | Set of packet's effects, E = {e_j, e_(j+1), ..., e_J}. |
| a_i | Input antigen i. |
| A | Set of extracted input antigens, {a_i, a_(i+1), ..., a_I}. |
| c(a_i) | Context of a_i. |
| s_ij | Computed input signal j correlated with a_i. |
| S_i | Set of a_i computed input signals, {s_ij, s_i(j+1), ..., s_iJ}; TGList in this case is graphically shown in Figure 5.4. |
| o_ij(e_j) | Output of e_j equals s_ij. |
| g_iJ | A gene that contains antigen a_i and J signals. |
| G | Set of genes, {g_iJ, g_(i+1)J, ..., g_IJ}. |
| GList_iJ | A sub-list that represents g_iJ in TGList. |
| DC_iJ | A dendritic cell that samples g_iJ. |
| FLS(S_i) | Fuzzy logic system output of input S_i. |
| t_f | Fuzzy threshold. |

The same indexing value i should be assigned to a_i, S_i, g_iJ, DC_iJ and GList_iJ.
This association allows DCFA to prepare correct information on each antigen's behavior
for correct intrusion detection judgment. The same explanation applies to the use of j
and n to index certain correlated entities for the achievement of accurate results.

Figure 5.4 New pictured TGList

The first effect considered in this research is the rate of the input packet, which
is computed from the number of times an input packet is delivered per unit of time.
Considering that the high rate of receiving a certain packet indicates the existence of a
flooding attack, this effect represents a PAMP signal. Conversely, the low rate of
receiving a certain packet represents a safe signal. The existence of a flooding
attack is considered a danger signal as indicated by the number of connection breaks
between a node and its neighbors.

5.3.2 Fuzzy Logic System Component

This section clarifies how fuzzy logic theory is applied in Chapter VI to detect
flooding-based attacks. As depicted abstractly in Figure 5.5, S_i represents a complete
crisp input in the fuzzy logic system. FLS(S_i) represents the output signal of
processing input set signals S_i and t_f determines the type of output signal from
FLS(S_i). Particularly, if FLS(S_i) is greater than t_f, then FLS(S_i) stands for IL-12
signal. This signal indicates the maturation of DC_iJ to mature DC. Otherwise, FLS(S_i)
represents IL-10 signal, which points to producing semi-mature DC.

Figure 5.5 FLS applied by each DC (stages shown: input signals (S_i), fuzzification,
fuzzy inference with fuzzy rules, defuzzification, output signal (FLS(S_i)))

The details of applying the fuzzy logic system components in Figure 5.5 are
illustrated below.

I. Fuzzification Stage

The capability of DCFA to detect RCA as an example of a flooding-based attack that
floods faked RREQ packets is investigated in Chapter VI. E in Table 5.3 comprises
two elements: e_1, which represents RREQ rate and produces s_1, and e_2, which
represents the number of times the node's connections break and produces s_2.
Therefore, j equals 2 in this research's simulation for DCFA. This means that the
fuzzification stage involves two input variables. The first variable, s_1, comprises three
fuzzy input sets: safe, low-PAMP and high-PAMP, which are represented by z-shaped,
triangular-shaped and s-shaped input membership functions, respectively. Table 5.1
and Figure 5.6 show the assignment of range and degree of membership functions for
input variable s_1. As can be seen, s_1 may have a membership degree in all of safe,
low-PAMP and high-PAMP, in two of these, or in only one of these. The range for each
membership function has been chosen according to the strength of each signal type.
It is also chosen by monitoring a number of runs for each experiment and choosing
the run with the best results.

Table 5.3 Fuzzy sets of input variable s_1

| Fuzzy sets | s_1 parameters |
|---|---|
| safe | [0, 1] |
| low-PAMP | [0, 3, 7] |
| high-PAMP | [3, 6] |

Figure 5.6 Membership functions of input variable s_1


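The explicit formulas for the s_1 membership functions are as follows:

$$
\text{safe}(x; 0, 1) =
\begin{cases}
1, & x < 0 \\
1 - 2x^2, & 0 \le x \le \tfrac{1}{2} \\
2(1 - x)^2, & \tfrac{1}{2} \le x \le 1 \\
0, & x > 1
\end{cases}
\tag{5.1}
$$

$$
\text{low-PAMP}(x; 0, 3, 7) =
\begin{cases}
\dfrac{x}{3}, & 0 \le x \le 3 \\
\dfrac{7 - x}{4}, & 3 < x \le 7 \\
0, & \text{otherwise}
\end{cases}
\tag{5.2}
$$

$$
\text{high-PAMP}(x; 3, 6) =
\begin{cases}
1, & x > 6 \\
1 - 2\left(\dfrac{x - 6}{3}\right)^2, & \tfrac{9}{2} \le x \le 6 \\
2\left(\dfrac{x - 3}{3}\right)^2, & 3 \le x \le \tfrac{9}{2} \\
0, & x < 3
\end{cases}
\tag{5.3}
$$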

The second variable, s_2, comprises two fuzzy input sets: low-danger and
high-danger, which are represented by z-shaped and s-shaped input membership
functions, respectively. The specifications of the z-shaped and s-shaped functions are
shown in Formulas 5.4 and 5.5, respectively. Table 5.4 and Figure 5.7 show the
assignment of range and degree of membership functions for input variable s_2. Similar
to s_1, s_2 may have a membership function degree from low-danger and high-danger or
one of them only.

Table 5.4 Fuzzy sets of input variable s_2

| Fuzzy sets | s_2 parameters |
|---|---|
| low-danger | [0, 5] |
| high-danger | [1, 6] |

Figure 5.7 Membership functions of input variable s_2


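$$
\text{low-danger}(x; 0, 5) =
\begin{cases}
1, & x < 0 \\
1 - 2\left(\dfrac{x}{5}\right)^2, & 0 \le x \le \tfrac{5}{2} \\
2\left(1 - \dfrac{x}{5}\right)^2, & \tfrac{5}{2} \le x \le 5 \\
0, & x > 5
\end{cases}
\tag{5.4}
$$

$$
\text{high-danger}(x; 1, 6) =
\begin{cases}
1, & x > 6 \\
1 - 2\left(\dfrac{x - 6}{5}\right)^2, & \tfrac{7}{2} \le x \le 6 \\
2\left(\dfrac{x - 1}{5}\right)^2, & 1 \le x \le \tfrac{7}{2} \\
0, & x < 1
\end{cases}
\tag{5.5}
$$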

II. Defuzzification Stage

The fuzzy sets for the FLS(S_i) output variable are IL-10 and IL-12. Table 5.5 and
Figure 5.8 show the assignment of range and membership functions for the output
variable FLS(S_i), respectively. As depicted in Figure 5.8, t_f equals 6, which represents
the midpoint of the overlapped area between the IL-10 and IL-12 output membership
functions. Based on Algorithms 2 and 4, if FLS(S_i) equals 4, this implies that the
output signal is IL-10. However, if FLS(S_i) equals 6.6, this implies that the output
signal is IL-12. This result is concluded only after the aggregation function
of the produced output sets has been performed.

Table 5.5 Fuzzy sets of FLS(S_i) output variable

| Fuzzy sets | FLS(S_i) parameters |
|---|---|
| IL-10 | [0, 4, 7] |
| IL-12 | [5, 8, 12] |

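Formulas 5.6 and 5.7 represent membership functions for IL-10 and IL-12 output
fuzzy sets, respectively.

$$
\text{IL-10}(x; 0, 4, 7) =
\begin{cases}
\dfrac{x}{4}, & 0 \le x \le 4 \\
\dfrac{7 - x}{3}, & 4 < x \le 7 \\
0, & \text{otherwise}
\end{cases}
\tag{5.6}
$$

$$
\text{IL-12}(x; 5, 8, 12) =
\begin{cases}
\dfrac{x - 5}{3}, & 5 \le x \le 8 \\
\dfrac{12 - x}{4}, & 8 < x \le 12 \\
0, & \text{otherwise}
\end{cases}
\tag{5.7}
$$

Figure 5.8 Output membership functions for output signal FLS(S_i)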


The fuzzy inference stage produces a set of output membership functions, which
are then aggregated through Mamdani's method to produce an aggregation function.
The centroid equation is then applied to calculate the final crisp value FLS(S_i) for
comparison with t_f to determine whether the value of FLS(S_i) represents an IL-10 or
IL-12 output signal.

III. Fuzzy Inference and Aggregation

The main function of the fuzzy inference stage is to map the input fuzzy sets of s_1
(safe, low-PAMP and high-PAMP) and s_2 (low-danger and high-danger) to output
fuzzy sets (IL-10 and IL-12). Mapping is performed with six fuzzy rules and
Mamdani's (max-min) inference method. The following fuzzy rules are established
based on the strength of the input signals (safe, PAMP and danger signals).
RULE 1: IF (s_1 is safe) and (s_2 is low-danger), THEN (FLS(S_i) is IL-10).
RULE 2: IF (s_1 is safe) and (s_2 is high-danger), THEN (FLS(S_i) is IL-10).
RULE 3: IF (s_1 is low-PAMP) and (s_2 is low-danger), THEN (FLS(S_i) is IL-10).
RULE 4: IF (s_1 is low-PAMP) and (s_2 is high-danger), THEN (FLS(S_i) is IL-12).
RULE 5: IF (s_1 is high-PAMP) and (s_2 is low-danger), THEN (FLS(S_i) is IL-12).
RULE 6: IF (s_1 is high-PAMP) and (s_2 is high-danger), THEN (FLS(S_i) is IL-12).
The number of triggered rules depends mainly on the crisp values of input
signals s_1 and s_2. The inference produced from f rules generates f output membership
functions.

5.4 A WORKED EXAMPLE

This worked example shows a sample calculation for processing only one input
antigen a_i for the purpose of simplification and clarification. Figure 5.9 shows a
complete example of the application of fuzzy logic theory in this example. Assuming
that MTList and TGList are empty, the other elements are as follows:
I = 1: one input antigen, set of signals, activated DC, gene and GList are processed;
therefore i = 0.
A = {a_0}.
J = 2: two RREQ packet effects and two signals per GList are considered; therefore j =
1.
N: its value depends on the resultant context of the input antigen.
t = 5: in this example it is negligible since MTList is empty.
E = {e_0, e_1}; the set of considered RREQ packet effects.
e_0 is RREQ flooding rate.
e_1 is the number of times the connections break.
S_0 = {s_00, s_01}.
s_0 = o_00(e_0) = 4; given that s_0 = 4 has a membership value in low-PAMP and
high-PAMP, which are calculated as in Table 5.1 and sketched as in Figure 5.6, s_0
triggers rules 3, 4, 5 and 6.
s_1 = o_01(e_1) = 2; s_1 has a membership value in two input membership functions:
low-danger and high-danger. The two sets are calculated according to the values in
Tables 5.2 and 5.3 and depicted in Figures 5.6 and 5.7. The six rules are triggered by s_1.
G = {g_02}.
t_f = 6: fuzzy threshold.
Only four rules produce four output membership functions. As shown in Figure
5.9, the input variable with the lower membership value is considered in Mamdani's
method to produce the corresponding output membership function. However, the output
membership functions are aggregated with max membership values in Mamdani's method
during aggregation. Finally, the centroid equation is employed to calculate the ultimate
crisp value FLS(S_0), represented by a red line in the aggregate function. In this
example, FLS(S_0) = 5.05, which is less than t_f = 6, which means that the related
antigen is benign and its packet is normal.

Figure 5.9 Graphical illustration of the fuzzy system stages
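
The worked example can be reproduced numerically. The Python code below is an added example, not code from the thesis: it assumes the standard z-shaped, s-shaped and triangular membership definitions with the parameters of Tables 5.3 to 5.5, an output universe of [0, 12] and a sampled centroid, and all function and variable names are illustrative.

```python
"""Added example: the DCFA fuzzy logic system of Section 5.3.2, standard library only."""


def zmf(x, a, b):
    """Z-shaped membership function: 1 at or below a, 0 at or above b."""
    if x <= a:
        return 1.0
    if x >= b:
        return 0.0
    if x <= (a + b) / 2:
        return 1.0 - 2.0 * ((x - a) / (b - a)) ** 2
    return 2.0 * ((x - b) / (b - a)) ** 2


def smf(x, a, b):
    """S-shaped membership function, the mirror image of zmf."""
    return 1.0 - zmf(x, a, b)


def trimf(x, a, b, c):
    """Triangular membership function with feet a and c and peak b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


# Fuzzy sets with the parameters listed in Tables 5.3, 5.4 and 5.5.
S1_SETS = {  # s1: RREQ rate
    "safe": lambda x: zmf(x, 0, 1),
    "low-PAMP": lambda x: trimf(x, 0, 3, 7),
    "high-PAMP": lambda x: smf(x, 3, 6),
}
S2_SETS = {  # s2: number of connection breaks
    "low-danger": lambda x: zmf(x, 0, 5),
    "high-danger": lambda x: smf(x, 1, 6),
}
OUT_SETS = {
    "IL-10": lambda x: trimf(x, 0, 4, 7),
    "IL-12": lambda x: trimf(x, 5, 8, 12),
}
RULES = [  # RULE 1 to RULE 6 of Section 5.3.2
    ("safe", "low-danger", "IL-10"),
    ("safe", "high-danger", "IL-10"),
    ("low-PAMP", "low-danger", "IL-10"),
    ("low-PAMP", "high-danger", "IL-12"),
    ("high-PAMP", "low-danger", "IL-12"),
    ("high-PAMP", "high-danger", "IL-12"),
]
T_F = 6.0  # fuzzy threshold t_f


def rule_strengths(s1, s2):
    """Mamdani inference: min for AND, max over rules sharing an output set."""
    strength = {"IL-10": 0.0, "IL-12": 0.0}
    for set1, set2, out in RULES:
        firing = min(S1_SETS[set1](s1), S2_SETS[set2](s2))
        strength[out] = max(strength[out], firing)
    return strength


def fls(s1, s2, lo=0.0, hi=12.0, steps=2400):
    """Crisp FLS(S_i): centroid of the max-aggregated, min-clipped output sets."""
    strength = rule_strengths(s1, s2)
    num = den = 0.0
    for k in range(steps + 1):
        x = lo + (hi - lo) * k / steps
        mu = max(min(w, OUT_SETS[name](x)) for name, w in strength.items())
        num += x * mu
        den += mu
    if den == 0.0:
        raise ValueError("no rule fired for these inputs")
    return num / den


def context(s1, s2):
    """Antigen context: 1 (malignant, IL-12) if FLS(S_i) > t_f, else 0 (benign, IL-10)."""
    return 1 if fls(s1, s2) > T_F else 0


if __name__ == "__main__":
    # (4, 2) is the worked example; the other two pairs are constructed inputs.
    for s1, s2 in [(4, 2), (1, 0), (10, 5)]:
        print(s1, s2, rule_strengths(s1, s2), round(fls(s1, s2), 2), context(s1, s2))
```

For the inputs 4 (RREQ rate) and 2 (connection breaks) the firing strengths are 0.68 for IL-10 and about 0.22 for IL-12, and the centroid rounds to 5.05, below t_f = 6.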

5.5 SUMMARY

DCFA was described in two ways in this chapter. Firstly, a generic explanation of the
DCFA model components and their interaction with one another was introduced.
Secondly, the implementation details of the DCFA data structures and parameters as
well as the details of the applied fuzzy system were carefully explained.
The generality of the DCFA model design opens the door for researchers to
apply its functions to detect different types of attacks, even those implemented over
different types of networks. Moreover, the clear description of the DCFA processes
applied in each component serves as a blueprint for the simulation and implementation
of an intrusion detection system. The interaction capability between DCFA and the
outer routing protocol indicates that DCFA can be plugged into any routing protocol to
make it robust and secure.
Although fuzzy logic is mainly used to process antigens and signals in each
DC, DCFA depends more on the danger theory-based artificial immune system (AIS).
Firstly, the receiving and collecting of antigens and each antigen's related signals is
performed by AIS. Secondly, the strengths and weaknesses of each antigen's related
signals (PAMP, danger inflammation and safe signals) are determined according to
concepts and principles in the human immune system (HIS). Thirdly, the activation of
both the primary immune response (PIR) pathway and the secondary immune
response (SIR) pathway is done according to AIS concepts inspired by HIS.
However, fuzzy logic theory is only applied to process the information fusion of
receiving multiple antigens and signals by DCs and to assist in concluding accurate
results for the antigen's context. Finally, fuzzy logic is only applied when the PIR
pathway is activated; the SIR pathway does not use it when Memory T-cells are activated.
Based on that, the proposed DCFA has a low percentage of scope sharing with the
pure fuzzy logic-based IDS previously proposed in the literature. Also, most of the
IDS proposed in previous works use fuzzy logic theory as an assistant system with
another intelligent system such as neural networks, genetic algorithms, swarm
computing and data mining. Therefore, in our research we use fuzzy logic as a
secondary system with AIS in a hybrid intelligent system.

CHAPTER VI

VERIFICATION OF DENDRITIC CELL FUZZY LOGIC ALGORITHM

6.1 INTRODUCTION

The verification performed in this chapter aims to demonstrate the feasibility of DCFA
to detect a flooding-based attack, namely, RCA over MANET. The simulation
scenarios are designed to prove not only the detection capability of DCFA but also its
ability to achieve high performance in both security and network metrics.
Five security metrics, namely, false positive, true negative, false negative, true
positive and accuracy rates, are examined in this chapter. Nine network performance
metrics operating in DCFA are also investigated. These metrics are throughput,
end-to-end delay, total energy consumed, energy consumed in transmit mode, energy
consumed in receive mode, energy consumed in idle mode, number of RREQs retried,
number of initiated RREPs.

6.2 EXPERIMENTAL SETTINGS

Security and network performance metrics are examined in two main scenarios:
scenario C and scenario D. The scenarios share the following experimental settings:
they implement the simulation over 30 legitimate nodes with radio range of 250 m and
60 s simulation time. The attackers in these scenarios are located randomly and
initialize their intrusion from the first second of the simulation time until the last.

106

Two CBRs are placed under the effect of RCA: CBR-1 and CBR-2. Each CBR
has a separate source and destination nodes. Hence, there are two source nodes and
two destination nodes. CBR-1 begins the connection from the first second of the
simulation time. However, CBR-2 begins its connection at time 30 s of the simulation.
The two CBRs end at 60 s. The other fixed simulation parameters are listed in Table
3.5.
The security performance metrics are examined with two versions of DCFA,
namely, DCFA1 and DCFA5. A comparison is made between the two versions in
terms of the effect of RCA. The network performance metrics of DCFA1, DCFA5 and
AODV are compared. The main difference between DCFA1 and DCFA5 is the value
of threshold t. In DCFA1, t equals 1; in DCFA5, t equals 5. The effect of t value is
elaborated in this chapter for two reasons. Firstly, t represents the critical point which
directs DCFA to an appropriate path (PIR and SIR) to make a decision on the context
of the input antigen.
Secondly, when mac_n exceeds t, a_n is considered always malignant. The
importance of t value lies in giving the input antigen a number of opportunities to be
tested by PIR. After exceeding a certain number of tests, a confirmation for the input
antigen context is considered each time it is faced by DCFA. This occurrence means
that if the value of t is too small, the input antigen will be given only one opportunity
to be tested by PIR. Consequently, if PIR concludes a wrong judgment for the input
antigens, this will lead to high false positive rates in the intrusion detection results.
Conversely, if the value of t is too large, the input antigen will be given more
than enough time to be tested by PIR; however, this renders SIR insignificant in
DCFA, because the purpose of SIR is to avoid the time spent on PIR each time the same
antigen is received. For that reason, t value should be carefully selected based on the
results obtained from numerous experimental tests. In the following sections, the
security performance metrics are tested in both DCFA1 and DCFA5 to reveal the
importance of t value. The value 5 is selected after conducting a number of
experiments that tested different t values (1, 2, 3, 4, 5, 6, 7, 9, 10, 15, 17 and 20).
Values greater than 5 exhibited similar
security performance but lower network performance. However, the values less than 5
exhibited lower security and network performance.
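
The role of t described above, as an added sketch that is not code from the thesis: a per-antigen counter latches the context to malignant once it reaches t, and a run over constructed PIR verdict streams shows a small t turning one PIR misjudgment into a lasting false positive while a large t leaves SIR unused. The names ThresholdGate, evaluate and STREAMS, the counting of malignant PIR verdicts in mac_n, and the latch firing when the counter reaches t are assumptions made for the illustration.

```python
from collections import defaultdict

MALIGNANT, BENIGN = "malignant", "benign"

# Constructed sample, not data from the thesis. For each source: whether it is
# really an attacker, and the verdict PIR would return for each of its ten
# successive RREQs if PIR were consulted. The isolated "malignant" verdicts on
# legitimate sources model PIR misjudging retried RREQs.
STREAMS = {
    "legit-1": (False, [BENIGN, MALIGNANT] + [BENIGN] * 8),
    "legit-2": (False, [BENIGN] * 10),
    "legit-3": (False, [MALIGNANT, BENIGN, BENIGN, MALIGNANT] + [BENIGN] * 6),
    "attacker-1": (True, [MALIGNANT] * 10),
    "attacker-2": (True, [MALIGNANT] * 10),
}


class ThresholdGate:
    """Hypothetical PIR/SIR selector driven by a per-antigen counter and t."""

    def __init__(self, t):
        self.t = t
        self.mac = defaultdict(int)  # antigen -> malignant PIR verdicts so far
        self.pir_calls = 0           # how often the expensive PIR path ran

    def classify(self, antigen, pir_verdict):
        # Assumption: the context is confirmed once the counter reaches t,
        # so t = 1 leaves the antigen a single malignant PIR verdict.
        if self.mac[antigen] >= self.t:
            return MALIGNANT         # SIR path: confirmed context, PIR skipped
        self.pir_calls += 1          # PIR path: full test of this antigen
        if pir_verdict == MALIGNANT:
            self.mac[antigen] += 1
        return pir_verdict


def evaluate(t, streams=STREAMS):
    """Run every stream through one gate and return counts and rates."""
    gate = ThresholdGate(t)
    counts = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for source, (is_attacker, verdicts) in streams.items():
        for pir_verdict in verdicts:
            flagged = gate.classify(source, pir_verdict) == MALIGNANT
            if is_attacker:
                counts["tp" if flagged else "fn"] += 1
            else:
                counts["fp" if flagged else "tn"] += 1
    legit = counts["fp"] + counts["tn"]
    total = sum(counts.values())
    return {
        **counts,
        "fp_rate": counts["fp"] / legit,
        "tn_rate": counts["tn"] / legit,
        "accuracy": (counts["tp"] + counts["tn"]) / total,
        "pir_calls": gate.pir_calls,
    }


if __name__ == "__main__":
    for t in (1, 5, 20):
        r = evaluate(t)
        print(f"t={t:2d}  FP rate={r['fp_rate']:.2f}  TN rate={r['tn_rate']:.2f}  "
              f"accuracy={r['accuracy']:.2f}  PIR calls={r['pir_calls']}")
```

On this constructed sample, t = 1 flags 19 of the 30 legitimate RREQs with 15 PIR evaluations, t = 5 flags 3 with 40 evaluations, and t = 20 flags the same 3 but needs 50 evaluations because SIR is never reached.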
6.3 EXPERIMENTAL RESULTS FOR SCENARIO C

In scenario C, performance metrics are measured by varying the number of attackers
(2, 4, 6, 8 and 10). All attackers are distributed randomly among legitimate nodes with
radio range of 250 m. Each attacker floods 10 RREQs/s in all the experiments in this
scenario.
6.3.1 Evaluation of Security Performance for Scenario C

Figures 6.1(a) and 6.2(a) show the effect of varying the number of attackers on the
false positive and true negative rates, respectively, for DCFA1 and DCFA5. As the
number of attackers increases, the false positive rate decreases for both versions of
DCFA (Figure 6.1(a)). Conversely, as the number of attackers increases, the true
negative rate increases for both versions of DCFA (Figure 6.2(a)).

Figure 6.1 Effect of the number of attackers on false positive rate. (a) varying the
number of attackers, (b) the average of false positive rate

Figure 6.2 Effect of the number of attackers on true negative rate. (a) varying the
number of attackers, (b) the average of true negative rate

This result is attributed to the high number of legitimate nodes that trigger
RULE 4 in the received RREQs from legitimate source nodes when the number of
attackers is small. In detail, when the number of applied attackers is small (e.g., 2),
flooding by the attackers causes high numbers of connection breaks, thereby
activating the high-danger input membership function in the fuzzy system of DCFA in
each legitimate node (especially the nearby nodes). The numerous connection breaks
caused by RCA cause the source nodes to retry broadcasting RREQs toward the
destination nodes for two reasons. Firstly, the occurrence of numerous connection
breaks may prevent the destination nodes from receiving RREQ packets from the
source nodes. Secondly, numerous connection breaks may prevent the source nodes
from receiving RREPs from the destination nodes.
This situation causes the source nodes to continuously retry broadcasting
RREQ packets, which could result in, according to the AODV protocol setting
(Perkins & Royer 1999), an RREQ broadcast rate of 4 RREQs/s in the worst case.
Consequently, the low-PAMP membership function is activated, which leads DCFA to
consider the input antigen context as malignant and its related DC as mature. This
conclusion for DC will cause DCFA to wrongly consider the related RREQ as a packet
from an attacker. The same explanation can be obtained from Figure 6.2(a); the case
presents a low true negative rate (a complement of false positive) when the number of
attackers is small. The decrease in false positive rate and the increase in true negative
rate when the number of attackers increases are due to the high competition of
attackers on the links of legitimate nodes. The heavily flooded faked RREQs compete
strongly with the retried RREQs broadcast by legitimate source nodes when the number
of attackers increases. This prevents the normal retried RREQs from reaching a high
number of legitimate nodes, which leads to a decrease in the high false positive and low
true negative rates generated from their processing by RULE 4 in the legitimate nodes'
DCFAs.
DCFA5 continues to exhibit lower false positive and higher true negative rates
in almost all cases with various numbers of attackers. Figures 6.1(a) and 6.2(a)
indicate that high false positive and low true negative rates are recorded when the
number of attackers is 2. Under the effect of 2 attackers in Figures 6.1(a) and 6.2(a),
DCFA5 outperforms DCFA1 by 72% and 13%, respectively. Figures 6.1(b) and 6.2(b)
show the average of false positive and true negative rates, respectively, under the
effect of different numbers of attackers (2, 4, 6, 8 and 10). In the two figures, DCFA5
scores higher security performance than DCFA1. DCFA5 outperforms DCFA1 in
Figures 6.1(b) and 6.2(b) by 65% and 5%, respectively.
In Figure 6.3(a), the false negative rate for both DCFA5 and DCFA1 decreases
as the number of attackers increases. Conversely, in Figure 6.4(a), the true positive
rate (complement of false negative) for both DCFA versions increases as the number
of attackers increases. A false negative problem is generated by the legitimate nodes
located far from the location of attackers and receiving faked RREQs at a low rate. In
this case, a legitimate node may receive bogus RREQs at a rate of 1 RREQ/s, 2
RREQs/s, or 3 RREQs/s depending on the distance between the location of the
affected legitimate node and the location of the attackers in the network. If the distance
between a legitimate node and an attacker is large, faked RREQs will be received by
the legitimate node at a low rate.

Figure 6.3 Effect of the number of attackers on false negative rate. (a) varying the
number of attackers, (b) the average of false negative rate

Figure 6.4 Effect of the number of attackers on true positive rate. (a) varying the
number of attackers, (b) the average of true positive rate

Two scenarios may occur at this point. Firstly, a legitimate node may receive
faked RREQs at a rate of 1 RREQ/s and is not affected by the flooding caused by the
attackers owing to the large distance between them. In this scenario, a legitimate node
may receive forged RREQs at a rate of 2 RREQs/s or 3 RREQs/s. Considering that the
node is far from the flooding area, it will not suffer from numerous connection
breaks. Therefore, the legitimate node will trigger RULE 3 in this scenario and the
faked RREQ will be wrongly considered normal. When the number of attackers
increases, the network area affected by their flooding widens. Consequently, the
number of connection breaks will affect more legitimate nodes, especially those
which are nearer to the attackers' locations. Therefore, the number of legitimate nodes
that apply RULE 3 will be reduced. This explains the inverse and positive
relationships between false negative and true positive rates, respectively, and the
number of applied attackers in the results. DCFA5 clearly outperforms DCFA1 under
the effect of all numbers of attackers as shown in Figures 6.3(a), 6.3(b), 6.4(a) and
6.4(b). In Figures 6.3(a) and 6.4(a), DCFA5 outperforms DCFA1 by 44% and 0.8%,
respectively, under the effect of 2 attackers. DCFA5 outperforms DCFA1 by 43% and
0.4% in Figures 6.3(b) and 6.4(b), respectively, on the average.
As exhibited by the percentages of the differences between DCFA5 and
DCFA1 results, DCFA5 outperforms DCFA1 with high percentages in lower false
positive and false negative rates. DCFA5 also outperforms DCFA1 with low
percentages in higher true negative and true positive rates. This result is expected
because false positive and false negative rates are complements of true negative and
true positive rates, respectively.
The resulting accuracy rates of the four security performance metrics are
shown in Figure 6.5. It is apparent that as the number of attackers increases, the
accuracy, true positive and true negative rates increase. Meanwhile, the increase in the
number of attackers decreases both false positive and false negative rates because
increasing the number of attackers means increasing the flooding rate and the area of
network covered by the flooding, thereby assisting the legitimate nodes to prepare
correct information on the attackers' behaviors and to make a correct decision for that
attacker. Figures 6.1, 6.2, 6.3, 6.4 and 6.5 indicate that the security performance of
DCFA5 is better than that of DCFA1 under the effect of different numbers of
attackers.

Figure 6.5 Effect of the number of attackers on accuracy rate. (a) varying the number
of attackers, (b) the average of accuracy rate

6.3.2 Evaluation of Network Performance for Scenario C

Figure 6.6(a) presents a comparison of the throughputs of DCFA5, DCFA1 and
AODV under the effect of different numbers of RCA attackers. It is apparent from the
figure that the throughput of DCFA5 strongly outperforms the throughput of both
DCFA1 and AODV under the effect of all numbers of attackers. Meanwhile, the
throughputs of DCFA1 and AODV are dramatically affected when the number of
attackers is increased. The throughput of DCFA5 only degrades by 6% under the
effect of 10 attackers compared with its throughput in the normal case (zero attackers).
On the contrary, about 95% and 85% of the DCFA1 and AODV throughputs,
respectively, are reduced under the effect of 10 attackers compared with their
throughputs in the normal case. Looking at Figure 6.6(a) from another angle, in the
worst case, the throughput of DCFA5 outperforms the throughput of DCFA1 and
AODV by 94% and 83%, respectively, when the number of attackers is 10.

Unlike DCFA1 and AODV, DCFA5 exhibits high resistance against the
increase in the number of attackers. The low false positive and false negative rates of
DCFA5 make it robust under the effect of a high number of attackers. However, the
high false positive and false negative rates of DCFA1 make its throughput degradation
worse than that of AODV because the high false positive rate of DCFA1 suppresses
communication among normal nodes. The false negative rate of DCFA1 also presents
another obstacle in terms of initiating a route between the legal source and destination
nodes. Figure 6.6(b) confirms that DCFA5 outperforms DCFA1 and AODV. Each
column represents the average throughput under the effect of different numbers of
attackers.

Figure 6.6 Effect of the number of attackers on throughput. (a) varying the number of
attackers, (b) the average of throughput

Figure 6.7 depicts the effect of varying the number of attackers on the
end-to-end delay of DCFA5, DCFA1 and AODV. Obviously, DCFA5 exhibits the lowest
end-to-end delay under the effect of different numbers of attackers. However, DCFA1
exhibits the highest end-to-end delay under the effect of all numbers of attackers. The
difference between the increase in end-to-end delay for DCFA5 and that for DCFA1
under the effect of 10 attackers is approximately 88%, whereas that between DCFA5
and AODV is approximately 78.5%. Also, under the effect of 10 attackers (worst
case), DCFA5, DCFA1 and AODV exhibit an increase in end-to-end delay by 40%,
91% and 89.4%, respectively, compared with the normal case for each protocol.
Additionally, Figure 6.7(a) shows that the increase in end-to-end delay in DCFA1 is
larger than that in AODV under the effect of various numbers of attackers. This result
can be attributed to the high false positive rate of DCFA1. Figure 6.7(b) shows the
average end-to-end delay under the effect of all numbers of attackers for each
protocol. This figure confirms that DCFA5 outperforms DCFA1 and AODV.

Figure 6.7 Effect of the number of attackers on end-to-end delay. (a) varying the
number of attackers, (b) the average of end-to-end delay
Figure 6.8 confirms that DCFA achieved its main goal, which is to
significantly decrease the energy consumed by legitimate nodes when utilized by RCA
to rebroadcast faked RREQs. The results reveal the difference between the energy
consumed in transmit mode by legitimate nodes in AODV and the energy consumed in
transmit mode in both DCFA1 and DCFA5. Figure 6.8(a) indicates that in the worst
case (under the effect of 10 attackers), the energy consumed in transmit mode when
DCFA5 is applied decreases by 97% compared with the energy consumed when
AODV alone is applied. Moreover, the energy consumed in transmit mode when
DCFA1 is applied decreases by 98.8% compared with the energy consumed when
AODV is applied. Figure 6.8(b) shows the average energy consumed in transmit mode
for each protocol under different numbers of attackers. The average energy consumed
in transmit mode when DCFA5 and DCFA1 are applied decreases by 95% and 98%,
respectively, compared with the average energy consumed in transmit mode when
AODV alone is applied.

Figure 6.8 Effect of the number of attackers on energy consumed in transmit mode.
(a) varying the number of attackers, (b) the average of energy consumed in
transmit mode
Similar to the manner in which DCFA protects transmitter legitimate nodes from
consuming their own energy in transmitting faked RREQs, DCFA also protects
receiver legitimate nodes from wasting energy in receiving spurious packets. Figure
6.9 confirms this idea. In Figure 6.9(a), the energy consumed in receive mode in
DCFA5 and DCFA1 is approximately 90% and 91% lower than the energy consumed
by AODV, respectively, under the effect of 10 attackers. From another point of view,
the average energy consumed in receive mode in DCFA5 and DCFA1 is 89.8% and
91.3% lower than that in AODV, respectively, as shown in Figure 6.9(b).

Figure 6.9 Effect of the number of attackers on energy consumed in receive mode. (a)
varying the number of attackers, (b) the average of energy consumed in
receive mode
Consistently, Figure 6.10 shows that DCFA is successful in keeping a high
number of legitimate nodes idle unlike the case of leaving AODV flooded by RCA
without protection. The energy consumed by the idle legitimate nodes when DCFA5
and DCFA1 are applied under the effect of 10 attackers is approximately 22% and
22.3% less than that consumed by idle legitimate nodes that apply AODV alone,
respectively (Figure 6.10(a)). Figure 6.10(b) also shows that DCFA5 and DCFA1
outperform AODV by 13.23% and 13.45%, respectively, in terms of the average
energy consumed by idle nodes under the effect of various numbers of attackers.

Figure 6.10 Effect of the number of attackers on energy consumed in idle mode. (a)
varying the number of attackers, (b) the average of energy consumed in
idle mode

The total energy consumed by legitimate nodes in Figures 6.11(a) and 6.11(b)
is calculated using Equation 3.5. The results are consistent with the results in Figures
6.8, 6.9 and 6.10. DCFA1 and DCFA5 outperforming AODV is also observed in terms
of the total energy consumed under the effect of having various numbers of attackers.
By applying DCFA5 and DCFA1, legitimate nodes only need to increase their total
energy consumed by 5.4% and 3.5%, respectively, to resist the effect of 10 attackers.
However, with 10 attackers and by using AODV alone, legitimate nodes will be
obliged to increase their energy consumption by 52% compared with the normal case.
DCFA5 and DCFA1 maintain approximately 50% and 51% of the legitimate nodes'
energy compared with the energy consumed when AODV alone is applied under the
effect of 10 attackers (Figure 6.11(a)). The difference between the average total energy
consumed in DCFA5 and DCFA1 protocols and the energy consumed in AODV
protocol is 39.5% and 38.8%, respectively (Figure 6.11(b)). However, the
consumption of less energy by DCFA1 compared with DCFA5 is not advantageous
because the difference is attributed to the excessive suppression of DCFA1 for both
legitimate and attacker nodes.

Figure 6.11 Effect of the number of attackers on total energy consumed. (a) varying
the number of attackers, (b) the average of total energy consumed
Figures 6.12(a) and 6.12(b) reveal that the difference in the number of retried
RREQs in DCFA1, DCFA5 and AODV is not too large. As the number of attackers
increases in the three protocols, the number of retried RREQs also increases. However,
DCFA5 continues to outperform DCFA1 and AODV by exhibiting the lowest number
of retried RREQs. Under the effect of 10 attackers, the number of retried RREQs
required by DCFA5 is approximately 17.3% and 15.5% lower than the number of
retried RREQs required by AODV and DCFA1, respectively.
Figures 6.13(a) and 6.13(b) illustrate very clearly how DCFA (DCFA1 and
DCFA5) suppresses the huge number of spurious RREQs. It is obvious from the
results that when AODV alone is applied, the legitimate nodes are forced to reply to
massive numbers of forged RREQs. Therefore, the legitimate nodes indirectly
overload the network with unnecessary initiated RREPs. Without applying any of the
two DCFA versions, the legitimate nodes are forced to increase their initiated RREPs
as the number of attackers increases.
In Figure 6.13(a), under the effect of 10 attackers, the number of initiated
RREPs increases by 99.9% compared with the normal case. However, the number of
initiated RREPs increases by 32.1% and 39.8% when DCFA5 and DCFA1 are applied,
respectively. Moreover, the vulnerability of AODV to RCA causes the average
number of initiated RREPs to increase by 99% and 99.33% compared with DCFA1 and
DCFA5, respectively.

Figure 6.12 Effect of the number of attackers on the retried RREQs. (a) varying the
number of attackers, (b) the average of retried RREQs

Figure 6.13 Effect of the number of attackers on the initiated RREPs. (a) varying the
number of attackers, (b) the average of initiated RREPs

6.4 EXPERIMENTAL RESULTS FOR SCENARIO D

Scenario D examines varying attackers' radio ranges (200, 250, 300, 350 and 400 m).
Four attackers with flooding rate of 30 RREQs/s are simulated in all the experiments
for this scenario.
6.4.1 Evaluation of Security Performance for Scenario D

As shown in Figures 6.14 and 6.15, varying the radio range of four attackers has a
significant impact on the difference between false positive and true negative rates
recorded by DCFA1 and DCFA5. Mainly, the false positive rate results from the
triggering of RULE 4 by the legitimate nodes' DCFA. A small radio range emitted by
attackers means that more chances are provided for RULE 4 to be triggered because as
the attackers increase their radio range, they actually increase their control and
competition on the link. The resultant control and competition prevent one of the
RULE 4 premises, which is low-PAMP, from being fulfilled.

Figure 6.14 Effect of the attackers radio range on false positive rate. (a) varying radio
range, (b) the average of false positive rate

Figure 6.15 Effect of the attackers radio range on true negative rate. (a) varying radio
range, (b) the average of true negative rate

Although the false positive rates of both DCFA1 and DCFA5 decrease as radio
range increases, DCFA5 shows lower false positive rates for all the applied radio
ranges (Figure 6.14(a)). At radio range of 200 m, DCFA5 records a false positive rate
that is 79% less than that exhibited by DCFA1. Consistently, in Figure 6.15(a),
DCFA5 outperforms DCFA1 at all radio ranges. At radio range of 200 m, DCFA5
records a true negative rate that is 13.7% greater than that recorded by DCFA1. Referring
to Figure 6.14(b), the average false positive rate recorded by DCFA5 at all radio
ranges is 88.6% lower than that recorded by DCFA1. Also, as in Figure 6.15(b), the
average true negative recorded by DCFA5 is 8.8% higher than that recorded by
DCFA1. The general behavior of false negative rate under the effect of increasing the
attackers' radio range in Figure 6.16(a) is similar to the behavior of false positive rate
in Figure 6.14(a). However, the false negative rate for DCFA1 is 51.5% higher than
the false negative rate for DCFA5 at radio range of 200 m.
Moreover, true positive rate in Figure 6.17(a) exhibits the same behavior as
that of true negative rate in Figure 6.15(a) even though the difference between DCFA5
and DCFA1 is only 0.8% at radio range of 200 m. The increase of radio range
increases the flooding rates of the attackers and the area of the network under their
control. Consequently, the number of connection breaks will threaten more legitimate
nodes. Therefore, the number of legitimate nodes that apply RULE 3 will decrease,
indicating that the average false negative rates recorded at a certain radio range by all
legitimate nodes' DCFAs in the network will likewise decrease. In Figure 6.16(b),
DCFA5 outperforms DCFA1 by 59.7% in terms of average false negative rate.
However, in Figure 6.17(b), minimal difference is observed between DCFA5 and
DCFA1 in terms of recorded true positive rate.

Figure 6.16 Effect of the attackers radio range on false negative rate. (a) varying
radio range, (b) the average of false negative rate

Figure 6.17 Effect of the attackers radio range on true positive rate. (a) varying radio
range, (b) the average of true positive rate

The resulting accuracy rate in Figure 6.18 shows results consistent with those
in Figures 6.15 and 6.17. Although the effects of true positive and true negative results
appear clearly in the results of accuracy rate, DCFA5 maintains a high accuracy rate at
all radio ranges. In general, the more the attackers increase their power and
control, the more correct the results achieved by DCFA.

Figure 6.18 Effect of the attackers radio range on accuracy rate. (a) varying radio
range, (b) the average of accuracy rate

6.4.2 Evaluation of Network Performance for Scenario D

Figure 6.19 confirms the capability of DCFA5 to secure MANET efficiently even if it
has been intruded by attackers with high radio ranges. However, this capability is
degraded when DCFA1 is applied and reaches a throughput equal to zero at radio
ranges of 350 m and 400 m. The efficiency of DCFA1 is reduced under the effect of
high radio range attackers more than AODV. The reason behind this result is the
high false positive and false negative rates of DCFA1 and the significant effect of
attackers with high radio ranges.
Numerically, about 100% of the DCFA1 throughput at radio range of 200 m is
completely degraded at radio ranges of 350 m and 400 m. Also, the attackers with
400 m radio range can diminish about 96.9% of the throughput of AODV. However,
DCFA5 loses only 12.3% of its throughput at radio range of 400 m compared with
radio range of 200 m. When the throughput of the three protocols at radio range of
400 m is compared, the throughput of DCFA5 is 100% and 98% higher than that of
DCFA1 and AODV, respectively (Figure 6.19(a)). Additionally, the average
throughput achieved by DCFA5 is approximately 83.4% and 72.7% higher than the
average throughput of DCFA1 and AODV, respectively, as shown in Figure 6.19(b).

Figure 6.19 Effect of the attackers radio range on throughput. (a) varying radio range,
(b) the average of throughput
In Figure 6.20, DCFA5 tries to keep about the same end-to-end delay at all
radio ranges. However, DCFA1 and AODV are dramatically affected by radio range
increase of the applied attackers. DCFA1 becomes inefficient at radio ranges of 350 m
and 400 m; the end-to-end delay approaches infinity. The high false positive rate of
DCFA1 renders the possibility of initiating shortest path routes rare and very limited,
thereby causing high increase of end-to-end delay at radio ranges of 250 m and 300 m.
The initiated long and non-optimal routes cannot combat attackers with radio ranges of
350 m and 400 m. At a radio range of 300 m, the end-to-end delay for DCFA1
increases by about 76.5% compared with end-to-end delay at a radio range of 200 m.
AODV increases its end-to-end delay by 89.5% at a radio range of 400 m. However,
the difference between the end-to-end delay values (at radio ranges of 200 m and
400 m) for DCFA5 is negligible.

Figure 6.20 Effect of the attackers radio range on end-to-end delay


Figure 6.21 shows the energy consumption of the legitimate nodes in transmit
mode. The legitimate nodes that apply AODV alone consume higher energy than
nodes that apply DCFA5 and DCFA1. The legitimate nodes are forced to consume
more of their own energy to transmit forged RREQs flooded by RCA attackers. The
difference between DCFA5 and DCFA1 in terms of the energy consumed by the
legitimate nodes is insignificant. DCFA5 reduces the average energy consumed in
transmit mode by 94.24% compared with AODV. Almost similar to DCFA5, DCFA1
reduces the energy consumed by 94.36% compared with AODV (Figure 6.21(b)).

Figure 6.21 Effect of the attackers radio range on energy consumed in transmit mode.
(a) varying radio range, (b) the average of energy consumed in transmit
mode

The energy consumed by the legitimate nodes in receive mode in AODV is
clearly suppressed by DCFA5 and DCFA1 as shown in Figures 6.22(a) and 6.22(b).
This finding indicates that DCFA is successful in isolating RCA attackers and
reducing the reception of their bogus RREQs. The average energy consumed in
receive mode increases in AODV by 87.4% and 87.7% compared with DCFA5 and
DCFA1, respectively (Figure 6.22(b)).

Figure 6.22 Effect of the attackers radio range on energy consumed in receive mode.
(a) varying radio range, (b) the average of energy consumed in receive
mode
Figure 6.23 depicts the effect of RCA attackers as they increase their radio
ranges and control on notifying AODV legitimate nodes. Figure 6.23(a) also shows
how DCFA avoids the legitimate nodes responding to RCA attackers. A positive
relationship is created between the energy consumed in idle mode and the increase in
the attackers' radio range, resulting from the resistance of DCFA against RCA. AODV
consumes approximately 31.89% and 31.83% less energy than that consumed in
DCFA1 and DCFA5, respectively (Figure 6.23(b)).
The total energy consumed by the legitimate nodes of AODV, DCFA1 and
DCFA5 at various radio ranges is shown in Figure 6.24(a). The total energy consumed
by the AODV nodes increases as the radio range increases. However, a slight increase
in the total energy consumed by the legitimate nodes of DCFA is observed as radio
range increases. At a radio range of 400 m, DCFA1 and DCFA5 reduce the total energy
consumed by 62.48% and 62.3% compared with AODV. The average total energy
consumed at all radio ranges is reduced in DCFA5 and DCFA1 by 56.6% and 56.7%
compared with AODV as shown in Figure 6.24(b).

Figure 6.23 Effect of the attackers radio range on energy consumed in idle mode. (a)
varying radio range, (b) the average of energy consumed in idle mode

Figure 6.24 Effect of the attackers radio range on total energy consumed. (a) varying
radio range, (b) the average of total energy consumed
As shown in Figure 6.25(a), AODV source nodes are forced to retry
broadcasting RREQs many times to initiate a successful route to the required
destination. At increased attackers' radio ranges, the retried RREQs also increase
steadily. The DCFA1 source nodes are forced to retry broadcasting RREQs under the
pressure of high false positive rates and attack.
At the radio ranges of 200 m and 250 m, the DCFA1 source nodes initiate
more retried RREQs than the AODV source nodes. At the radio ranges of 300 m,
350 m and 400 m, the number of initiated retried RREQs becomes fixed and is less
than that initiated by the AODV source nodes. DCFA5 outperforms DCFA1 and
AODV in reducing the number of initiated retried RREQs. As shown in Figure
6.25(b), DCFA5 diminishes the required retried RREQs by 15% and 16% compared
with DCFA1 and AODV, respectively.

Figure 6.25 Effect of the attackers radio range on the retried RREQs. (a) varying
radio range, (b) the average of retried RREQs
Figures 6.26(a) and 6.26(b) show the ability of DCFA to spare legitimate nodes
from responding to faked requests sent by RCA attackers. The AODV legitimate
nodes are forced to reply to the attackers' continuous floods of RREQs. Therefore,
AODV is overloaded with numerous initiated RREPs compared with DCFA1 and
DCFA5. The initiated RREPs overload increases as the radio range of the attackers
increases. The results presented in Figure 6.26(b) indicate that the average number of
initiated RREPs by the AODV legitimate nodes increases by 99.7% and 99.8%
compared with DCFA5 and DCFA1, respectively. The average number of initiated
RREPs by the DCFA1 legitimate nodes is less than that initiated by the DCFA5
legitimate nodes. This result can be attributed to the long routes that are hardly
initiated when DCFA1 is applied. The long routes prevent most of the source nodes'
RREQs from reaching the required destination; therefore, fewer RREP packets are
initiated in response to the received RREQs.

Figure 6.26 Effect of the attackers radio range on the initiated RREPs. (a) varying
radio range, (b) the average of initiated RREPs

6.5 COMPARISON BETWEEN DCFA AND PREVIOUS WORKS

In this section, DCFA is compared with three up-to-date previously proposed AIS-based
algorithms in the literature review. The algorithms share with DCFA the main
objective of developing an AIS-based intrusion detection algorithm with the highest
performance scores. As shown in Table 6.1, seven comparison metrics have been
studied: the detected attacks in specific area, the studied network performance metrics,
the highest improvement (IP) ratio achieved for each studied network performance
metric according to the experiment environment for each study, the studied security
performance metrics, the best ratio achieved for each security metric, the strengths and
the limitations for each study.

Table 6.1 Comparison between DCFA and previous works

Studied parameter    Algorithm / Year
                     DCFA, 2014               ABIDs, 2012     SNAIS, 2010       CIA, 2010
Detected attack(s)   Flooding-based attacks   Internet        Flooding-based    Wormhole attacks
                     over network layer in    viruses over    attacks over      over MAC layer
                     MANET.                   application     network layer     in MANET.
                                              layer.          in WSN.
Network metrics      TP, ETED, EC, RO         NA              TP                NA
IP ratio (%)         98, 100, 62.3, 99.3      NA              0.5               NA
Security metrics     FP, FN, TP, TN, A        MCAV            FP, FN, TP, TN    FP, A
Best ratio (%)       1, 0.4, 99.6, 99, 99.2   4%              1, 48, 52, 99     4.84, 85.51

Strengths
DCFA, 2014:
- Making association between an antigen and its related signals.
- Utilizing danger and fuzzy logic theories.
- Combining between anomaly-based and signature-based ID.
ABIDs, 2012:
- Utilizing danger theory and agent-based models.
SNAIS, 2010:
- Utilizing danger theory.
- Depending on empirically concluded equation and weighting values.
CIA, 2010:
- Utilizing co-stimulation concept in HIS.

Limitations
DCFA, 2014:
- No security cooperation between nodes.
ABIDs, 2012:
- No security cooperation between nodes.
- Network and most security performance metrics are not studied.
- High false negative and low true positive
SNAIS, 2010:
- High false negative and low true positive rates.
- Causing degradation in network performance.
- No security cooperation between nodes.
- Only throughput is studied in network performance metrics.
CIA, 2010:
- The second stage in SNAIS is energy inefficient.
- The security cooperation between nodes is not authenticated.
- Network performance metrics and most of the security performance metrics are not
  tested.

TP: throughput, ETED: end-to-end delay, EC: energy consumption, RO: routing overhead, NA: not
applicable, MCAV: mature context antigen value, FP: false positive, FN: false negative, TP: true positive,
A: accuracy.

131

The first algorithm compared with DCFA, an agent-based AIS (ABAIS), was proposed
in (Ou 2012) to detect viruses and Internet worms over the application layer. As
shown in Table 6.1, the network performance metrics have not been tested for ABAIS,
and the only security parameter tested is MCAV, which represents the mature context
antigen value and for which the reported ratio is 4%. Although ABAIS combines the
relevant features of agent-based systems and AIS-based systems, its dependency on
DCA causes high false positive rates and a low accuracy rate. In addition, ABAIS
does not support security cooperation between nodes over a wired network.
The second algorithm compared with DCFA, the sensor network-based artificial
immune system (SNAIS), was proposed in (Wallenta et al. 2010) to detect a
flooding-based attack called cache poisoning attack over wireless sensor networks
(WSNs). SNAIS has been tested using only one network performance metric, throughput,
for which the best improvement ratio is only 0.5%. It has also been tested using
four security performance metrics, false positive, false negative, true positive
and true negative, with best ratios of 1%, 48%, 52% and 99%, respectively.
The third and final algorithm compared with DCFA, a co-stimulation inspired
approach (CIA), was proposed in (Martin Drozda et al. 2009; Drozda et al. 2010) to
detect three types of attacks over MANET: packet dropping, packet delaying and
wormhole attacks. Only two security performance metrics have been tested for CIA:
false positive and accuracy rates. The best ratios obtained in testing are 4.84%
and 85.5%, respectively.
Table 6.1 shows that DCFA has been thoroughly tested over a wide range of
network and security performance metrics compared with the previous works.
Throughput, end-to-end delay, energy consumption and routing overhead have been
tested, and the best improvement ratios were 98%, 100%, 62.3% and 99.3%,
respectively. In addition, the best ratios achieved for false positive, false
negative, true positive, true negative and accuracy are 1%, 0.4%, 99.6%, 99% and
99.2%, respectively. This comparison clearly shows that DCFA outperforms the
highlighted previous works.

6.6 SUMMARY

Security and network performance were tested in this chapter for two versions of
DCFA, namely, DCFA1 and DCFA5. Testing was performed to show the importance
of the value of the t threshold. If an input antigen is considered malignant in
DCFA1, the same judgment will be applied at each appearance of the antigen to the
algorithm without any chance for new testing. However, an input antigen is tested
five times in DCFA5; after that, its context can be considered malignant for future
appearances. The conducted experiments show that the difference between DCFA5 and
DCFA1 in terms of false positive and false negative rates is greater than the
difference between the two in terms of true positive and true negative rates.
However, DCFA5 outperforms DCFA1 in almost all the tested performance metrics.
AODV, DCFA1 and DCFA5 were also compared through a set of experiments
that test certain network performance metrics, which are throughput, end-to-end delay,
energy consumed in transmit mode, energy consumed in receive mode, energy
consumed in idle mode, total energy consumed, number of initiated retried RREQs
and number of initiated RREPs. These network performance metrics were tested in
two scenarios. These metrics were selected because they are obviously affected by
RCA, as discussed in Chapter IV. This chapter revealed that DCFA5 can resist RCA by
attempting to maintain network performance as high as possible. The fact that DCFA5
outperforms DCFA1 and AODV confirms the high capability and performance of
DCFA5 from network and security points of view. Clearly, the t threshold should be
equal to 5 to produce a successful and highly efficient DCFA.
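
The effect of the t threshold summarized above can be illustrated with the following Python example. It is an added illustration, not code from this thesis or its QualNet model. It assumes that the per-appearance verdict of the fuzzy DC stage is given as a constructed boolean and that an antigen is written to the MT-cell profiles once it has collected t malignant verdicts; the names ThresholdMemory, build_events and evaluate are hypothetical, and the rates use the standard confusion-matrix definitions. It models only the false-positive effect of the threshold.

```python
"""Added illustration: effect of the t threshold on false positives.

Not the thesis's QualNet model. Assumptions: the per-appearance verdict of the
fuzzy DC stage is supplied as a constructed boolean, and an antigen is written
to the MT-cell profiles once it has collected t malignant verdicts.
"""
from collections import Counter


def build_events():
    """Constructed sample: (antigen id, really an attacker?, malignant verdict?)."""
    events = []
    for i in range(10):
        events.append(("legit-1", False, i == 2))   # one spurious malignant verdict
        events.append(("legit-2", False, False))    # always judged benign
        events.append(("attacker-1", True, True))   # flooding source, always malignant
    return events


class ThresholdMemory:
    """Hypothetical stand-in for one node's MT-cell profiles."""

    def __init__(self, t):
        if t < 1:
            raise ValueError("t must be at least 1")
        self.t = t
        self.strikes = Counter()   # antigen -> malignant verdicts seen so far
        self.profiles = set()      # antigens committed as malignant

    def classify(self, antigen, verdict_malignant):
        """Return True when this appearance of the antigen is suppressed."""
        if antigen in self.profiles:
            return True            # signature path: judged without new testing
        if not verdict_malignant:
            return False           # anomaly path found nothing this time
        self.strikes[antigen] += 1
        if self.strikes[antigen] >= self.t:
            self.profiles.add(antigen)   # from now on, no chance for new testing
        return True


def _rate(part, whole):
    """Ratio that stays defined when a class is absent from the sample."""
    return part / whole if whole else 0.0


def evaluate(t, events):
    """Replay the events through a memory with threshold t and score the result."""
    memory = ThresholdMemory(t)
    counts = Counter()
    for antigen, is_attacker, verdict in events:
        suppressed = memory.classify(antigen, verdict)
        if is_attacker:
            counts["TP" if suppressed else "FN"] += 1
        else:
            counts["FP" if suppressed else "TN"] += 1
    tp, tn, fp, fn = counts["TP"], counts["TN"], counts["FP"], counts["FN"]
    return {
        "TP": tp, "TN": tn, "FP": fp, "FN": fn,
        "fp_rate": _rate(fp, fp + tn),
        "fn_rate": _rate(fn, fn + tp),
        "tp_rate": _rate(tp, tp + fn),
        "tn_rate": _rate(tn, tn + fp),
        "accuracy": _rate(tp + tn, tp + tn + fp + fn),
        "profiles": sorted(memory.profiles),
    }


if __name__ == "__main__":
    for t in (1, 5):
        result = evaluate(t, build_events())
        print(f"t={t}: FP={result['FP']} TN={result['TN']} TP={result['TP']} "
              f"FN={result['FN']} accuracy={result['accuracy']:.3f} "
              f"profiles={result['profiles']}")
```

With t = 1, the single spurious verdict against legit-1 is enough to commit that node to the profiles, so every later appearance is suppressed; with t = 5, only the one misjudged appearance is lost and the attacker is still committed after its fifth malignant verdict.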

CHAPTER VII

CONCLUSIONS AND FUTURE WORKS

7.1 RESEARCH CONTRIBUTIONS

This research adds three main contributions to the literature. Firstly, a new RCA
attack model and its countermeasure DCFA model have been developed and added to the
QualNet v5.0.2 platform to be implemented over MANET. The RCA model has been
developed to inject the flooding attack over the AODV routing protocol. Also, the
countermeasure model for RCA has been developed to secure the AODV routing protocol.
Secondly, new factors have been introduced to implement and analyze RCA
over MANET, specifically, varying the number of attackers in combination with the
attackers' positions and varying the attackers' radio range and flooding rate.
Thirdly and finally, a new AIS-based algorithm and its related model have been
developed and evaluated. The model has been added to QualNet v5.0.2 to be tested in
terms of both security and network measurements. Five security performance metrics
have been used to test DCFA, specifically, false positive, false negative, true
positive, true negative and accuracy rates. Also, four network performance metrics
have been used to test DCFA, namely throughput, end-to-end delay, energy consumption
and routing overhead.

7.2 ACHIEVEMENTS

The major goal of this research is to introduce an efficient, self-defensive and
self-organizing algorithm to protect MANET from flooding-based attacks. This goal
involves a set of objectives, which are listed in Section 1.3. The objectives were
carefully achieved throughout the chapters of this thesis. The first objective was
fulfilled in Chapter IV. A comprehensive study of the effect of flooding-based attacks
was introduced. RCA was simulated as an example of a flooding-based attack with
QualNet version 5.0.2. The simulation clarified the performance parameters that affect
RCA attackers' effectiveness, such as varying the number of attackers and their
positions and varying the attackers' radio range and their flooding rates.
From the experiments performed in Chapter IV, a blueprint for the design of
DCFA was provided. Specifically, if a certain attack is designed to degrade the
performance of a specific routing protocol, the attack designer must first study the
specifications of that routing protocol. Similarly, if a researcher intends to design an
AIS-based intrusion detection algorithm, an investigation of the monitored attack
should be carried out. Thus, the strengths and weaknesses of the observed attack can
be determined. Such determination increases the chances for the designed intrusion
detection algorithm to succeed and defeat the intrusion. For example, as
flooding-based attacks depend mainly on the mechanism of flooding high rates of faked
packets, this mechanism forms a signal in DCFA. This signal strongly indicates the
existence of RCA and helps DCFA prepare correct information on the signal's
relevant antigen and label it with the correct context (either malignant or benign).
The second objective of this research is addressed in Chapter V. DCFA was
developed and thoroughly illustrated. The distinctive features of danger theory and
fuzzy logic theory were utilized to produce a hybrid intelligent intrusion detection
algorithm. DCFA was mainly derived from the abstract biological model of DCs in
innate immunity and their interaction with T-cells in adaptive immunity in the human
immune system. Fuzzy logic theory is the heart of the DC function; through it,
multiple signals can be received and their relevant antigens' context can be produced.
The migration of DCs after maturation triggers NT-cells and controls their response to
the input antigen. The function of T-cells in adaptive immunity was applied in DCFA
in an abstract manner to avoid the application of self-nonself discrimination theory,
which involves the use of the negative selection algorithm and leads to a scalability
problem and high false positive rates. HIS modeling and abstraction of certain
functions and principles are what make DCFA an efficient, self-defensive and
self-organizing algorithm.
DCFA was verified in Chapter VI with QualNet v5.0.2 as a simulation tool to
achieve the third objective of this research. The importance of selecting the value of
the t threshold was made clear by comparing the two versions of DCFA, namely,
DCFA1 and DCFA5. Another comparison was conducted to examine the network and
security performance of DCFA1, DCFA5 and AODV. DCFA5 outperforms DCFA1
by scoring lower false positive and false negative rates and higher true positive, true
negative and accuracy rates. Testing helped set the value of the t threshold in DCFA
to 5 to gain the desired level of performance and efficiency.
DCFA5 proves its capability to secure MANET and maintain its performance
and resources simultaneously. DCFA5 outperforms AODV by scoring higher
throughput and lower values in the following network performance metrics:
end-to-end delay, total energy consumed and routing overhead. Although DCFA1
suppressed the effects of RCA on network energy consumption and routing overhead, it
clearly failed to maintain high throughput and low end-to-end delay because of its
oppressive connection suppressions. The unfair suppressions in DCFA1 result in high
false positive rates, unlike in DCFA5, which is resilient and fault-tolerant. Therefore, it
can be concluded from Chapter VI that DCFA applies a t threshold value that is equal
to 5.

7.3 RESEARCH ADVANTAGES AND LIMITATIONS

DCFA has the potential to become a highly successful AIS-based intrusion detection
algorithm because of the following advantages. Firstly, any attack should be
activated by an entity (e.g., faked packet) with a certain identity and a set of
behaviors to fulfill the attack purposes. Therefore, the translation of the input
routing packet's identity into an antigen and its behaviors into a set of signals
allows DCFA to be utilized in the detection of a wide range of attacks.
Secondly, DCFA performs anomaly detection and depends on its own learning
to perform partial signature detection, which makes DCFA resilient and able to detect
new attack identities even if they are not recorded in MT-cell profiles. The partial use
of signature detection speeds up the detection operation in DCFA and keeps network
performance high. Although anomaly detection yields high false positive rates, DCFA
can deal with this problem very well by setting the t threshold to 5. Each antigen is
provided five chances to be tested before it is transformed to MT-cell profiles. Thus,
the false positive rates in DCFA5 are reduced and the problem in DCFA1 is explained
clearly. This advantage confirms DCFA's potential application to dynamic and
non-centralized networks, such as MANET.
Thirdly, although security algorithms are inversely related to the performance
of the protected systems, DCFA maintains its high efficiency and effectiveness. As
presented in Chapter VI, network performance metrics are negatively affected by low
percentages because DCFA is applied under the pressure of increasing the number of
attackers or increasing the attackers' radio ranges compared with the normal case (zero
attackers). DCFA increases the performance of the AODV routing protocol when an
attack occurs, which means that DCFA not only makes AODV secure enough but also
increases its robustness and performance when attacked.
Finally, unlike (Greensmith 2007; Kim et al. 2006), DCFA does not depend on
the temporal correlation between the incoming antigens and signals. Temporal
correlation depends mainly on the order of the tested input antigens and causes high
false positive rates when antigens with a different context enter the system
simultaneously. Therefore, DCFA establishes the association between an input antigen
and its relevant signals. The relation between an antigen and its signals is arranged
carefully in a gene. The accumulative genes are congregated in TGList in the genes
store. This careful data collection and preparation for the detection operation
increases the possibility of obtaining low false positive and false negative rates and
a high accuracy rate.
However, DCFA has a limitation in finding well-managed collaboration
between mobile nodes in MANET. DCFA operates locally and should be installed in
each node to protect itself; however, if one node confirms the context of a certain
antigen as malignant, it would not broadcast that context to the surrounding nodes.
This limitation increases the possibility of obtaining false negative rates.
Furthermore, cooperation between non-centralized nodes in intrusion detection
strengthens their security systems. However, this cooperation should be applied
between authorized nodes because a group of attackers may join legitimate nodes and
broadcast faked security information on certain legitimate nodes to isolate them from
the network and cause network partitioning.

7.4 SUGGESTIONS FOR FUTURE WORKS

The work presented in this research sparks a series of ideas that should be adopted in
future studies, as follows:

i. The security and network performance of DCFA should also be examined
when applied to detect different types of attacks, such as black hole, Hello
flood, rushing attack, routing table overflow and exploitation of
node-penalizing schemes.

ii. To cement the advantage of applying the adaptive immunity subsystem in
DCFA, a new version of DCFA can be derived. The new version can be
designed to utilize anomaly detection in innate immunity only. Afterward, a
comparison between DCFA and its new version can be conducted through a set
of experiments that examines DCFA security and network performance
metrics.

iii. DCFA is verified with QualNet 5.0.2 to detect RCA over MANET. DCFA, as
an algorithm applied in each node, can also be verified with a real data set to
examine its reliability and correctness.

All future studies should aim to strengthen DCFA as a novel contribution to
knowledge.

REFERENCES

Agrawal, S., Jain, S. & Sharma, S. 2011. A Survey of Routing Attacks and Security
Measures in Mobile Ad-Hoc Networks. Journal of Computing. 3(1): 41-48.
Aickelin, U., Bentley, P., Cayzer, S., Kim, J. & McLeod, J. 2003. Danger theory: The
link between AIS and IDS? International Conference on Artificial Immune
Systems. 147-155.
Aickelin, U. & Cayzer, S. 2002. The danger theory and its application to artificial
immune systems. International Conference on Artificial Immune Systems. 141-148.
Aickelin, U. & Greensmith, J. 2007. Sensing danger: Innate immunology for intrusion
detection. Information Security Technical Report. 12(4): 218-227.
Alberts, B. 2002. Molecular Biology of the Cell (4th ed.). New York: Garland Science.
ISBN: 0-8153-4072-9.
Alotaibi, E. & Mukherjee, B. 2011. A survey on routing algorithms for wireless
Ad-Hoc and mesh networks. Computer Networks. 56(2012): 940-965.
Alsaqour, R. A., Abdelhaq, M. S. & Alsukour, O. A. 2012. Effect of network
parameters on neighbor wireless link breaks in GPSR protocol and
enhancement using mobility prediction model. EURASIP Journal on Wireless
Communications and Networking. 2012(1): 171.
An, B. & Papavassiliou, S. 2003. Geomulticast: architectures and protocols for mobile
ad hoc wireless networks. Journal of Parallel and Distributed Computing.
63(2): 182-195.
Arslan, A. & Kaya, M. 2001. Determination of fuzzy logic membership functions
using genetic algorithms. Fuzzy sets and systems. 118(2): 297-306.
Avudainayagam, A., Lou, W. & Fang, Y. 2003. DEAR: A Device and Energy Aware
Routing protocol for heterogeneous ad hoc networks. Journal of Parallel and
Distributed Computing. 63(2): 228-236.
Baadache, A. & Belmehdi, A. 2012. Fighting against packet dropping misbehavior in
multi-hop wireless ad hoc networks. Journal of Network and Computer
Applications. 35(3): 1130-1139.
Bas, J. & Neira, A. P. 2003. A fuzzy logic system for interference rejection in code
division multiple access. 2: 996-1001 vol. 1002.

Boukerche, A., Turgut, B., Aydin, N., Ahmad, M. Z., Bölöni, L. & Turgut, D. 2011.
Survey Paper: Routing protocols in ad hoc networks: A survey. Computer
Networks: The International Journal of Computer and Telecommunications
Networking. 55(13): 3032-3080.
Bretscher, P. A. 1999. A two-step, two-signal model for the primary activation of
precursor helper T cells. Proceedings of the National Academy of Sciences.
96(1): 185-190.
Brutch, P. & Ko, C. 2003. Challenges in intrusion detection for wireless ad-hoc
networks. Applications and the Internet Workshops, 2003. Proceedings. 2003
Symposium on. 368-373.
Çayırcı, E. & Rong, C. 2009. Security in wireless ad hoc and sensor networks. Wiley
Online Library. ISBN: 0470027487.
Chang, K. B., Son, T. H. & Park, G. T. 2006a. Dynamic control of packet transmission
rate using fuzzy logic for ad hoc networks. Computational Intelligence: 1311-1316.
Chang, K. B., Son, T. H. & Park, G. T. 2006b. A method of controlling packet
transmission rate with Fuzzy logic for Ad Hoc networks. Intelligent Control
and Automation: 138-143.
Chiang, C. C. & Gerla, M. 1997. Routing and multicast in multihop, mobile wireless
networks. IEEE 6th International Conference on Universal Personal
Communications Record 2: 546-551.
Chlamtac, I., Conti, M. & Liu, J. J. N. 2010. Mobile ad hoc networking: imperatives
and challenges. Ad hoc networks. 1(1): 13-64.
Chou, C. H., Ssu, K. F. & Jiau, H. C. 2008. Dynamic route maintenance for
geographic forwarding in mobile ad hoc networks. Computer Networks. 52(2):
418-431.
Coico, R. & Sunshine, G. 2009. Immunology: a short course. Wiley-Blackwell. ISBN:
0470081589.
Cox, E. 1992. Fuzzy fundamentals. IEEE Spectrum Magazine. 29(10): 58-61.
Cui, S., Goldsmith, A. J. & Bahai, A. 2005. Energy-constrained modulation
optimization. Wireless Communications, IEEE Transactions on. 4(5): 2349-2360.
Dai, H., Jia, Z. & Qin, Z. 2009. Trust evaluation and dynamic routing decision based
on fuzzy theory for manets. Journal of Software. 4(10): 1091-1101.

Das, S. K., BS Manoj, B. & Ram Murthy, C. S. 2002. A dynamic core based multicast
routing protocol for ad hoc wireless networks. Proceedings of the 3rd ACM
international symposium on Mobile ad hoc networking & computing. 24-35.
Dasgupta, D., Yu, S. & Nino, F. 2011. Recent advances in artificial immune systems:
models and applications. Applied Soft Computing. 11(2): 1574-1587.
Deng, H., Li, W. & Agrawal, D. P. 2002. Routing security in wireless ad hoc
networks. Communications Magazine, IEEE. 40(10): 70-75.
Drozda, M., Schaust, S., Schildt, S. & Szczerbicka, H. 2009. An Error Propagation
Algorithm for Ad Hoc Wireless Networks. Artificial Immune Systems: 260-273.
Drozda, M., Schaust, S. & Szczerbicka, H. 2010. Immuno-inspired knowledge
management for ad hoc wireless networks. Smart Information and Knowledge
Management: 1-26.
e Sousa, C. R. 2001. Dendritic cells as sensors of infection.
Immunity. 14(5): 495-498.
Eriksson, J., Krishnamurthy, S. V. & Faloutsos, M. 2006. Truelink: A practical
countermeasure to the wormhole attack in wireless networks. 14th IEEE
International Conference on Network Protocols. 75-84.
Fanelli, R. 2008a. A hybrid model for immune inspired network intrusion detection.
International Conference on Artificial Immune Systems. 107-118.
Fanelli, R. 2008b. Network threat detection utilizing adaptive and innate immune
system metaphors. ISBN: 0549600434.
Fanelli, R. 2010. Further experimentation with hybrid immune inspired network
intrusion detection. International Conference on Artificial Immune Systems.
264-275.
Feeney, L. M. & Nilsson, M. 2001. Investigating the energy consumption of a wireless
network interface in an ad hoc networking environment. INFOCOM 2001.
Twentieth Annual Joint Conference of the IEEE Computer and
Communications Societies. 1543: 1548-1557.
Forrest, S., Perelson, A. S., Allen, L. & Cherukuri, R. 1994. Self-nonself
discrimination in a computer. IEEE Computer Society Symposium on Research
in Security and Privacy. 202-212.
Gelenbe, E., Lent, R., Montuori, A. & Xu, Z. 2002. Cognitive packet networks: QoS
and performance. 10th IEEE International Symposium on Modeling, Analysis
and Simulation of Computer and Telecommunications Systems. 3-9.

Gerhards-Padilla, E., Aschenbruck, N., Martini, P., Jahnke, M. & Tolle, J. 2007.
Detecting black hole attacks in tactical MANETs using topology graphs. 32nd
IEEE Conference on Local Computer Networks. 1043-1052.
Ghazali, K. W. M. & Hassan, R. 2011. Flooding Distributed Denial of Service
Attacks-A Review. Journal of Computer Science. 7(8): 1218-1223.
Greensmith, J. 2007. The dendritic cell algorithm. University of Nottingham.
Greensmith, J., Aickelin, U. & Cayzer, S. 2005. Introducing dendritic cells as a novel
immune-inspired algorithm for anomaly detection. Artificial Immune Systems:
153-167.
Greensmith, J., Aickelin, U. & Cayzer, S. 2008. Detecting danger: The dendritic cell
algorithm. Robust Intelligent Systems. 12: 89-112.
Greensmith, J., Aickelin, U. & Tedesco, G. 2010. Information fusion for anomaly
detection with the dendritic cell algorithm. Information Fusion. 11(1): 21-34.
Gu, Q., Liu, P. & Chu, C. H. 2007. Analysis of area-congestion-based DDoS attacks in
ad hoc networks. Ad hoc networks. 5(5): 613-625.
Gupta, V., Krishnamurthy, S. & Faloutsos, M. 2002. Denial of service attacks at the
MAC layer in wireless ad hoc networks. 2: 1118-1123 vol. 1112.
Hofmeyr, F. & Forrest, S. 1999. Immunity by design: An artificial immune system.
Proceedings of the Genetic and Evolutionary Computation Conference.
Horikawa, S. I., Furuhashi, T. & Uchikawa, Y. 1992. On fuzzy modeling using fuzzy
neural networks with the back-propagation algorithm. Neural Networks, IEEE
Transactions on. 3(5): 801-806.
A dynamic alternate path QoS enabled routing scheme in mobile ad hoc networks, 1,
14 Cong. Rec. 1-16 (2007).
Intanagonwiwat, C., Govindan, R., Estrin, D., Heidemann, J. & Silva, F. 2003.
Directed diffusion for wireless sensor networking. Networking, IEEE/ACM
Transactions on. 11(1): 2-16.
Iwata, A., Chiang, C. C., Pei, G., Gerla, M. & Chen, T. W. 1999. Scalable routing
strategies for ad hoc wireless networks. Selected Areas in Communications,
IEEE Journal on. 17(8): 1369-1379.
Jacquet, P., Muhlethaler, P., Clausen, T., Laouiti, A., Qayyum, A. & Viennot, L. 2001.
Optimized link state routing protocol for ad hoc networks. IEEE INMIC. 1: 63-68.

Janeway, C. A. 1998. The road less traveled: the role of innate immunity in the
adaptive immune response-presidential address to the American Association of
Immunologists. Journal of Immunology. 161(2): 539-544.
Janeway, C. A., Travers, P., Walport, M. & Capra, J. D. 2001. Immunobiology: the
immune system in health and disease. (Vol. 1): Current Biology. ISBN.
Janeway Jr, C. A. & Medzhitov, R. 2002. Innate immune recognition. Science
Signalling. 20(1): 197.
Jang, J. S. R. 1992. Self-learning fuzzy controllers based on temporal backpropagation.
Neural Networks, IEEE Transactions on. 3(5): 714-723.
Jetcheva, J. G. & Johnson, D. B. 2001. Adaptive demand-driven multicast routing in
multi-hop wireless ad hoc networks. Proceedings of the 2nd ACM international
symposium on Mobile ad hoc networking & computing. 33-44.
Johnson, D. B. & Maltz, D. A. 1996. Dynamic source routing in ad hoc wireless
networks. Mobile computing: 153-181.
Joshi, M. D., Unger, W. J., Storm, G., van Kooyk, Y. & Mastrobattista, E. 2012.
Targeting tumor antigens to dendritic cells using particulate carriers. Journal of
Controlled Release. 161(1): 25-37.
Juels, A. 2006. RFID security and privacy: A research survey. Selected Areas in
Communications, IEEE Journal on. 24(2): 381-394.
Kapitanova, K., Son, S. H. & Kang, K. D. 2011. Using fuzzy logic for robust event
detection in wireless sensor networks. Ad Hoc Networks. 10: 709-722.
Kargl, F., Klenk, A., Schlott, S. & Weber, M. 2005. Advanced detection of selfish or
malicious nodes in ad hoc networks. Security in Ad-hoc and Sensor Networks:
152-165.
Karlof, C. & Wagner, D. 2003. Secure routing in wireless sensor networks: Attacks
and countermeasures. Ad hoc networks. 1(2-3): 293-315.
Karp, B. & Kung, H. T. 2000. GPSR: Greedy perimeter stateless routing for wireless
networks. Proceedings of the 6th annual international conference on Mobile
computing and networking. 243-254.
Kayarkar, H. 2012. A Survey on Security Issues in Ad Hoc Routing Protocols and
their Mitigation Techniques. International Journal of Advanced Networking
and Application. 3(5): 1338-1351.
Khatri, P., Tapaswi, S. & Verma, U. 2010. Fuzzy based trust management for wireless
ad hoc networks. 168-171.

Khoukhi, L. & Cherkaoui, S. 2010. Intelligent QoS management for multimedia
services support in wireless mobile ad hoc networks. Computer Networks.
54(10): 1692-1706.
Kim, J., Bentley, P., Wallenta, C., Ahmed, M. & Hailes, S. 2006. Danger is
ubiquitous: Detecting malicious activities in sensor networks using the
dendritic cell algorithm. Artificial Immune Systems: 390-403.
Klir, G. J. & Yuan, B. 1995. Fuzzy sets and fuzzy logic: Theory and Applications.
Prentice Hall., Upper Saddle River, NJ, USA. ISBN: 0131011715.
Ko, Y. B. & Vaidya, N. H. 2000. Location-Aided Routing (LAR) in mobile ad hoc
networks. Wireless Networks. 6(4): 307-321.
Kurosawa, S., Nakayama, H., Kato, N., Jamalipour, A. & Nemoto, Y. 2007. Detecting
blackhole attack on AODV-based mobile ad hoc networks by dynamic learning
method. International Journal of Network Security. 5(3): 338-346.
Kyewski, B. & Derbinski, J. 2004. Self-representation in the thymus: an extended
view. Nature Reviews Immunology. 4(9): 688-698.
Lee, S., Han, B. & Shin, M. 2002. Robust routing in wireless ad hoc networks.
Parallel Processing Workshops, 2002. Proceedings. International Conference
on. 73-78.
Li, W., Parker, J. & Joshi, A. 2012. Security through collaboration and trust in manets.
Mobile Networks and Applications. 17(3): 342-352.
Liang, Q., Wang, L. & Ren, Q. 2007. Fault-tolerant and energy efficient cross-layer
design for wireless sensor networks. International Journal of Sensor Networks.
2(3): 248-257.
Lima, M., Dos Santos, A. & Pujolle, G. 2009. A survey of survivability in mobile ad
hoc networks. Communications Surveys & Tutorials, IEEE. 11(1): 66-77.
Lodish, H. F., Baltimore, D., Berk, A. & Darnell, J. E. 1995. Molecular cell biology.
WH Freeman New York, NY:. ISBN: 142923413X.
Lopes Gomes, R., Moreira Junior, W., Cerqueira, E. & Jorge Abelém, A. 2011. Using
fuzzy link cost and dynamic choice of link quality metrics to achieve QoS and
QoE in wireless mesh networks. Journal of Network and Computer
Applications. 34(2): 506-516.
Lutz, M. B. & Schuler, G. 2002. Immature, semi-mature and fully mature dendritic
cells: which signals induce tolerance or immunity? Trends in immunology.
23(9): 445-449.

Mahmood, H. & Comaniciu, C. 2009. Interference aware cooperative routing for
wireless ad hoc networks. Ad hoc networks. 7(1): 248-263.
Mahnke, K., Johnson, T. S., Ring, S. & Enk, A. H. 2007. Tolerogenic dendritic cells
and regulatory T cells: a two-way relationship. Journal of dermatological
science. 46(3): 159-167.
Mamdani, E. H. & Assilian, S. 1975. An experiment in linguistic synthesis with a
fuzzy logic controller. International journal of man-machine studies. 7(1): 1-13.
Marina, M. K. & Das, S. R. 2001. On-demand multipath distance vector routing in ad
hoc networks. Network Protocols, 2001. Ninth International Conference on.
14-23.
Marti, S., Giuli, T. J., Lai, K. & Baker, M. 2000. Mitigating routing misbehavior in
mobile ad hoc networks. International Conference on Mobile Computing and
Networking: Proceedings of the 6th annual international conference on
Mobile computing and networking. 6: 255-265.
Matzinger, P. 1994. Tolerance, danger, and the extended family. Annual review of
immunology. 12(1): 991-1045.
Matzinger, P. 2001. Essay 1: the Danger model in its historical context. Scandinavian
Journal of Immunology. 54(12): 4-9.
Matzinger, P. 2002. The danger model: a renewed sense of self. Science Signalling.
296(5566): 301.
Matzinger, P. 2007. Friendly and dangerous signals: is the tissue in control? Nature
immunology. 8(1): 11-13.
McClure, S., Scambray, J., Kurtz, G. & Kurtz. 2005. Hacking exposed: network
security secrets & solutions. McGraw-Hill/Osborne New York. ISBN:
0072260815.
Medzhitov, R. & Janeway Jr, C. A. 2000. How does the immune system distinguish
self from nonself? Seminars in immunology. 12: 185.
Medzhitov, R. & Janeway Jr, C. A. 2002. Decoding the patterns of self and nonself by
the innate immune system. Science. 296(5566): 298-300.
Meisel, M., Pappas, V. & Zhang, L. 2010. A taxonomy of biologically inspired
research in computer networking. Computer Networks. 54(6): 901-916.
Mosmann, T. R. & Livingstone, A. M. 2004. Dendritic cells: the immune information
management experts. Nature immunology. 5(6): 564-566.

Murthy, C. S. R. & Manoj, B. 2004. Ad hoc wireless networks: Architectures and
protocols. Prentice Hall. ISBN: 0132465698.
Murthy, S. & Garcia-Luna-Aceves, J. J. 1996. An efficient routing protocol for
wireless networks. Mobile Networks and Applications. 1(2): 183-197.
Nadeem, A. & Howarth, M. 2009. Adaptive intrusion detection & prevention of denial
of service attacks in MANETs. Proceedings of the 2009 International
Conference on Wireless Communications and Mobile Computing: Connecting
the World Wirelessly. 926-930.
Nguyen, H. L. & Nguyen, U. T. 2008. A study of different types of attacks on
multicast in mobile ad hoc networks. Ad hoc networks. 6(1): 32-46.
NIAIDS, U. S. G. 2003. Understanding the Immune System, How It Works. U.S.
National Institutes of Health.
Ning, P. & Sun, K. 2005. How to misuse AODV: A case study of insider attacks
against mobile ad-hoc routing protocols. Ad hoc networks. 3(6): 795-819.
Oshashi, P. S. & De Franco, A. L. 2002. Making and breaking tolerance. Current
opinion in immunology. 14: 744-759.
Ou, C. M. 2012. Host-based intrusion detection systems adapted from agent-based
artificial immune systems. Neurocomputing. 88(2012): 78-86.
Park, V. D. & Corson, M. S. 1997. A highly adaptive distributed routing algorithm for
mobile wireless networks. INFOCOM'97. Sixteenth Annual Joint Conference of
the IEEE Computer and Communications Societies. Proceedings IEEE. 3:
1405-1413.
Pei, G., Gerla, M. & Hong, X. 2000. LANMAR: landmark routing for large scale
wireless ad hoc networks with group mobility. Proceedings of the 1st ACM
international symposium on Mobile ad hoc networking & computing. 11-18.
Perkins, C. E., Belding-Royer, E. & Das, S. 2003. Ad hoc On-Demand Distance
Vector (AODV) Routing. IETF MANET Internet Draft.
Perkins, C. E. & Bhagwat, P. 1994. Highly dynamic destination-sequenced
distance-vector routing (DSDV) for mobile computers. ACM SIGCOMM Computer
Communication Review. 24(4): 234-244.
Perkins, C. E. & Royer, E. M. 1999. Ad-hoc on-demand distance vector routing. 90-100.

Qualnet Simulator. 1999. Retrieved April, 2012, from http://www.scalablenetworks.com/content/. Access at: 26-12-2010.
Ren, Q. & Liang, Q. 2005. Fuzzy logic-optimized secure media access control
(FSMAC) protocol wireless sensor networks. 37-43.
Royer, E. M. & Toh, C. K. 1999. A review of current routing protocols for ad hoc
mobile wireless networks. Personal Communications, IEEE. 6(2): 46-55.
Sakellari, G. 2011. Performance evaluation of the Cognitive Packet Network in the
presence of network worms. Performance Evaluation. 68(2011): 927-937.
Samar, P., Pearlman, M. R. & Haas, Z. J. 2004. Independent zone routing: an adaptive
hybrid routing framework for ad hoc wireless networks. IEEE/ACM
Transactions on Networking (TON). 12(4): 595-608.
Saqour, R., Shanuldin, M. & Ismail, M. 2007. Prediction schemes to enhance the
routing process in geographical GPSR ad hoc protocol. Mobile Information
Systems. 3(3): 203-220.
Sarafijanovic, S. & Le Boudec, J. Y. 2004. An artificial immune system for
misbehavior detection in mobile ad-hoc networks with virtual thymus,
clustering, danger signal, and memory detectors. Artificial Immune Systems:
342-356.
Sarafijanovic, S. & Le Boudec, J. Y. 2005. An artificial immune system approach with
secondary response for misbehavior detection in mobile ad hoc networks.
Neural Networks, IEEE Transactions on. 16(5): 1076-1087.
Sidhu, D., Fu, T., Abdallah, S., Nair, R. & Coltun, R. 1993. Open shortest path first
(OSPF) routing protocol simulation. ACM SIGCOMM Computer
Communication Review. 23(4): 53-62.
Singh, S., Woo, M. & Raghavendra, C. S. 1998. Power-aware routing in mobile ad hoc
networks. Proceedings of the 4th annual ACM/IEEE international conference
on Mobile computing and networking. 181-190.
Sivakumar, R., Sinha, P. & Bharghavan, V. 1999. CEDAR: a core-extraction
distributed ad hoc routing algorithm. Selected Areas in Communications, IEEE
Journal on. 17(8): 1454-1465.
Sommerville, I. 2004. Software Engineering. International computer science series:
Addison Wesley.
Steinman, R. M. 2000. The dendritic cell advantage: New focus for immune-based
therapies. Drug News Perspect. 13(10): 581.


Stibor, T., Mohr, P., Timmis, J. & Eckert, C. 2005. Is negative selection appropriate
for anomaly detection? Proceedings of the 2005 conference on Genetic and
evolutionary computation. 321-328.
Su, X. & Adviser-Boppana, R. V. 2009. Integrated prevention and detection of
byzantine Attacks in mobile ad hoc networks. The University of Texas at San
Antonio. ISBN: 1109298005.
Su, X. & Boppana, R. V. 2008. Mitigating wormhole attacks using passive monitoring
in mobile ad hoc networks. Global Telecommunications Conference, 2008.
IEEE GLOBECOM 2008. IEEE. 1-5.
T Camp, J. B., V Davies. 2002. A survey of mobility models for ad hoc network
research, in Wirel Commun Mob Comput (WCMC). Special issue on Mobile
Ad Hoc Networking: Research, Trends and Applications. 5(2): 483-502.
Taneja, S. & Kush, A. 2010. A Survey of routing protocols in mobile ad hoc networks.
International Journal of Innovation, Management and Technology. 1(3): 2010-0248.
Twycross, J. & Aickelin, U. 2005. Towards a conceptual framework for innate
immunity. Artificial Immune Systems: 112-125.
Twycross, J. & Aickelin, U. 2006. Libtissue-implementing innate immunity. IEEE
Congress on Evolutionary Computation. 499-506.
Van Phuong, T., Canh, N. T., Lee, Y. K., Lee, S. & Lee, H. 2007. Transmission time-based
mechanism to detect wormhole attacks. Asia-Pacific Service Computing
Conference, The 2nd IEEE. 172-178.
von Mulert, J., Welch, I. & Seah, W. K. G. 2012. Security threats and solutions in
MANETs: A case study using AODV and SAODV. Journal of Network and
Computer Applications.
Wallenta, C., Kim, J., Bentley, P. J. & Hailes, S. 2010. Detecting interest cache
poisoning in sensor networks using an artificial immune algorithm. Applied
Intelligence. 32(1): 1-26.
Wang, D., Hu, M. & Zhi, H. 2008. A survey of secure routing in ad hoc networks.
Web-Age Information Management, 2008. WAIM'08. The Ninth International
Conference on. 482-486.
Wu, S. X. & Banzhaf, W. 2010. The use of computational intelligence in intrusion
detection systems: A review. Applied Soft Computing. 10(1): 1-35.


Xia, H., Jia, Z., Ju, L. & Zhu, Y. 2011. Trust management model for mobile ad hoc
network based on analytic hierarchy process and fuzzy theory. Wireless Sensor
Systems, IET. 1(4): 248-266.
Xia, H., Jia, Z., Li, X., Ju, L. & Sha, E. H. M. 2012. Trust prediction and trust-based
source routing in mobile ad hoc networks. Ad Hoc Networks.
Xie, J., Talpade, R. R., Mcauley, A. & Liu, M. 2002. AMRoute: ad hoc multicast
routing protocol. Mobile Networks and Applications. 7(6): 429-439.
Xu, K., Hong, X. & Gerla, M. 2003. Landmark routing in ad hoc networks with mobile
backbones. Journal of Parallel and Distributed Computing. 63(2): 110-122.
Yao, Z., Jiang, J., Fan, P., Cao, Z. & Li, V. O. K. 2003. A neighbor-table-based
multipath routing in ad hoc networks. Vehicular Technology Conference, 2003.
VTC 2003-Spring. The 57th IEEE Semiannual. 3: 1739-1743.
Yi, P., Dai, Z., Zhang, S. & Zhong, Y. 2005. A new routing attack in mobile ad hoc
networks. International Journal of Information Technology. 11(2): 83-94.
Yih-Chun, H. & Perrig, A. 2004. A survey of secure wireless ad hoc routing. Security
& Privacy, IEEE. 2(3): 28-39.
Zadeh, L. A. 1965. Fuzzy sets. Information and control. 8(3): 338-353.
Zadeh, L. A. 1973. Outline of a new approach to the analysis of complex systems and
decision processes. IEEE Transactions on Systems, Man and Cybernetics. 3(1):
28-44.
Zhang, X., Cheng, S., Feng, M. & Ding, W. 2004. Fuzzy logic QoS dynamic source
routing for mobile ad hoc networks. Proceedings of the 4th IEEE international
conference on Computer and Information Technology (CIT'04). 652-657.
Zhao, Y. 2005. Motion vector routing protocol: A position based routing protocol for
mobile ad hoc networks.


APPENDIX A

LIST OF PUBLICATIONS

[1] Abdelhaq, M., Hassan, R. & Ismail, M. 2013. Performance Evaluation of
Mobile Ad Hoc Networks under Flooding-Based Attacks. International
Journal of Communication Systems. WILEY. DOI: 10.1002/dac.2615.
(Indexed by Scopus & ISI, IF: 0.712).

[2] Abdelhaq, M., Hassan, R. & Ismail, M. 2012. A Study on the Vulnerability of
AODV Routing Protocol to Resource Consumption Attack. Indian Journal of
Science and Technology. 5(11): 3573-3577. (Indexed by Scopus).

[3] Abdelhaq, M., Hassan, R., Ismail, M. & Israf, D. 2011. Detecting Resource
Consumption Attack over MANET using an Artificial Immune Algorithm.
Research Journal of Applied Sciences, Engineering and Technology. 3(9):
1026-1033. (Indexed by Scopus, SJR 0.030).

[4] Abdelhaq, M., Hassan, R. & Alsaqour, R. 2011. Using Dendritic Cell
Algorithm to Detect the Resource Consumption Attack over MANET.
Springer series in Communications in Computer and Information Science.
181(3): 429-442. DOI: 10.1007/978-3-642-22203-0_38. (Indexed by Scopus
& ISI, SJR 0.027).


[5] Abdelhaq, M., Hassan, R., Ismail, M., Alsaqour, R. & Israf, D. 2011. Detecting
Sleep Deprivation Attack over MANET Using a Danger Theory-Based
Algorithm. International Journal on New Computer Architectures and Their
Applications (IJNCAA). 1(3): 534-541.

[6] Abdelhaq, M., Serhan, S., Alsaqour, R. & Hassan, R. 2011. A local intrusion
detection routing security over MANET network. Proceedings of International
Conference on Electrical Engineering and Informatics (ICEEI): 1-6. Bandung,
Indonesia, 17-19 July 2011. DOI: 10.1109/ICEEI.2011.6021809. (Indexed by
Scopus & ISI).


APPENDIX B

SIMULATION SCREENSHOTS

[Simulation screenshot; legend: CBR, RREQ broadcast]

Figure B.1 RREQ broadcasting in AODV. S1: source node number one, D1:
destination node number one, S2: source node number two, D2: destination node
number two


[Simulation screenshot; legend: CBR, RCA CBRs]

Figure B.2 The random distribution of ten attackers. S1: source node number one, D1:
destination node number one, S2: source node number two, D2: destination node
number two, An: attacker number n; n: 1-10


[Simulation screenshot; legend: CBR, RCA flood]

Figure B.3 RCA with 200m radio range. S1: source node number one, D1: destination
node number one, S2: source node number two, D2: destination node number two, An:
attacker number n; n: 1-4


[Simulation screenshot; legend: CBR, RCA flood]

Figure B.4 RCA with 400m radio range. S1: source node number one, D1: destination
node number one, S2: source node number two, D2: destination node number two, An:
attacker number n; n: 1-4
