MAHA ABDELHAQ
2014
DECLARATION
I hereby declare that the work in this research is my own except for quotations and
summaries which have been duly acknowledged.
MAHA ABDELHAQ
P50000
ACKNOWLEDGMENTS
First and foremost, all praise to Almighty Allah for his blessings and patience, as well
as for providing me with good health during this research.
This work is dedicated to the soul of my father, from whom I learned faith,
strength, and determination. This work is also dedicated to my family, especially my
beloved mother, who has shone an everlasting light on my mind and heart. Of course,
this research is dedicated to my husband, Dr. Raed Alsaqour, who not only lives in my
heart, but also shares my thoughts, ideas, and principles in different fields of science. I
am grateful to my husband, who spent so much time guiding me in the best way he
could and surrounding me with care and support.
I am grateful to my great brother, Shawkat Abdelhaq, for his continuous
encouragement, love, and care. I thank my sisters for their unconditional love and
support.
This work is also dedicated to the souls of martyrs (Shohadaa) in my beloved
country, Palestine, and to the Arab revolution martyrs in Tunisia, Libya, Yemen, Syria,
and Egypt. I greatly appreciate the Egyptian Muslim Brotherhood for their struggle
and sacrifice. In particular, I would like to show my appreciation for the legitimate
leader of Egypt, Dr. Mohammad Morsi, who taught me many things that are greater
than the limits of completing my PhD studies and of higher value than merely
obtaining a certificate and work. Dr. Morsi taught me determination, patience, and
persistence to pursue my aspirations to achieve a better life for Arab countries and
Muslim Ummah.
I thank my supervisors, Dr. Rosilah Hassan and Prof. Mahamod Ismail, for
their guidance and support. I also thank Immunologist Prof. Daud Israf of Universiti
Putra Malaysia (UPM) for his assistance and advice. Finally, I thank my research
group for their help and friendship and for creating a pleasant working environment
throughout my years of study in Universiti Kebangsaan Malaysia.
ABSTRACT
Mobile ad hoc network (MANET) is a collection of mobile, decentralized and self-organizing nodes that are used in special cases such as military purposes. MANET properties render its environment vulnerable to different types of attacks, namely black hole, wormhole and flooding-based attacks. Flooding-based attacks are among the most dangerous attacks and could paralyze the functionality of the whole network. In essence, flooding attacks employ a technique that depends on overflowing the network with bogus packets and can be performed through various types of attacks: resource consumption attack (RCA), hello flood, routing table overflow, rushing attacks and exploiting node penalizing schemes. In order to secure MANET from attacks, many researchers have introduced intrusion detection algorithms based on artificial immune systems (AISs). This is because AISs utilize the human immune system (HIS) analogy to introduce efficient, self-defensive and self-organizing algorithms that could meet the challenges of the MANET environment. However, current AIS algorithms lack the generality by which they could secure a standard routing protocol over MANET from a wide range of attack techniques with high accuracy and low false positive rates. In addition, research has paid little attention to introducing an AIS algorithm that could reduce the effect of an attack on the main network performance metrics. The main objective of this research is to develop an efficient, self-defensive and self-organizing computational intelligent algorithm that combines the relevant features of danger theory-based AISs and fuzzy logic theory. This is done by drawing on the detection functionality of dendritic cells (DCs) in the HIS and the accurate decision-making functionality of fuzzy logic theory to introduce an AIS intrusion detection algorithm called the Dendritic Cell Fuzzy Algorithm (DCFA). The proposed algorithm has been tested and verified by detecting a denial of service (DoS) attack, namely RCA, using the QualNet version 5.0.2 simulator over MANET. The research has found that AIS is efficient for developing intrusion detection algorithms with high accuracy and low false positive rates. Moreover, the results show the capability of DCFA to perform the detection operation with high efficiency and effectiveness.
ABSTRAK
A mobile ad hoc network (MANET) is a collection of mobile, decentralized and self-organizing nodes used in special cases such as military use. The properties of MANET expose its environment to various types of attacks such as black hole, wormhole and flooding-based attacks. Flooding-based attacks are among the most dangerous attacks, which can paralyze the functionality of the whole network. In essence, flooding attacks use a technique that relies on overflowing the network with fake packets and can be carried out through several types of attacks, namely resource consumption attack (RCA), hello flood, routing table overflow, rushing attacks and exploiting node penalizing schemes. To protect MANET from attacks, many researchers have introduced intrusion detection algorithms based on artificial immune systems (AISs). This is because AISs use the human immune system (HIS) analogy to introduce efficient, self-defending and self-organizing algorithms that are able to withstand the challenges of the MANET environment. Nevertheless, current AIS algorithms lack the generality that would allow them to secure a standard routing protocol over MANET against a wide range of attack techniques with high accuracy and a low false positive rate. Furthermore, research has paid little attention to introducing an AIS algorithm that can reduce the effect of an attack on the main network performance metrics. The main objective of this study is to develop a lightweight, efficient, self-defending and self-organizing computational intelligence algorithm that combines the relevant features of danger theory-based AISs with fuzzy logic theory. This is done by drawing inspiration from the detection function of dendritic cells (DCs) in the HIS and the accurate decision-making function of fuzzy logic theory to introduce an AIS intrusion detection algorithm called the Dendritic Cell Fuzzy Algorithm (DCFA). The proposed algorithm has been tested and verified by detecting a denial of service (DoS) attack, namely RCA, using the QualNet version 5.0.2 simulator over MANET. The research found that AIS is efficient for developing intrusion detection algorithms with high accuracy and low false positive rates. Moreover, the findings show the capability of DCFA to carry out the detection operation with high efficiency and effectiveness.
TABLE OF CONTENTS
DECLARATION
ACKNOWLEDGMENTS
ABSTRACT
ABSTRAK
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
LIST OF ABBREVIATIONS
LIST OF SYMBOLS
CHAPTER I INTRODUCTION
1.1 Research Background
1.2 Problem Statement
1.3 Research Objectives
1.4 Research Contributions
1.5 Research Scope
1.6 Research Methodology
1.7 Thesis Outline
CHAPTER II LITERATURE REVIEW
2.1 Introduction
2.2 Mobile Ad hoc Network
2.2.1 MANET Characteristics
2.2.2 MANET Routing Protocols
2.3 Security over MANET
2.3.1 Security Primitive
2.3.2 Security Goals
2.3.3 Types of Attacks over MANET
2.4 Studies in the Effects of Attacks over MANET
2.5 The Human Immune System in Biology
2.5.1 Introduction to HIS
2.5.2 The HIS Cells
2.5.3 Innate and Adaptive Immunity
2.5.4 T-Cells
2.5.5 Dendritic Cells
2.5.6 Self Non-Self and Danger Theories
2.6 Fuzzy Logic Theory
2.7 Intrusion Detection Systems
2.7.1 Non Intelligent Intrusion Detection Systems
2.7.2 Intelligent Intrusion Detection Systems
2.8 Summary
CHAPTER III METHODOLOGY
3.1 Introduction
3.2 The Analogy Between MANET and The Innate Immunity
3.3 Danger Theory Model
3.4 Biological Model of Dendritic Cells
3.5 Antigens and Signals
3.5.1 Antigens
3.5.2 Input Signals
3.5.3 Output Signals
3.6 Biological Model of T-Cells
3.7 Ad Hoc on-Demand Distance Vector Routing Protocol
3.8 Vulnerability of AODV to RCA
3.9 Fuzzy Logic Theory
3.9.1 Fuzzification
3.9.2 Fuzzy Rules and Fuzzy Inference
3.9.3 Defuzzification
3.9.4 Fuzzy Logic and DC
3.10 Simulation Environment
3.10.1 Simulation Parameters
3.10.2 Performance Metrics
3.10.3 Simulation Verification
3.11 Summary
CHAPTER IV
4.1
4.2
4.3
4.4
4.5
CHAPTER V
5.1
5.2
5.3
5.4
5.5
CHAPTER VI
6.1
6.2
6.3
6.4
6.5
6.6 Summary
CHAPTER VII
7.1
7.2
7.3
7.4
REFERENCES
APPENDICES
A: List of Publications
B: Simulation Screenshots
LIST OF TABLES
Table 3.5 Simulation parameters
(other entries: Tables 2.1, 2.2, 3.1 to 3.4, 3.6, 5.1 to 5.5 and 6.1)
LIST OF FIGURES
Figure 1.1
Figure 1.2 Research Steps
Figure 2.1
Figure 2.2
Figure 2.3 Information security
Figure 2.4
Figure 2.5 States of DC differentiations
Figures 3.1 to 3.4
Figure 3.5 RCA
Figures 3.6 to 3.8
Figures 4.1 to 4.9
Figure 4.10 Effect of the attackers' radio range and flooding rate on end-to-end delay
Figure 4.11 Effect of the attackers' radio range and flooding rate on energy consumption in each mode
Figure 4.12 Effect of the attackers' radio range and flooding rate on total energy consumed
Figure 4.13 Effect of the attackers' radio range and flooding rate on the retried RREQs
Figure 4.14 Effect of the attackers' radio range and flooding rate on the initiated RREPs
Figure 5.1 DCFA model
Figure 5.2
Figure 5.3 MTList in MT-cells
Figures 5.4 to 5.9
Figures 6.1 to 6.20
Figure 6.21 Effect of the attackers' radio range on energy consumed in transmit mode
Figure 6.22 Effect of the attackers' radio range on energy consumed in receive mode
Figure 6.23 Effect of the attackers' radio range on energy consumed in idle mode
LIST OF ABBREVIATIONS
ABAIS: agent-based AIS
AC: antigens controller
ADMR: adaptive demand-driven multicast routing
Ag: antigen agent
AIS: artificial immune system
AODV: ad hoc on-demand distance vector
AOMDV: ad hoc on-demand multipath distance vector
APC: antigen presenting cell
CBR: constant bit rate
CEDAR: core-extraction distributed ad hoc routing
CGSR: clusterhead gateway switch routing
CIA: confidentiality, integrity and availability
CPN
CREP: confirmation reply
CREQ: confirmation request
CSM: costimulatory molecules
DC: dendritic cell
DCA: dendritic cell algorithm
DCMP
DEAR
DGR
DoS: denial of service
DRM
DSDV: destination-sequenced distance vector
DSR: dynamic source routing
FRREP
FRREQ
FSR: fisheye state routing
G-BDODA
GPS: global positioning system
GPSR: greedy perimeter stateless routing
HIS: human immune system
H-LANMAR
HSR: hierarchical state routing
IDS: intrusion detection system
IL-10: interleukin-10
IL-12: interleukin-12
LAN: local area network
LANMAR: landmark ad hoc routing
LAR: location-aided routing
MAC: medium access control
MANET: mobile ad hoc network
MHC: major histocompatibility complex
MT-cell: memory T-cell
NetTRIIAD
NTBR
NT-cell: naive T-cell
OLSR: optimized link state routing
PAMP: pathogen-associated molecular pattern
PIR: primary immune response
PRR
QoS: quality of service
RCA: resource consumption attack
RP: responding
RPQ
RREP: route reply
RREQ: route request
RTT: round trip time
SID-RS
SIFS: short interframe space
SIR: secondary immune response
SOC
ST-cell: suppressor T-cell
TC agent: T-cells agent
TORA: temporally ordered routing algorithm
TTM
WRP: wireless routing protocol
ZRP: zone routing protocol
FN: false negative
FP: false positive
LIST OF SYMBOLS
E1
E2
E3
P receive
P transmit
P idle
P on
P sp
P tr
Ri: rule number i
T receive
T transmit
T idle
CHAPTER I
INTRODUCTION
1.1 RESEARCH BACKGROUND
In the last few decades, many researchers have focused on the area of mobile ad hoc
network (MANET) as a wireless network with specific features not found in other
types of networks. The decentralization, rapidly deployable topology and open wireless
medium of MANET increase its feasibility for application in rough, unstructured areas,
such as earthquake and war zones. However, these features, as well as the
limitations of MANET (i.e., the sharing of channel bandwidth and the limited
energy of nodes), make this network very vulnerable to different types of attacks.
Although DCA is effective in real-time IDSs, its results register a high false
positive alarm rate and a low detection accuracy rate because it is sensitive to the order
of the detected data. Thus, our research utilizes the danger theory model in
combination with fuzzy logic theory (Zadeh 1965) to propose a new DC fuzzy
intrusion detection algorithm (DCFA). DCFA promises high detection accuracy and a
low false positive rate. The detection accuracy rate and the false positive rate are the main
measurements that indicate the robustness of IDSs. Chapter II, Section 2.5 presents an
overview of HIS in biology to elucidate the importance of the DC biological model in the
human body.
A novel DCFA and its related model are introduced in this study. Using an AIS-inspired
algorithm promises to address the challenges of the MANET environment that
make it vulnerable to attacks. No research has been able to meet the requirements for
the detection of all types of attacks (Deng et al. 2002; Lima et al. 2009; Su & Adviser-Boppana 2009). Thus, DCFA is verified and tested in this study to detect one of the
flooding-based attacks on MANET, namely the resource consumption attack (RCA).
DCFA can be generalized to detect other types of attacks on MANETs.
Figure 1.1 shows an abstract mapping of HIS and MANET. Each message in
MANET represents a pathogen entering the human body. Each node represents the
human body or a part of the human body. Therefore, each node must apply the
proposed algorithm to protect itself from intrusions similar to how each part of the
human body depends on the immune system to protect itself from dangerous
pathogens.
Figure 1.1 Mapping of HIS model and MANET in AIS algorithm. (a) Human immune system (NIAIDS 2003), (b) MANET
1.2 PROBLEM STATEMENT
Securing MANET is a crucial research issue. The properties of MANET impede the
protection of the network's environment against attacks. MANET, as an open area of
wireless mobile nodes, allows external attackers to join the network easily and
masquerade as legitimate nodes (D. Wang et al. 2008). Moreover, the limited bandwidth
of a MANET also renders its nodes vulnerable to isolation and its communications
susceptible to frequent breaks. Furthermore, the lack of centralized authorization and
security cooperation adds to the susceptibility of the entire network to attacks.
MANET is open to many types of attacks. Flooding-based attacks are the most popular
type of attack because such attacks are dangerous and effective (Ghazali & Hassan
2011).
HIS is the basis of the intrusion detection algorithms of AISs. These algorithms
detect different types of attacks. For example, Greensmith introduced a novel danger-based AIS called the dendritic cell algorithm (DCA) to detect port scan attacks over a wired
network (Greensmith et al. 2005; Greensmith et al. 2010). DCA is inspired by the
capability of DCs to receive multiple antigens and signals, as well as to reveal the context
of each antigen. However, fusing the information of multiple signals and
antigens without any association between each antigen and its related signals increases
the percentage of error in the detection operation. Therefore, DCA suffers from high
false positive rates and low accuracy rates. The AISs introduced by Amaral (2011),
Chelly and Elouedi (2010) and Wallenta et al. (2010) depend mainly on the core of
DCA with certain adaptations. The work of Amaral (2011) depends on DCA and
uses fuzzy logic theory instead of the fixed weights used in DCA; the resulting
algorithm is applied to detect faults in analog circuits, which is outside the scope of this
research. Chelly and Elouedi (2010) use fuzzy logic in the final stage of DCA to classify
the antigens after each antigen's context has been decided according to DCA and the
empirical equation applied by Greensmith (2010), and their enhancement has been
applied to detect abnormal behaviours on a specific data set. Wallenta et al. (2010)
applied DCA over wireless sensor networks (WSNs) to detect a flooding-based attack called the cache poisoning attack. As all of the above-mentioned algorithms
depend mainly on DCA, they necessarily suffer from high false positive and low
accuracy rates.
DCFA shares with the previously introduced AIS-based IDSs the inspiration drawn from the DC
biological model in HIS. Antigens and their related signals, which represent the detected
attack and its behaviours, are utilized by DCFA and by the previous works. However,
DCFA makes an association between each antigen and its related signals, which is not
performed in the previous works. Also, DCFA does not depend on or enhance any of
the previous algorithms; it is a standalone hybrid intelligent
algorithm. DCFA combines the relevant features of both danger theory-based
AISs and fuzzy logic theory. Unlike the works in the literature, DCFA utilizes two
main pathways of intrusion detection operation in its AIS part: the primary immune
response pathway (PIR) and the secondary immune response pathway (SIR). The use of
each pathway is controlled by DCFA in order to achieve both high security and high network
performance.
The performance of each intrusion detection algorithm is measured by two
main metrics: the false positive rate and the accuracy rate. Current AIS algorithms produce high
false positive and low accuracy rates (Stibor et al. 2005; Wu & Banzhaf 2010). If an
AIS intrusion detection algorithm mistakenly considers normal node(s) as attacker(s),
those node(s) will be isolated from the network and the false positive rate will
increase. Hence, many normal nodes will be penalized by the AIS intrusion detection
algorithm as intruder nodes. Faulty detection of normal nodes leads to MANET
partitioning and degrades its performance as well. In contrast, if the AIS intrusion
1.3 RESEARCH OBJECTIVES
The core objective of this research is to build a new robust intrusion detection
algorithm for MANET by achieving the following precise objectives:
i.
ii.
iii.
1.4 RESEARCH CONTRIBUTIONS
i. A new RCA attack model and its countermeasure DCFA model have been developed
and added to QualNet v5.0.2 to be implemented over MANET.
ii. New factors have been introduced to implement and analyze RCA over
MANET, specifically a varying number of attackers in combination with the
attackers' positions, and varying attackers' radio range and flooding rate.
iii. A new AIS-based algorithm and its related model have been developed and
evaluated. The model has been added to QualNet v5.0.2 to be tested by both
security and network measurements. Five security performance metrics have
been used to test DCFA, specifically false positive, false negative, true
positive, true negative and accuracy rates. Also, four network performance
metrics have been used to test DCFA: throughput, end-to-end delay,
energy consumption and routing overhead.
1.5 RESEARCH SCOPE
1.6 RESEARCH METHODOLOGY
As shown in Figure 1.2, this research is conducted in five phases. Phase one includes
building a comprehensive literature review from all types of published documents,
such as papers, surveys and books related to the research scope. Phase two includes
conducting a simulation to analyze the effect of flooding-based attacks, RCA in
1.7 THESIS OUTLINE
AODV routing protocol as the underlying routing protocol in this research and its
vulnerability to RCA are also discussed in this chapter. A detailed description of fuzzy
logic theory is presented and the simulation environment design, simulation
parameters and performance metrics employed in the experiments are detailed. The
vulnerability of AODV routing protocol to RCA is discussed comprehensively in
Chapter IV. A set of experiments and a simulation are conducted to determine the
negative effects of RCA on critical network performance metrics.
The formal description of the proposed AIS intrusion detection algorithm
called DCFA is introduced in Chapter V. The capability of the DCFA algorithm to
detect RCA is analyzed in Chapter VI. This chapter also presents the evaluation of the
network performance metrics when DCFA is applied. Finally, Chapter VII provides a
summary of the thesis as well as recommendations for future research.
CHAPTER II
LITERATURE REVIEW
2.1 INTRODUCTION
This chapter reviews the work related to this research. It introduces a
background to MANET and its related topics, such as routing and the special
characteristics of MANET. Security issues over MANET are also explained. In addition, this
chapter summarizes a set of research studies on the effects of attacks over MANET.
Furthermore, it reviews the biological concepts and functions of the HIS and discusses
the previously introduced AIS-based and non-AIS-based intrusion detection
algorithms.
2.2 MOBILE AD HOC NETWORK
2.2.1 MANET Characteristics
Many recent studies pay attention to MANET as a new technology with
specific characteristics that distinguish its environment from other types of
networks. These characteristics are as follows (Çayırcı & Rong 2009;
von Mulert et al. 2012; D. Wang et al. 2008):
2.2.2 MANET Routing Protocols
Any algorithm introduced over MANET, whether for routing or for security, should deal
efficiently with a set of aspects. It should perform distributed computing in each
node in a decentralized, self-organizing and self-healing manner. At the same time, the
algorithm over MANET should adjust its functionality to transfer data over limited
bandwidth using a limited amount of energy (Alotaibi & Mukherjee 2011).
In previous years, routing protocols were classified, based on the routing information
updating mechanism, into two main categories: reactive and proactive routing
protocols.
At present, the scalability problem that arises when using a high number
of disseminated nodes, the need to deal with the limited battery power of the mobile
nodes, and the continuous attempts to enhance the previously
introduced routing protocols have all led to new categories of routing protocols over
MANET, as shown in Figure 2.2 (Boukerche et al. 2011).
In reactive (or on-demand) routing protocols, the source node requests a route to
the destination node, when needed, by flooding route request packets through its
neighbors in a stage called route discovery. The source node may request only one path
(uni-path) to the destination node, as in the AODV routing protocol.
2.3 SECURITY OVER MANET
The information security as shown in Figure 2.3 is categorized into two main
branches: computer security and communication security. Computer security protects
the host from both the hardware and software intrusions, such as damaging hardware
components and worms or viruses that violate the security services in each part
respectively. Communication security protects the link from passive and active
attacks.
Communication security is divided into two subcategories: transmission
security and emanation security. Transmission security, which is the scope of this
research, is defined as securing the transmitted data from being revealed to
unauthorized users and securing the link services from being disrupted. Emanation
security secures visual and audio information from being revealed to receivers
(Çayırcı & Rong 2009).
In any secured system, adding more security functions means adding more
overhead (Sommerville 2004). In MANET this poses a big challenge that may
degrade the network performance. Therefore, securing MANET through lightweight functions
that achieve the intended security goals is very important. It is worth noting that no
system in the world is 100% secure.
2.3.1 Security Primitives
Intrusion detection systems form a line of defence that captures any malicious
action trying to violate one of the security services. The following intrusion detection
categories are well known as being used in any intrusion detection technique (Brutch
& Ko 2003):
- Signature detection: this technique aims to keep all of the well-known attacks
in its database so that it can accurately and effectively detect any encountered
attack. However, this technique fails to detect newly invented attacks.
- Anomaly detection: this technique uses a normal profile for each calculated
parameter, which is updated at each period of time. When an abnormal
parameter enters the system, a large enough deviation from the profile can reveal the
existence of an attack. The strength of this technique is its ability to detect
even newly invented attacks. However, it may produce high rates of false
positive alarms.
2.3.2 Security Goals
Security is an important aspect of wireless ad hoc networks, especially for the more
sensitive applications in military and critical tactical wireless networks. To the best of
our knowledge, no research has so far achieved a fully secured MANET that is
protected against all types of attacks (Greensmith 2007; Su & Adviser-Boppana
2009).
However, security systems do their best to fulfil as many of the security goals
as they can. The goals of security are to achieve the following
services (Çayırcı & Rong 2009; Juels 2006; Su & Adviser-Boppana 2009):
- Access control: protects the nodes and the network resources from being
accessed by unauthorized users.
- Integrity: protects the messages transmitted through the link from being
changed along their path by malicious nodes, so they have to be delivered with
the same contents as they were sent by the source node.
- Authorization: gives the claimed node the right to either modify the
information or receive it. It is achieved through the integrity and authentication
services.
- Non-repudiation: ensures that the source node of the message is the one who
really sent it and not someone else.
- Freshness: prevents a malicious node from resending spoofed packets and
renewing the intrusion.
2.3.3 Types of Attacks over MANET
There are many types of attacks that form a real threat when applied to MANET; each
type of attack differs from the others in the way the threat is applied, the goal of the
attack and the stack layer targeted by the attacker. A summary of the
MANET attacks is shown in Figure 2.4. Some attacks are passive and others are
active. Active attacks may be internal or external. In an internal attack the
attacker is located inside the attacked MANET, which is dangerous because the attacker is
initially considered a trusted node. In an external attack
the attacker comes from outside the MANET, so it is easier to detect as it
is not trusted. Passive attacks are performed only internally.
Passive attack: in this type of attack, the intruder only performs some kind of
monitoring on certain connections to get information about the traffic without
injecting any fake information. This type of attack serves the attacker to gain
information and to fingerprint the invaded network in order to apply a subsequent
attack successfully. The types of passive attacks are eavesdropping and traffic
analysis (Çayırcı & Rong 2009); each one is explained as follows:
Active attack: in this type of attack, the intruder performs an effective violation
of either the network resources or the transmitted data; this is done by causing
routing disruption, network resource depletion and node isolation. Below is a list
of active attacks with a brief explanation of each type. Some active attacks depend
on a mechanism of flooding bogus packets to achieve their purposes. The last six
attacks in the list are examples of flooding-based attacks over MANET. All of the
listed attacks lead to a DoS attack when launched over MANET.
- Black hole: the intruder injects the control routing packets with fake
information in order to attract the node that requested the route and hence gain
that route. After the intruder acquires the route, it can apply
different types of attacks such as dropping and modifying packets (von Mulert
et al. 2012; Yih-Chun & Perrig 2004).
- Gray hole: the same as the black hole attack; however, once the intruder succeeds in
controlling the route, it selectively drops and modifies packets (D. Wang
et al. 2008).
- Dropping packets: the intruder simply drops packets in the network
destined for the target node. If it performs selective dropping, it is
harder to detect (Baadache & Belmehdi 2012).
- Sybil: in this attack, the intruder masquerades under the identity of multiple
nodes.
- Selfishness: in this attack, the intruder does not relay the packets it receives from
others and forces the other nodes into long back-offs at the
medium access control (MAC) layer so that it can use the link at any time (Çayırcı &
Rong 2009; Kargl et al. 2005).
- Detour: in this attack, the intruder creates virtual nodes on the optimal routes
so that they appear longer and costlier than the other, non-optimal routes; this forces the
nodes to wrongly use a non-optimal route (Çayırcı & Rong 2009).
- Rushing: in this attack, the intruder broadcasts route request and reply
packets very quickly in order to make the nodes discard any other control
packet in the network (von Mulert et al. 2012; Yih-Chun & Perrig 2004).
- Routing table overflow: in this attack, the intruder overflows the nodes'
routing tables with fake routing information (D. Wang et al. 2008).
- Hello flood: in this attack, the intruder broadcasts hello messages to all the
network nodes using strong enough transmit power to be wrongly considered as their
neighbour (Çayırcı & Rong 2009).
- RCA: also called the sleep deprivation attack; it is explained extensively
in Section 3.8.
2.4 STUDIES IN THE EFFECTS OF ATTACKS OVER MANET
Studying the effect of a certain attack over MANET reveals the strengths
and weaknesses of that attack. Therefore, this stage of study is considered a prerequisite
to the stage of developing a countermeasure to the attack's threats. The following
studies investigated the effect of a certain attack over MANET.
Gupta et al. (2002) studied the effects of flooding attacks on the
802.11 MAC protocol. They measured the effects of such attacks on the throughput of
legitimate nodes. The legitimate nodes located one hop from the attackers are affected
to a much higher degree than those at two hops or more, because the one-hop
neighbours of the attackers lose almost their entire throughput under the suppression
caused by the flooding.
In (Gu et al. 2007), Gu et al. analyzed the effect of the distributed denial of
service (DDoS) attack on the throughput of legitimate nodes in MANETs. They
examined the effect of remote and local flooding attacks and found that remote
flooding more effectively damages MANETs than does local flooding.
Yi et al. (2005) investigated the effect of executing
RCA over the AODV routing protocol and used the packet delivery ratio as the only
performance metric. They observed that at a flooding rate of 30 RREQs/s,
the RCA attackers decrease the packet delivery ratio by about 97%, whereas at a 20 RREQs/s
flooding rate the attackers decrease it by about 50%.
Ning and Sun (2005) introduced a systematic analysis of
the AODV routing protocol under different attack actions. They explained how each
action is executed on each routing packet in AODV and the goal(s) achieved by
manipulating the protocol. The study is useful for researchers interested in
designing secure routing protocols, but the authors tested only one attacker.
Furthermore, they did not consider the vulnerability of AODV to the RREQ packet
flooding attack, which strongly threatens the power capacity of the network's batteries.
In (Nguyen & Nguyen 2008), the authors simulated the effect of four types of
attacks, namely, rushing, black hole, neighbor and jellyfish attacks, on MANET. They
applied the attacks over the on-demand multicast routing protocol and found that as
the number of attackers increases, network performance decreases in all the four types
of attacks. They also determined that increasing the number of sender groups in
multicast routing protocols supports robustness and security.
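The anomaly-detection approach from Section 2.3.1 (a normal profile per parameter and a deviation threshold) applied to the RREQ flooding rates reported in the studies above, as an added example that is not part of this thesis or its DCFA model: a per-node RREQ-rate detector run over a constructed AODV-style control-packet trace and scored with the false positive, false negative, true positive, true negative and accuracy rates listed under the research contributions. The node ids, the 30 RREQs/s flood, the bursty legitimate node and the thresholds are assumptions; 10 RREQs/s is the RREQ_RATELIMIT value defined for AODV in RFC 3561.

```python
"""Rate-based detection of an RREQ flooding (RCA) node on an AODV-like trace,
scored with the five security metrics used in this thesis.
Added example with a constructed trace; not the thesis's DCFA implementation."""
from collections import defaultdict

ATTACKER = 7  # assumed node id of the RCA attacker in the constructed trace


def build_trace(duration_s=10, flood_rate=30, attacker=ATTACKER,
                normal_nodes=(1, 2, 3, 4, 5), bursty_node=5):
    """Return a constructed, time-sorted list of (time_s, node_id, packet_type).

    Normal nodes start one route discovery every few seconds; one of them also
    retries a failed discovery with 4 RREQs inside a single second, which a
    too-low threshold misreports as an attack; the attacker floods RREQs at
    flood_rate per second for the whole run.
    """
    events = []
    for n in normal_nodes:
        t = 0.1 * n
        while t < duration_s:
            events.append((round(t, 3), n, "RREQ"))
            t += 2.0 + 0.25 * n
    for k in range(4):  # legitimate retry burst: 5.0, 5.2, 5.4, 5.6 s
        events.append((round(5.0 + 0.2 * k, 3), bursty_node, "RREQ"))
    for k in range(duration_s * flood_rate):  # the RCA flood
        events.append((round(k / flood_rate, 3), attacker, "RREQ"))
    # route replies must be ignored by an RREQ-rate detector
    events.append((1.5, 2, "RREP"))
    events.append((3.5, 4, "RREP"))
    events.sort()
    return events


def rreq_counts_per_interval(events, interval_s=1.0):
    """Map node_id -> {interval_index: RREQ count}, counting only RREQ packets."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, node, ptype in events:
        if ptype == "RREQ":
            counts[node][int(t // interval_s)] += 1
    return {node: dict(per_interval) for node, per_interval in counts.items()}


def peak_rreq_rate(counts):
    """Map node_id -> the highest RREQ count it produced in any single interval."""
    return {node: max(per_interval.values()) for node, per_interval in counts.items()}


def detect_flooders(counts, threshold):
    """Anomaly rule: a node whose RREQ count in any interval exceeds the
    threshold deviates too far from the normal profile and is flagged."""
    return {node for node, peak in peak_rreq_rate(counts).items() if peak > threshold}


def security_metrics(flagged, attackers, all_nodes):
    """Per-node TP/FP/FN/TN counts plus accuracy, false positive rate and
    false negative rate, computed against the ground-truth attacker set."""
    tp = len(flagged & attackers)
    fp = len(flagged - attackers)
    fn = len(attackers - flagged)
    tn = len(all_nodes - flagged - attackers)
    return {
        "TP": tp, "FP": fp, "FN": fn, "TN": tn,
        "accuracy": (tp + tn) / len(all_nodes),
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "false_negative_rate": fn / (fn + tp) if fn + tp else 0.0,
    }


def evaluate(threshold, flood_rate=30):
    """Run the detector on the constructed trace and score it."""
    events = build_trace(flood_rate=flood_rate)
    counts = rreq_counts_per_interval(events)
    all_nodes = {node for _, node, _ in events}
    flagged = detect_flooders(counts, threshold)
    return flagged, security_metrics(flagged, {ATTACKER}, all_nodes)


if __name__ == "__main__":
    # threshold 3 catches the flood but also the retrying node (one false
    # positive); threshold 10 catches only the attacker.
    for threshold in (3, 10):
        flagged, metrics = evaluate(threshold)
        print(f"threshold {threshold:>2} RREQ/s: flagged {sorted(flagged)} -> {metrics}")
```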
2.5 THE HUMAN IMMUNE SYSTEM IN BIOLOGY
As immunology provides a wealth of biological models and concepts from which
computer scientists draw inspiration for their AIS algorithms, it is important to
understand HIS in biology; this section provides that background for any
subsequent discussion of AIS algorithms in this research.
2.5.1
Introduction to HIS
The HIS is considered a network of cells, molecules, tissues and organs (some of which are lymph
nodes) that cooperate with each other to protect the human body from invaders.
In biology, human body invaders are termed pathogens and antigens. Pathogens are
defined as the microbes that cause disease in the human body, such as bacteria,
viruses, parasites and fungi, whereas antigens are the molecules or protein segments
(peptides) of pathogens. The HIS can recognize pathogens through their correlated
antigens. Each antigen has a specific structure and hence forms a specific pattern to be
detected and processed by the HIS. As a consequence, the HIS can recognize the related
pathogen and decide either to tolerate or to fight that pathogen (Janeway et al.
2005; NIAIDS 2003).
2.5.2
In biology, cells are the main structural units that build all of the human body
systems, such as the digestive, immune, lymphatic and cardiovascular systems. In any organ
system, cells of a specific functional type are congregated to form a particular tissue.
In the same way, a collection of tissues with the same characteristics forms a specific organ,
and a group of organs that cooperate in the same function work together in one
biological system such as the HIS.
Cells in the HIS interact continuously with the environment of the human body tissues
on one side and with each other within the immune system on the other
side. Each cell has receptors, which are proteins bound to the outer membrane of the
cell. These receptors have the capability to recognize various types of incoming
molecules from body tissues in a lock-and-key manner. The binding between a certain
receptor and a molecule is called affinity, which reflects how strong the binding is.
This affinity causes receptor activation, which leads to many changes in the cell's
metabolism, morphology and functionality.
A molecule reacts with a certain receptor through its epitope portion, whilst the
receptor reacts through its paratope portion. Molecules that are secreted
by body tissues and control cell behaviour are called cytokines, whereas those that
cause immune cells to move and migrate are called chemokines (Alberts 2002; Lodish
et al. 1995). Cells in the HIS are divided into two main categories: phagocytes (or antigen
presenting cells (APCs)), such as DCs, granulocytes and macrophages, in the innate
immunity, and lymphocytes, such as T-cells and B-cells, in the adaptive immunity
(NIAIDS 2003). This requires explaining the two main cooperative HIS subsystems in
subsection 2.5.3.
2.5.3
The HIS is usually divided into two main subsystems, innate immunity and adaptive
immunity, each of which has specific functions and characteristics. Specifically,
innate immunity specializes in identifying the general pattern of the incoming
pathogens and inducing the adaptive subsystem to determine an exact response (either
T-CELLS
All of the human body's cells are born from stem cells originating in the bone marrow
through a stimulation operation. T-cells are born in the same way; however, they do not
remain static in the HIS but undergo a cyclic differentiation in response to the
incoming signals (molecules). For example, when T-cells receive signals, this induces
their capability to produce cytokines and to differentiate. These cytokines may also
influence other cells to differentiate, such as B-cells in the adaptive immunity.
T-cells mature in a lymph node called the thymus. In the thymus,
T-cells go through two main maturation operations: positive selection and negative
selection. These operations are performed on T-cells in order to protect the human
body from autoimmunity. In other words, these operations filter the T-cells to prevent
them from binding with any of the human body's antigens (self antigens). In positive
selection, T-cells that show a weak binding with non-self antigens are killed. In
negative selection, T-cells that show a strong binding with self antigens are killed
(Kyewski & Derbinski 2004).
After the maturation stage, T-cells are termed naive T-cells, since they have
never met the antigens that can bind with their receptors. This type keeps moving
through the lymphatic and cardiovascular systems and the body tissues until they encounter DCs
in the lymph nodes, as explained in the forthcoming subsection.
2.5.5
Dendritic Cells
DCs have three main differentiation states: immature, semi-mature and mature. When
immature DCs receive enough input signals, they become either semi-mature or
mature DCs, depending on the concentration of specific types of these input signals.
Immature DCs receive four types of input signals: PAMP, danger, safe and
inflammation signals. PAMP signals strongly indicate the existence of an infectious
pathogen. Danger signals are released by necrotic cells, which are human body cells
under stress or dying abnormally, whereas safe signals are released by apoptotic cells, which
are healthy cells or cells that die in a normal way. Inflammation signals are released as
a result of an increase in the cells' temperature caused by an unhealthy state or
infection. DC input signals are divided into endogenous and exogenous signals.
Endogenous signals are those released by the cells of the body itself, such as safe,
danger and inflammation signals, whereas exogenous signals are the signals released
by the microbes that enter the human body from the outside environment; an
example of this type is PAMP signals (Dasgupta et al. 2011).
When immature DCs are exposed to these input signals, the concentration of
each signal controls their next terminal differentiation state (either mature or semi-mature
DCs). For example, if the concentration of the received PAMP and danger
signals is greater than that of the safe signals, the immature
DCs differentiate into mature DCs. PAMP and danger signals cause the receiving immature DCs to
process their contents and produce a certain cytokine called interleukin-12 (IL-12). Also,
PAMP and danger signals induce immature DCs to produce costimulatory molecules
(CSM), also called CD80/86 in biology. The CSM signal simplifies the process of antigen
presentation to the T-cells in the lymph nodes. Conversely, if the concentration of safe
signals is greater than that of PAMP and danger signals, then the immature DCs
differentiate into semi-mature DCs, and in this case the safe signals are responsible for producing
interleukin-10 (IL-10). Additionally, safe signals induce the DCs to produce CSM
signals, just as PAMP and danger signals do. Therefore, the received input
signals indicate the behavioural context of the digested antigens, i.e., whether they are benign
or malignant.
Figure 2.5 pictures the three differentiation states of DCs. Although DCs have the
same receptor structure in the three differentiation states, they differ in their
morphology. As can be seen in Figures 2.5 (b) and (c), semi-mature and mature DCs have
wider surfaces than immature DCs. The reason is that a wider surface increases the
capability of both mature and semi-mature DCs to expose their receptors and bind with
T-cell receptors when they encounter them in the lymph nodes.
Figure 2.5 States of DC differentiations. (a) immature, (b) semi-mature, (c) mature
(Greensmith et al. 2010)
When immature DCs collect antigens from tissue, the antigens are
digested into small segments of proteins called peptides. The major histocompatibility
complex (MHC) helps in presenting the peptides on the surface of the DCs,
forming a peptide-MHC combination, so that they can be easily recognized by T-cells. When immature DCs have been exposed to certain amounts of signals, they
migrate to the lymph nodes, in which they encounter naive T-cells (NT-cells). The
capacity of each immature DC for antigens and signals, as well as the concentration of the
external signals that causes immature DCs to migrate, are still ambiguous issues in
immunology (Greensmith 2007).
Activation of T-cells in the lymph node needs two signals to take place. The
first signal occurs when the T-cell epitopes bind with the peptide-MHC on the surface
of the DCs, in both the danger and the safe case. The second signal is either
emitted by the fully mature DCs as IL-12 to stimulate the T-cell to fight in the
danger state, or emitted by the semi-mature DCs as the cytokine IL-10 to suppress the
naive T-cell in the safe state (Bretscher 1999; e Sousa 2001; Oshashi & De Franco
2002).
The communication between DCs and T-cells is an example of the co-stimulation concept applied by the immune system. Through co-stimulation, HIS cells
pass through a path of changes and may produce a population of cells to fight against the
incoming danger. For instance, when naive T-cells bind with mature DCs and receive
IL-12, they pass through a set of differentiation processes termed clonal
expansion. The clones are then differentiated into memory T-cells (MT-cells) and
suppressor T-cells (ST-cells). One type of effector T-cell, the cytotoxic T-cell,
is responsible for killing the incoming pathogen. MT-cells memorize the
recognized malignant pathogen so as to mount a quick fighting response against that pathogen as
soon as it is detected in the body tissues. This type of quick and effective reaction to
the pathogens is called the secondary immune response (SIR). However, if the immune
system needs to learn that pathogen through a long process of collection and activation,
this is termed the primary immune response (PIR) (Janeway et al. 2005).
2.5.6
In (Forrest et al. 1994), the authors proposed the self non-self discrimination theory that
has been considered the essential basis for AIS to detect intrusions. Some up-to-date
studies still believe in its correctness, and some follow its competitor, the danger theory
proposed by Matzinger (1994, 2001, 2002 and 2007). In self non-self, the HIS
tolerates all of the self antigens and fights against all of the non-self ones. Negative
selection is the main operation in the self non-self theory. In negative selection, the T-cells that match self antigens are killed, and hence the remaining T-cells are
considered detectors for the non-self antigens. Applying negative selection in AIS
results in a scaling problem that leads to increased false positive and
false negative alarm rates.
Danger theory takes the decision to fight the antigen if the danger state
exists. So, unlike self non-self, in danger theory the state of danger or safety that
reflects the antigen's behaviour is the basic discrimination rule for deciding whether it is
normal or an attacker. Danger theory is more efficient because not all self antigens are
stable and safe to be tolerated, and not all foreign antigens are harmful; for example,
some types of bacteria are useful for making vitamin K for the body. Also, according to
Matzinger (1994), there is an ambiguity in the exact definition of self and non-self. In real life, the human immune system does not tolerate the whole self set and
attack the whole set of non-self. The theory has been developed over the years 2001,
2002 and 2007 (Matzinger 1994, 2001, 2002, 2007). A biological example of the
danger theory model is the interaction between DCs and naive T-cells.
2.6
Fuzzy logic theory (Cox 1992) offers a natural way of representing and reasoning with
human knowledge involving uncertainty and ambiguity. Fuzzy logic was introduced
by Zadeh, a professor of computer science at the University of California, in 1965.
Zadeh's fuzzy logic theory (Zadeh 1965) provides a robust mathematical model for
dealing with inaccurate real-world data. This theory can be used as a general
methodology to incorporate knowledge, heuristics or theory into controllers and
decision makers. Zadeh presented the concept of fuzzy logic as a mathematical model
to represent human thought. Fuzzy logic is basically a multi-valued logic that allows
intermediate values to be defined between conventional values like cool and hot.
Notions like freezing, cool, warm or hot can be formulated mathematically and
processed by computers. In this way, an attempt is made to apply a more human-like
way of thinking to the programming of computers and the control of systems.
MANETs are complex and dynamic environments with a substantial number of
uncertainties associated with network and environmental parameters. Moreover,
MANETs are subject to unexpected overloads and failures, and they defy accurate
analytical modelling. Therefore, fuzzy logic appears to be a promising approach to
address many important aspects of current complex MANETs. Numerous fields have
taken advantage of the properties of fuzzy logic. In MANETs, fuzzy logic has been used to
improve decision-making, reduce resource consumption and increase performance. In
addition, fuzzy logic has been used to adaptively optimize protocol parameters more
accurately and dynamically. Areas in which fuzzy logic has been applied include
QoS-based routing (Huang et al. 2007; Khoukhi & Cherkaoui 2010; Lopes Gomes et
al. 2011; Xia et al. 2012; Zhang et al. 2004), energy-aware routing (Chang et al.
2006a, 2006b; Liang et al. 2007), security (Dai et al. 2009; Kayarkar 2012; Khatri et
al. 2010; Xia et al. 2011) and MAC protocols (Ren & Liang 2005).
2.7
This section sheds light on two categories of IDSs: firstly, the non-intelligent
IDSs, presented in subsection 2.7.1, and secondly, the intelligent IDSs, presented in
subsection 2.7.2. Subsection 2.7.1 discusses many techniques that have been
introduced to overcome specific types of attacks launched over a specific protocol
layer (e.g. the network layer or the data link layer). In subsection 2.7.2, the historical
development of some of the best known AIS intrusion detection algorithms and frameworks
is thoroughly explained. As AIS-based IDSs are newly developed, few studies
have applied this type of IDS over MANET. Therefore, some of the mentioned
algorithms have been developed over wired networks, some are applicable over
MANET and only one (to the best of our knowledge) has been applied over
WSNs.
2.7.1
Ping et al. (2006) presented a flooding-based attack called the Ad Hoc Flooding Attack
(AHFA). In AHFA, the intruder broadcasts a high rate of RREQ packets towards certain
targeted nodes over MANET in order to consume their energy and the network
bandwidth. The authors proposed a simple mechanism to detect such an attack, called
Flooding Attack Prevention (FAP). In FAP, each node calculates the rate at which it receives
RREQ packets from each node; if that rate exceeds a certain threshold, it refuses to deal
with the requests coming from the intruder. In this work, the authors tested their
proposed mechanism using only one network performance metric, the packet
delivery ratio. Accordingly, the mechanism improves the packet delivery ratio by only
30% compared with the case of zero protection under the effect of AHFA. The
mechanism fails when the attacker changes its IP address each time it floods its
faked RREQs, as it then cannot be detected by the proposed FAP.
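The FAP rate check described above, as an added Python illustration that is not the authors' code: a node keeps a per-source sliding window of RREQ arrivals and refuses a source once its rate exceeds a threshold, replayed over a constructed trace that also contains the address-changing case the text notes FAP misses. The threshold, window length, trace format and all addresses are assumptions.

```python
"""Per-source RREQ rate limiting in the style of FAP.

Added illustration, not the code of Ping et al.: a node keeps a sliding window of
RREQ arrival times per source address and refuses further requests from a source
whose rate exceeds RREQ_RATE_LIMIT. Threshold, window, trace format and all
addresses are constructed assumptions for this example.
"""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

RREQ_RATE_LIMIT = 10   # assumed: more than 10 RREQs per window from one source is a flood
WINDOW_SECONDS = 1.0   # assumed window length

TRACE_RE = re.compile(r"t=(?P<t>[0-9.]+) src=(?P<src>\S+) RREQ")


class FapMonitor:
    """Sliding-window RREQ counter kept by one legitimate node."""

    def __init__(self, limit: int = RREQ_RATE_LIMIT, window: float = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.arrivals: Dict[str, Deque[float]] = defaultdict(deque)
        self.denied: Set[str] = set()

    def on_rreq(self, t: float, src: str) -> bool:
        """Record one RREQ; return True if the node should still process requests from src."""
        if src in self.denied:
            return False
        recent = self.arrivals[src]
        recent.append(t)
        while recent and t - recent[0] > self.window:   # drop arrivals outside the window
            recent.popleft()
        if len(recent) > self.limit:
            self.denied.add(src)   # FAP: stop dealing with this source's requests
            return False
        return True


def parse_trace(lines: List[str]) -> List[Tuple[float, str]]:
    """Extract (time, source) pairs from constructed trace lines; other lines are ignored."""
    events = []
    for line in lines:
        match = TRACE_RE.search(line)
        if match:
            events.append((float(match.group("t")), match.group("src")))
    return sorted(events)


def run_fap(lines: List[str], limit: int = RREQ_RATE_LIMIT) -> Dict[str, object]:
    """Replay a trace through one FapMonitor and report what was processed or denied."""
    monitor = FapMonitor(limit=limit)
    processed: Dict[str, int] = defaultdict(int)
    for t, src in parse_trace(lines):
        if monitor.on_rreq(t, src):
            processed[src] += 1
    return {"processed": dict(processed), "denied": sorted(monitor.denied)}


def make_trace() -> List[str]:
    """Constructed trace: a legitimate node at 3 RREQ/s, a flooder at 30 RREQ/s from one
    address, and a flooder at 30 RREQ/s that changes its source address every five packets."""
    lines = [f"t={i / 3:.3f} src=10.0.0.2 RREQ" for i in range(9)]
    lines += [f"t={i / 30:.3f} src=10.0.0.9 RREQ" for i in range(60)]
    lines += [f"t={i / 30:.3f} src=10.0.1.{1 + i // 5} RREQ" for i in range(60)]
    return lines


if __name__ == "__main__":
    result = run_fap(make_trace())
    print("denied sources:", result["denied"])
    for src, count in sorted(result["processed"].items()):
        print(f"{src:12} processed {count:3d} RREQs")
```

The fixed-address flooder is refused after its eleventh request in the window, while every rotating address stays under the threshold and all 60 of its requests are processed, which is the gap the text describes.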
Liu and Shen (2007) proposed a mechanism to mitigate the flooding attack, which
causes denial of service to the normal nodes in MANET. According to the
proposed mechanism, each legitimate node has to monitor its neighbours and the
traffic coming from each of them. Consequently, each legitimate node should arrange
its buffer by giving a certain partition or space to each neighbour. For example, if a legitimate
node has n neighbours, it should give only 1/n of its buffer space to each. If the
legitimate node receives more than 1/n from any of the neighbours, it simply
discards the packets coming from that neighbour. This mechanism fails in the mobile
environment of MANET because it does not distinguish between the identities of
legitimate neighbours and attackers. If a group of attackers keep
moving among legitimate nodes, they will have a buffer space in each legitimate
node to inject their flood of faked packets and will succeed in exhausting the network
resources.
Venkataraman et al. (2009) proposed a trust-based mechanism through which
each legitimate node classifies its neighbouring nodes into three levels of
trustworthiness: friends (most trusted), acquaintances (trusted) and strangers (not trusted).
This classification is done according to certain parameters without using any
intelligent method. The parameters considered are the ratio of packets forwarded by a
neighbour to the packets sent to it, the average response time of the neighbour
to route requests, and the number of intact packets received from that neighbour
compared with the total number of packets received. This mechanism fails in the same
failure scenarios as the watchdog described below.
Kim and Song (2010) proposed a period-based defence mechanism (PFM) to
detect the flooding attack, which floods request packets and data packets in order to
exhaust network resources such as bandwidth and the nodes' power capacity. In this
mechanism, each legitimate node calculates the deviation of each received
packet from the average reception in each period of time. The packets that exceed a
certain deviation threshold are blacklisted for that period of time. A
blacklisted packet is then discarded and not forwarded in the next period of time. The
blacklisted packets are recalculated in each period of time, which adds computational
overhead to the system and gives the attacker a new chance to inject its flood of faked
packets.
Marti et al. (2000) introduced the watchdog, which detects the packet dropping attack
at the data link layer. The watchdog overhears whether or not the neighbouring node
forwards the sent packet to the next-hop node. This method of overhearing consumes
the nodes' limited power in MANET. The method also fails when a collision occurs,
or when the malicious node adjusts its transmission power so that its range includes the previous node but not
the next one.
Lee et al. (2002) applied intrusion detection over the DSR routing protocol to
detect the black hole attack. The method requires the intermediate node to send a route
confirmation request (CREQ) packet to the next-hop node downstream. When
the next-hop node receives the CREQ packet, it checks its cache for a route to the
destination. If it has one, it sends a route confirmation reply (CREP), carrying its route
information, to the source node. The source judges the validity of the route in the RREP packet
previously received by comparing its contents with the one in the received CREP
packet. This method is simple and accurate; however, it causes high routing overhead,
which degrades the network throughput and performance.
Eriksson et al. (2006), Phuong et al. (2007), Su and Boppana (2008) and Su
(2009) proposed time-based wormhole intrusion detection techniques. True-link
(Eriksson et al. 2006), which applies its detection technique at the MAC layer, is applicable,
as it is based on a widely used protocol with some extensions. However, there is no
flexibility in the timeout, which is equal to the short inter-frame space (SIFS), as
stated by True-link. As a result, a false positive alarm may arise if there is
congestion or traffic load on the link.
The transmission time-based mechanism (TTM) (Van Phuong et al. 2007) depends
on the round trip time (RTT) to detect the wormhole attack. TTM is a simple and
accurate technique that can locate the position of the wormhole attack in the path.
However, the attackers on the tested path may write a fake RTT value equal to the
RTT written by the normal nodes, which increases the false negative rate.
Su and Boppana (2009) put forward certain equations to detect the wormhole
attack, but these equations include some parameters that must be filled in by the
node being checked, which gives the attacker the chance to fill in fake information and
hence defeat the detection system. True-link is the most self-dependable
technique, since it does not depend on any outer node to obtain the information required
for its intrusion detection technique.
Finally, Li et al. (2012) proposed a collaborative and
multidimensional trust-based intrusion detection algorithm for securing MANET. The
proposed algorithm is called the gossip-based distributed outlier detection algorithm (G-BDODA). G-BDODA identifies outliers, which the authors define as
abnormal behaviours shown by the most likely attackers. G-BDODA also uses a
multi-dimensional management approach to estimate the honesty of the nodes from
different perspectives. The algorithm is efficient and accurate but suffers from the drawback of routing
overhead. Table 2.1 summarizes the previous non-AIS-based intrusion
detection systems.
Table 2.1 Non-AIS-based intrusion detection systems (the table was flattened in extraction; the row-by-row assignment of strengths and drawbacks is not recoverable). Columns: Authors, Year, Contribution, Strengths, Drawbacks. Authors listed: Li et al.; H. Kim & Song; Venkataraman et al.; Su & Boppana; Kurosawa et al.; Padilla et al.; Phuong et al.; Liu and Shen; Ping et al.; Lee et al.; Deng et al.; Marti et al. Year and contribution pairs listed: 2012 G-BDODA; 2010 PFM; 2009 Trust-based mechanism; 2008 NEVO; 2002 SID-RS; 2000 Watchdog. Strengths listed: accurate; simple; self dependable; low FP. Drawbacks listed: routing overhead; not accurate; consume energy; fail in some cases; not self dependable; susceptible to FP.
2.7.2
Chelly and Elouedi (2010) introduced the use of fuzzy logic sets in the last stage of the DCA
proposed by (Greensmith et al. 2005) to smooth the separation between normality
and abnormality in the calculated mature context antigen value (MCAV). The fuzzy
logic system consists of two parameters: the first parameter is the semi-mature DCs,
and the second parameter is the mature DCs. The defuzzification stage determines the
final maturity state of each DC, so that the antigens' final context is more accurately
decided. The proposed fuzzy dendritic cell method (FDCM) is tested on a set of
datasets, and it achieves more accurate results than the DCA. However, since FDCM
adds little enhancement to the DCA and the core calculation of the received antigens'
contexts depends mainly on the DCA, FDCM still suffers from the same drawbacks of
high false positive rate and low accuracy rate, especially when normal and abnormal
antigens are tested simultaneously (Chelly & Elouedi 2010).
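The fuzzy smoothing of the MCAV described above, as an added Python illustration that is not Chelly and Elouedi's code: the two FDCM parameters are taken to be the counts of semi-mature and mature DCs that sampled an antigen, fuzzified into few/many, combined by four rules and defuzzified into a maturity degree that is compared with the crisp DCA ratio. The membership functions, the rule base and the FULL_COUNT scale are assumptions.

```python
"""Fuzzy smoothing of the DCA mature context antigen value (MCAV).

Added illustration of the FDCM idea, not Chelly and Elouedi's code: the two
fuzzy inputs are taken to be the number of semi-mature and the number of mature
DCs that sampled an antigen; each count is fuzzified into "few"/"many", four
rules fire with min as fuzzy AND, and a weighted average of the rule outputs
(defuzzification) gives a maturity degree in [0, 1]. Membership functions, rule
base and the FULL_COUNT scale are assumptions made for this example.
"""
from typing import Dict, List, Tuple

FULL_COUNT = 5.0   # assumed: five or more DCs of one kind count fully as "many"

# Rule base (assumed): (mature term, semi-mature term) -> output singleton.
RULES: Dict[Tuple[str, str], float] = {
    ("many", "few"): 1.0,   # mostly mature contexts: anomalous
    ("few", "many"): 0.0,   # mostly semi-mature contexts: normal
    ("many", "many"): 0.5,  # conflicting evidence: uncertain
    ("few", "few"): 0.5,    # too little evidence: uncertain
}


def fuzzify(count: int) -> Dict[str, float]:
    """Degree to which a DC count is 'few' or 'many' (complementary ramps)."""
    many = min(count / FULL_COUNT, 1.0)
    return {"few": 1.0 - many, "many": many}


def crisp_mcav(mature: int, semi: int) -> float:
    """Plain DCA MCAV: fraction of mature contexts among the DCs that sampled the antigen."""
    total = mature + semi
    return mature / total if total else 0.0


def fuzzy_mcav(mature: int, semi: int) -> float:
    """FDCM-style maturity degree: min for AND, weighted-average defuzzification."""
    m_terms, s_terms = fuzzify(mature), fuzzify(semi)
    numerator = denominator = 0.0
    for (m_term, s_term), output in RULES.items():
        strength = min(m_terms[m_term], s_terms[s_term])   # fuzzy AND of both antecedents
        numerator += strength * output
        denominator += strength
    return numerator / denominator if denominator else 0.5


def verdict(mature: int, semi: int, threshold: float = 0.5) -> Tuple[str, float, float]:
    """Return (label, crisp MCAV, fuzzy degree); the label compares the fuzzy degree with threshold."""
    crisp, fuzzy = crisp_mcav(mature, semi), fuzzy_mcav(mature, semi)
    return ("anomalous" if fuzzy > threshold else "normal", crisp, fuzzy)


def compare(samples: List[Tuple[int, int]]) -> List[Tuple[int, int, float, float]]:
    """Tabulate crisp versus fuzzy values for (mature, semi) count pairs."""
    return [(m, s, crisp_mcav(m, s), fuzzy_mcav(m, s)) for m, s in samples]


if __name__ == "__main__":
    # Constructed count pairs; the first three are verdicts drawn from very few DCs.
    for m, s, crisp, fuzzy in compare([(1, 0), (0, 1), (2, 1), (5, 5), (10, 0), (1, 9)]):
        print(f"mature={m:2d} semi={s:2d}  crisp MCAV={crisp:.2f}  fuzzy degree={fuzzy:.2f}")
```

With a single mature DC the crisp MCAV is already 1.0, whereas the fuzzy degree is 0.6 and only reaches 1.0 once enough DCs agree; with strong evidence on either side the two values coincide.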
The main drawback in this work is the high false positive alarm rate and low detection
accuracy rate (Hofmeyr & Forrest 1999).
Sarafijanovic and Le Boudec (2004, 2005) introduced the first studies that
applied AIS over MANET (Meisel et al. 2010). The detection is applied
at the network layer. They rely on a co-stimulation concept represented by a danger
signal that reports packet loss on the connection path. In the proposed AIS
architecture, the thymus module performs a negative selection operation. The danger
module produces the danger signal if no acknowledgment is received for a sent
packet. The clustering module is used to verify the detection, and the clonal selection
module is used to decrease the false positive rate by enhancing the quality of the detectors
(Sarafijanovic & Le Boudec 2004, 2005).
The proposed AIS registered a detection rate of about 55%, but the whole
system could only detect a simple packet dropping attack.
2008 and 2010) proposed a new DC-based algorithm called the DCA over a wired network.
The algorithm is considered a main contribution to the danger project established by
Aickelin et al. (2003). It is also built over the libtissue architecture (Twycross &
Aickelin 2006). It is inspired by immunological studies on DCs because of their
desirable characteristics, such as the following:
- DCs are described as forensic navigators that are distributed all over the tissues
in order to protect the body from invaders.
- DCs perform anomaly detection in the HIS after they collect antigens and the
correlated signals.
- DCs have the power to control the adaptive immunity reaction by either
stimulating T-cells or suppressing them.
The algorithm was verified by detecting a port scanning attack (McClure et al.
2005) over a wired network. It showed good results as a real-time IDS but produces high
false positive and false negative alarm rates.
In Kim et al. (2006) and Wallenta et al. (2010), the authors used a theoretical
integration between the DCA and
Cooperation between each node and its 2-hop neighbour nodes is required to
exchange the calculated security information. If the first step detects the existence of
an attacker, it triggers the second step of detection, which is energy inefficient and
used for confirmation. Otherwise, there is no need for that energy-inefficient stage,
because it depends on overhearing the packets sent by the neighbour to the 2-hop
neighbour (watchdog). A neural network mechanism is used to improve the CIA's
optimization. However, it has many drawbacks. Firstly, the cooperation between each
pair of 2-hop neighbours in the detection causes traffic overhead. Secondly, the 2-hop
neighbour may not be trusted. Finally, the algorithm depends mainly, in its confirmation
stage, on the watchdog, which fails in many cases, as mentioned in subsection 2.7.1.
Ou (2012) combines the features of the DCA and agent-based IDSs to introduce an
agent-based AIS (ABAIS). The aim of the proposed ABAIS is to be applied over the
internet to detect viruses and internet worms. The ABIDS architecture consists of three
main agents in each host, namely a DC agent, a T-cell agent (TC agent) and an antigen agent (Ag agent),
and an agent residing in a security operating centre (SOC), namely the responding agent (RP).
The Ag agent extracts the required antigens for testing from a certain data set. The DC agent
performs the role of the DCA; it receives the extracted antigens and the available signals to
produce a context value for each antigen. If the context of the tested antigen becomes
mature, the Ag agent transfers this result to the TC agent as an activation procedure. The TC agent
in turn sends the antigen MCAV to the RP agent. The RP agent then determines whether the
antigen is malicious or not in order to decide on the appropriate response
adopted from the SOC (Ou 2012).
Three main factors are adopted in ABIDS to determine the type of the network
intrusion: severity, certainty and the time of attack. These factors are represented in a
vector. The maximum distance between each factor value and a certain threshold
indicates the classification of the antigen context as normal, harmlessly abnormal
or harmfully abnormal. In this work, the combination of the DCA and agent-based
IDSs adds a relative advantage to its contribution. However, the dependency on the
DCA adds the drawbacks of that algorithm (mentioned in section 1.1) to its detection
operation. Also, if an external attacker joins the system, it can run a TC agent
inside its host and communicate with the TC agents of the other hosts to inject faked
security information.
detection systems.
Table 2.2 Intelligent intrusion detection systems (the table was flattened in extraction; the row-by-row assignment of strengths and drawbacks is not recoverable). Columns: Authors, Year, Contribution, Strength, Drawback. Authors listed: Ou; Chelly & Elouedi; Dickerson & Dickerson; Hofmeyer & Forrest; Sarafijanovic & Boudec; Drozda et al.; Fanelli; Kim et al.; Greensmith; Sujatha et al. Years listed: 2012; 2010; 2000; 1999; 2004-2005; 2009-2010; 2008-2010; 2005-2010; 2008. Contributions listed: ABAIS; FDCM; FIRE; Self non-self algorithm; First AIS over MANET; CIA; NetTRIIAD; DCA; FBRM. Strengths listed: Accurate; Detect 3 attacks; Utilizes DC model; use negative selection; no strength. Drawbacks listed: high FP (several rows); overhead; detect simple attack; watchdog dependent.
2.8
SUMMARY
This chapter has reviewed the concept of MANET as a wireless network with a specially
characterized environment that requires special security techniques and routing
algorithms. The lighter the algorithm (either for security or routing purposes) that is
applied over MANET, the more efficiency and effectiveness it can achieve. Also, in the
security field, IDSs are not only required to detect intrusions, but also have to
perform the detection with a low false positive rate and a high accuracy rate, which are two
major challenges for IDSs over MANET.
CHAPTER III
METHODOLOGY
3.1
INTRODUCTION
This chapter describes the methodology used to derive DCFA. Two main
computational intelligence theories are applied: danger theory, represented by its abstract
DC model, and fuzzy logic theory. The biological DC model utilized includes
different components and functions, which are clarified in this chapter. The DC
model's components, such as input antigens and input signals, and their effect on the
resultant output signals are thoroughly explained. The operation stages of DCs during
their life span are illuminated. These stages include the collection stage, the processing stage
and the immune response control stage. This chapter also provides details on how DCFA
abstracts the biological model of T-cells to be utilized in a useful manner in two
detection pathways, namely the PIR and SIR pathways. The utilization of fuzzy logic
theory is also clarified in each of its fuzzy stages.
3.2
Innate immunity in biology has an important role in detecting danger coming from the
external environment. It consists of forensic navigator cells, which navigate through
different body tissues to protect those tissues from dangerous pathogens. The nature of innate
immunity cells as mobile, self-organizing, flexible cells inspires the analogy between
the special characteristics of the MANET environment and the abstract features of the
innate immunity environment presented in the study of (Twycross & Aickelin 2005).
Table 3.1 illustrates the analogy between the general innate immunity properties and
the corresponding MANET characteristics.
Table 3.1 Analogy between innate immunity properties and MANET characteristics (the table was flattened in extraction; only the following cells are recoverable). Columns: Innate Immunity Properties; MANET Characteristics. One recoverable pairing: the property that innate immunity cells perform parallel computational processing for incoming proteins to help the human body survive corresponds to the characteristic C7 - Distributed computation. Other cells listed: C1 - openness; C2 - Limited resources; C4 - Wireless medium; signalling.
3.3
Two immune response pathways, PIR and SIR, are conceptually applied in DCFA. In
PIR, the abstract DC model plays the key role with assistance from the T-cells, whilst
the abstract T-cell model is primarily responsible for the SIR pathway with assistance
from innate immunity. The cooperation between the innate and adaptive immunity
subsystems is selectively performed to benefit from the advantages of each and achieve the
highest performance possible. Figure 3.1 summarizes the key functions performed by
DCs.
parallel to face the invasion of differently structured antigens. Figure 3.2 shows the
main DC inputs and outputs used in DCFA to detect intrusions. Antigens and
four types of signals are required in the processing stage. The signals are PAMP,
danger, safe and inflammation signals. The input signals differ in strength; for
instance, PAMP signals strongly induce the production of IL-12 by DCs, whereas
danger signals only weakly increase the production of the same interleukin type. On the other
side, safe signals strongly induce the production of IL-10 by DCs and reduce the
concentration of IL-12. The only task of inflammation signals is to amplify the
concentration of the produced output signals. Unlike the previously introduced DC-inspired algorithms in the literature, CSM is not utilized as an output signal. Only IL-12 and IL-10 are utilized to distinguish whether the migrated DC is semi-mature or
mature.
3.5
Human body tissues release various types of signals that result from antigen effects
and the health state of the tissue cells. DCs process the received antigens and signals.
This function can direct the immune response toward the received and processed
antigens. The different categories of signals are fused and processed to judge the
correlated antigen in the same DC. As can be seen in Figure 3.2, antigens as well as
PAMP, safe, danger and inflammation signals are very important input parameters to
the anomaly detection function of DCs.
3.5.1
Antigens
The combination of signals received by DCs can indicate whether the antigens
processed are malignant or benign. In other words, the received signals clarify the
behaviour of the collected antigens (whether normal or abnormal); however, they
cannot determine the identity of the source of these behaviours. Therefore, antigens are
utilized in a different manner from signals in DCFA. Antigens determine the
identity of the source that affects the health state of the tissue in either a normal or an
abnormal manner. Artificially, antigens are represented by the received data, which
should be classified based on the existing combination of signals and not on the antigen
structure, as in the self-nonself discrimination theory.
Sampling multiple antigens with different structures in the same DC, and judging
them by signals released by different antigens, leads to false positive and false
negative results. Specifically, if the concentration of PAMP signals exceeds the
concentration of safe signals, all the antigens sampled by that DC are considered
malignant, even though a few of them are benign antigens that released the safe
signals; these benign antigens become false positives. Conversely, if the safe signals
dominate, malignant antigens sampled by the same DC are judged benign and become
false negatives.
The absence of a relationship between a crime and the identity of the perpetrator
may lead to unjust judgment of innocent people. Similarly, the absence of a relation
between the abnormal behavior and the culprit leads to inaccurate results. Therefore,
the algorithm in Chapter V samples only one antigen in each DC and processes only
the signals released by that antigen. In this case, each DC is exposed to the signals
related to its own antigen, thereby ensuring that antigens are tested equally and
producing a more robust and accurate IDS.
3.5.2
Input Signals
[Figure 3.3: decision flowchart for classifying an exogenous input signal. The
recoverable decision nodes are "Exogenous signal", "Indicates the danger state" and
"Has a significant effect", each with Yes/No branches; the leaf categories are PAMP,
danger and safe.]
3.5.3
Output Signals
Two main categories of output signals, namely, the cytokines IL-10 and IL-12, are
included in the DC model utilized in this research, as shown in Figures 3.2 and 3.3.
These two signals are produced as a result of the processing of different types of input
signals by DCs. CSMs are not utilized in our abstraction for several reasons. Firstly,
CSMs in biology involve numerous complicated processes, which could increase the
computational overhead and produce error-prone results. Secondly, CSMs do not affect
the resultant context of the migrating DC. Thirdly, CSMs were utilized in previous
studies as indicators of the amount of produced signals: when the produced signals
exceeded a certain threshold, the DC stopped collecting and processing and migrated
to the adaptive immune subsystem. This form of migration dependency is not employed
in the proposed algorithm, in order to avoid generating false positive results.
Whichever of IL-10 or IL-12 is produced with the higher concentration dictates the
differentiation state of the DC and determines its ultimate state (semi-mature or fully
mature). When the collection and processing stages are over, the DCs are obliged to
migrate and deliver the results to the T-cells in the adaptive immunity subsystem.
Receipt of IL-10 triggers the T-cells to suppress the immune response, whereas IL-12
is the second signal that activates the T-cells to fight the antigens presented by the
migrating DC. Table 3.3 summarizes the main features of the two output signals.
Table 3.3 Main features of the two output signals

Output signal | DC differentiation | Health state | Signal effect
IL-10 | Semi-mature DC | Normality | Suppress T-cells
IL-12 | Fully mature DC | Abnormality | Activate T-cells

3.6
Negative selection is not applied in DCFA, in order to avoid scaling problems. Only the
abstract functions of T-cells and their differentiation states are utilized. When the
primary immune response is activated, the migrating fully matured DCs meet the naive
T-cells in the lymph nodes. The binding between a DC and a T-cell, i.e. the meeting
itself, is considered the first signal for the T-cell. The second signal released by the DC
is either IL-12 or IL-10, depending on the inputs the DC previously received. In nature,
this signal information fusion is a complicated process; in this research, it is abstracted
into a simple process with high performance.
Receipt of IL-10 means that the naive T-cells consider the antigens presented by
the DC to be benign, whereas receipt of IL-12 means that they consider the presented
antigens to be malignant. Another important operation performed by naive T-cells
when they receive IL-12 is differentiation into MT-cells. In DCFA, MT-cells store the
collected malignant antigens so that a rapid response can be activated through the
secondary immune response in the future if the same antigens appear more than a
certain threshold number of times. Table 3.4 compares the T-cell and DC models used
in the proposed artificial algorithm.
Table 3.4 A comparison between T-cells and DCs

Cell type | Input signals | Differentiation types | Main operation
DCs | PAMPs, danger and safe signals | Semi-mature or fully mature DCs | Collection and processing of antigens and signals
NT-cells | IL-10 or IL-12 delivered by the migrating DCs | ST-cells or MT-cells | Judging the presented antigens as benign or malignant; MT-cells store malignant antigens for the secondary immune response
3.7
The AODV routing protocol (Perkins et al. 2003; Perkins & Royer 1999) is adopted in
this research. AODV is a reactive, self-starting and large-scale routing protocol. It has
been extensively studied and improved over many years, which has established its
robustness and benefits. AODV has been chosen because it is a standard routing
protocol that has been examined by many researchers and has several advantages:
firstly, the connection setup delay with the destination is shorter than in other MANET
routing protocols; secondly, congested paths are avoided in AODV, unlike in other ad
hoc routing protocols; thirdly, AODV can cope with rapid ad hoc topological
reconfigurations that may affect other routing protocols (Taneja & Kush 2010). In
addition, AODV has been chosen because it represents a wide category of MANET
routing protocols, the reactive MANET protocols, which includes DSR, TORA and
many others. All of these protocols have a similar routing mechanism, so testing
DCFA over AODV gives indirect evidence of its applicability to the other reactive
MANET protocols. However, AODV is vulnerable to different types of attacks. The
following subsections explain how AODV is vulnerable to RCA on MANET.
In the route discovery process of the AODV routing protocol on MANET, the
source node broadcasts a route request (RREQ) packet throughout the MANET nodes,
as shown in Figure 3.4(a), and sets a timer to wait for the reply. The RREQ packet
contains routing information, including the originator IP address, the broadcast ID and
the destination sequence number. Each intermediate node that receives the RREQ
packet creates or refreshes the reverse path to the source node and performs two
further processes. The RREQ broadcast as conducted in QualNet appears clearly in
Figure B.1. Firstly, the intermediate node checks whether it has already received an
RREQ packet with the same originator IP address and broadcast ID, and on that basis
decides whether to discard the RREQ packet or accept it.
This check suppresses duplicate copies of the same request, which limits the cost
of a legitimate broadcast; it does not, however, stop an attacker who places a new
broadcast ID in every RREQ, which is exactly what RCA does (Section 3.8). Secondly,
if the RREQ packet is accepted, the intermediate node checks the destination sequence
number stored in its routing table. If that sequence number is greater than or equal to
the one carried in the RREQ packet, the intermediate node holds a fresh enough route
and unicasts a route reply (RREP) packet to the source node. If no intermediate node
has a fresh enough route (one with a fresh destination sequence number) to the
destination node, the RREQ packet continues to propagate until it reaches the
destination node, which in turn unicasts the RREP packet toward the source node, as
shown in Figure 3.4(b).
Figure 3.4 AODV routing protocol. S: source node, D: destination node, N1 to N5:
intermediate nodes. (a) Propagation of the RREQ packet, (b) path of the RREP packet
3.8
RCA (Agrawal et al. 2011; Nadeem & Howarth 2009; D. Wang et al. 2008) is a DoS
attack in which the attacker exploits the route discovery process of the AODV routing
protocol. RCA has been chosen as an example from the wide range of flooding-based
attacks, which are among the most effective and dangerous attacks on MANET.
Conceptually, all flooding-based attacks share the same mechanism of using a flooding
technique.
For example, flooding-based attacks include the resource consumption attack
(RCA), hello flood, routing table overflow, routing table poisoning and the exploitation
of node penalizing schemes; each of these attacks uses flooding but for a different
purpose. In detail, in RCA the attacker uses the flooding mechanism to exhaust the
network resources, whereas in routing table overflow the attacker uses flooding to fill
the routing table with stale routes and cause routing failure. Therefore, we expect that
if DCFA succeeds in detecting RCA, it will likewise detect other flooding-based
attacks.
In RCA, the attacker continuously broadcasts RREQ packets, each with a different
broadcast ID, so that every node is repeatedly notified and its limited energy,
bandwidth and memory are consumed (Figure 3.5(a)). The attacker does not follow the
AODV rules: it does not set a timer to wait for a reply but keeps flooding the network
with RREQ packets, as shown in Figure 3.5(b). If destination node D represents a
server, its service can be isolated by attacker A. MANET is very vulnerable to this type
of attack because its limited bandwidth allows a link to be overflowed very easily and
quickly. Congested links become jammed when they are overflowed with malicious
packets, thereby interrupting access to the services of the available servers in the
network.
Figure 3.5 RCA. S: source node, D: destination node, A: attacker, N1 to N5:
intermediate nodes. (a) RREQ continuously broadcast by the RCA attacker, (b) RREQ
packets flooded by RCA
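The following Python script is added here as an illustration; it is not code from the thesis or from any AODV implementation. It models the duplicate-RREQ check of Section 3.7 and the RCA behaviour described above: an intermediate node remembers the (originator, broadcast ID) pairs it has already processed, a legitimate source reuses one broadcast ID per discovery attempt (so copies of the same RREQ arriving through several neighbours are discarded), and the attacker places a fresh broadcast ID in every RREQ and never waits for a reply, so the cache never catches it. The node and originator names, the traffic pattern and the per-originator RREQ rate returned at the end are constructed assumptions for the example; that rate is the kind of raw observation from which an RREQ-derived signal of the sort used in Section 3.9 could be computed, but the thesis does not define it this way.

```python
"""Added example: AODV duplicate-RREQ check versus an RCA flooder.

The network model is deliberately minimal: one intermediate node receives
RREQs from a legitimate source S and from an RCA attacker A. Names, rates
and durations are constructed for the example, not taken from the thesis.
"""
from collections import defaultdict


class AodvNode:
    """Intermediate node with the RREQ cache AODV uses to discard duplicates."""

    def __init__(self, name):
        self.name = name
        self.seen = set()                  # (originator, broadcast_id) already handled
        self.accepted = defaultdict(int)   # originator -> RREQs accepted for processing
        self.dropped = defaultdict(int)    # originator -> RREQs discarded as duplicates

    def on_rreq(self, originator, broadcast_id):
        """Return True if the RREQ is accepted (rebroadcast or answered)."""
        key = (originator, broadcast_id)
        if key in self.seen:
            # Same originator and broadcast ID: a copy of a request already
            # processed, so AODV silently discards it.
            self.dropped[originator] += 1
            return False
        self.seen.add(key)
        self.accepted[originator] += 1
        return True


def legitimate_rreqs(originator, copies_per_id, attempts):
    """RREQs from a well-behaved source: one broadcast ID per discovery
    attempt, retried only after the reply timer expires. copies_per_id
    models the same RREQ reaching the node through several neighbours."""
    return [(originator, bid)
            for bid in range(1, attempts + 1)
            for _ in range(copies_per_id)]


def rca_rreqs(attacker, rate_per_s, duration_s):
    """RREQs from an RCA attacker: a fresh broadcast ID in every packet and
    no reply timer, so none of them is caught by the duplicate check."""
    return [(attacker, bid) for bid in range(1, rate_per_s * duration_s + 1)]


def run_scenario(duration_s=20, attempts=3, copies_per_id=2, attack_rate=10):
    """Feed both traffic sources to one node and report what the cache did."""
    node = AodvNode("N1")
    for originator, bid in (legitimate_rreqs("S", copies_per_id, attempts)
                            + rca_rreqs("A", attack_rate, duration_s)):
        node.on_rreq(originator, bid)
    return {
        "legit_accepted": node.accepted["S"],
        "legit_dropped": node.dropped["S"],
        "attack_accepted": node.accepted["A"],
        "attack_dropped": node.dropped["A"],
        # Accepted RREQs per second per originator: the raw observation an
        # RREQ-derived signal could be computed from (an assumption of this
        # example, not the thesis's definition).
        "legit_rreq_rate": node.accepted["S"] / duration_s,
        "attack_rreq_rate": node.accepted["A"] / duration_s,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>18}: {value}")
```

With the default parameters the node discards every second copy of the three legitimate requests but accepts all 200 attacker RREQs, which is the point of the section: the broadcast-ID check is a deduplication mechanism, not a flood control.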
3.9
As shown in Figure 3.6, a fuzzy logic mechanism generally consists of four blocks,
namely, fuzzification, fuzzy rules, fuzzy inference and defuzzification (Cox 1992).
During the fuzzification stage, the crisp (actual) input parameters are fuzzified into
fuzzy linguistic parameters by applying the corresponding membership functions;
fuzzy input sets are thereby obtained. Zadeh defines linguistic parameters as
parameters whose values are not numbers but words or sentences in a natural or
artificial language (Kapitanova et al. 2011; Zadeh 1973). An input parameter can be
associated with one or more fuzzy sets depending on the calculated membership
degrees.
3.9.1 FUZZIFICATION
During fuzzification, the crisp (actual) value is converted into degrees of membership;
the input fuzzy sets are obtained by applying the corresponding membership functions.
A membership function is a curve that determines the certainty with which a crisp
value is associated with a specific linguistic value. Figure 3.7 shows an example of a
temperature membership function, where a parameter named x represents the value of
the temperature. The x space can be divided into a range of fuzzy sets, such as freezing
and cool, using triangular membership functions. With this scheme, x no longer jumps
abruptly from one fuzzy set to the next. Instead, as x changes, it loses membership in
one function and gains membership in the next. If x = -5, then x is freezing with a
membership value of 0.75 and x is cool with a membership value of 0.25. In other
words, x = -5 is mapped into the pair of membership values (0.75, 0.25). Membership
functions can have different shapes; some of the most frequently used are triangular,
Z-shape, S-shape, trapezoidal and Gaussian. Membership functions are defined either
from domain knowledge or through the application of learning techniques, such as
neural networks (Horikawa et al. 1992; Jang 1992) and genetic algorithms (Arslan &
Kaya 2001). A triangular membership function is specified by three parameters
(a, b, c) as follows:
$$\text{Triangular MF}(x; a, b, c) =
\begin{cases}
\dfrac{x - a}{b - a}, & a \le x \le b \\[6pt]
\dfrac{c - x}{c - b}, & b \le x \le c \\[6pt]
0, & \text{otherwise}
\end{cases} \qquad (3.1)$$
where a, b and c are the corner points defining the triangular membership function.
These points can be adjusted to fit the desired membership function data.
(3.2)
where x is the input parameter, y is the output parameter, A is the fuzzy set of the
input and B is the fuzzy set of the output. Fuzzy inference is the process of mapping
given input fuzzy sets to output fuzzy sets through the fuzzy rules. Fuzzy inference
first evaluates the fuzzy rules and then determines their firing strength. Mamdani's
method (Mamdani & Assilian 1975) is one of the most common and efficient methods
of determining the firing strength of a rule. In Mamdani's method, the firing strength
of a rule is the strength generated by its antecedent. For example, consider the
following rules involving the input parameter x:
R1: IF x is freezing, THEN y is freezing.
R2: IF x is cool, THEN y is cool.
The firing strength of each rule is simply the firing strength of its IF part.
Supposing that x = -5, the firing strengths of rules R1 and R2 are 0.75 and 0.25,
respectively (Figure 3.9).
3.9.3 DEFUZZIFICATION
Determining the firing strengths of the fuzzy rules generates multiple fuzzy output
sets, which are the modified (clipped or scaled) membership functions of the rule
consequents. In the defuzzification stage, all the fuzzy output sets are aggregated into a
single fuzzy set, which is then transformed back into a crisp output number. In control
applications, such a number corresponds to a control action. The most commonly
utilized defuzzification methods are the centroid weighted average, the center of
singletons and the maximum method (Klir & Yuan 1995). The most frequently utilized
and most computationally efficient of these is the centroid weighted average (Bas &
Neira 2003). In this method, the crisp value of the output parameter is computed as the
weighted average of the outputs of the set of rules, each output being weighted by the
firing strength of its rule; the output is the x-coordinate of the centroid. The centroid
defuzzification method can be expressed as:

$$\text{Crisp output} = \frac{\sum_{f=1}^{n} \mu_f\, w_f}{\sum_{f=1}^{n} \mu_f} \qquad (3.3)$$

where n is the number of rules, \mu_f is the firing strength of rule f and w_f is the
centroid of the output set of rule f.
signal values should be represented within fuzzy input sets. These input sets have a
certain degree of belongingness to the predefined input parameters; this degree of
belongingness is called the firing strength. If the input signal is released by the RREQ
packet, the parameter is defined over the fuzzy sets safe, low PAMP and high PAMP.
If the input signal is released by the unhealthy connection state between a node and its
neighbors, the parameter is defined over the fuzzy sets low danger and high danger.
The parameters are represented by input membership functions; three function shapes,
namely, triangular, Z-shape and S-shape, are utilized to represent them.
In the inference stage, a set of rules is defined according to the strength of each
signal category to map the fuzzy input sets to fuzzy output sets, which are represented
by output membership functions. Mamdani's method is employed as the main
technique in this mapping. DCFA defines two output membership functions, IL-12 and
IL-10, together with the overlap region between them, to produce an accurate result.
The centroid equation is applied in the defuzzification stage to aggregate the resultant
output membership functions and produce a single crisp value. This crisp value is
utilized as the fuzzy threshold value that determines the effect of the input signal
(differentiation to a semi-mature or a fully mature DC).
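As an added illustration that is not the thesis's own code, the following Python script implements the fuzzy pipeline of Section 3.9 as it is applied above: the triangular membership function of Equation 3.1 together with linear Z-shape and S-shape ramps, Mamdani firing strengths (the minimum over a rule's antecedents) and the centroid weighted average of Equation 3.3. It first reproduces the temperature example (x = -5 gives memberships 0.75 and 0.25) and then runs the same engine for a DC with one RREQ-derived signal, covered by the sets safe, low PAMP and high PAMP, and one connection-state signal, covered by low danger and high danger. The corner points of the membership functions, the rule base, the centroids of the IL-10 and IL-12 output sets and the 0.5 threshold are assumptions chosen for the example; the thesis does not publish these values.

```python
"""Added example: Mamdani inference with centroid weighted-average defuzzification.

Membership-function parameters, the rule base and the output centroids are
constructed for the example; they are not the values used in the thesis.
"""


def tri(x, a, b, c):
    """Triangular MF of Equation 3.1 with corner points a < b < c."""
    if x <= a or x >= c:
        return 0.0
    if x <= b:
        return (x - a) / (b - a)
    return (c - x) / (c - b)


def smf(x, a, b):
    """S-shape ramp: 0 at or below a, rising linearly to 1 at or above b."""
    if x <= a:
        return 0.0
    if x >= b:
        return 1.0
    return (x - a) / (b - a)


def zmf(x, a, b):
    """Z-shape ramp: the mirror image of smf."""
    return 1.0 - smf(x, a, b)


def mamdani_centroid(rules, inputs):
    """Evaluate a Mamdani rule base and defuzzify with Equation 3.3.

    rules  : list of (antecedent, w); antecedent is a list of
             (input_name, membership_function) pairs combined with AND (min),
             and w is the centroid of the rule's output fuzzy set.
    inputs : dict of crisp input values.
    Returns (crisp_output, firing_strengths); crisp_output is None when no
    rule fires, which the caller must treat as "no evidence".
    """
    strengths = [min(mf(inputs[name]) for name, mf in antecedent)
                 for antecedent, _ in rules]
    denominator = sum(strengths)
    if denominator == 0.0:
        return None, strengths
    numerator = sum(mu * w for mu, (_, w) in zip(strengths, rules))
    return numerator / denominator, strengths


# Temperature example of Section 3.9: freezing and cool as triangles that
# overlap so that x = -5 has memberships 0.75 and 0.25 (corner points assumed).
TEMP_RULES = [
    ([("x", lambda v: tri(v, -30, -10, 10))], -10.0),  # R1: IF x is freezing THEN y is freezing
    ([("x", lambda v: tri(v, -10, 10, 30))], 10.0),    # R2: IF x is cool THEN y is cool
]


def temperature(x):
    return mamdani_centroid(TEMP_RULES, {"x": x})


# DC signal processing. rreq is the RREQ-derived signal and conn the
# connection-state signal, both normalised to [0, 1] (assumption).
IL10, IL12 = 0.1, 0.9        # assumed centroids of the two output sets
THRESHOLD = 0.5              # assumed fuzzy threshold between them
DC_RULES = [
    ([("rreq", lambda v: zmf(v, 0.2, 0.5))], IL10),       # safe        -> IL-10
    ([("rreq", lambda v: tri(v, 0.2, 0.5, 0.8))], 0.6),   # low PAMP    -> IL-12, weakly (overlap region)
    ([("rreq", lambda v: smf(v, 0.5, 0.8))], IL12),       # high PAMP   -> IL-12, strongly
    ([("conn", lambda v: zmf(v, 0.3, 0.7))], 0.3),        # low danger  -> IL-10 side of the overlap
    ([("conn", lambda v: smf(v, 0.3, 0.7))], 0.7),        # high danger -> IL-12 side of the overlap
]


def dc_context(rreq, conn):
    """Return ("mature" | "semi-mature" | "no-signal", crisp value)."""
    crisp, _ = mamdani_centroid(DC_RULES, {"rreq": rreq, "conn": conn})
    if crisp is None:
        return "no-signal", None
    return ("mature" if crisp > THRESHOLD else "semi-mature"), crisp


if __name__ == "__main__":
    print("temperature x=-5 ->", temperature(-5))
    for r, c in [(0.1, 0.1), (0.95, 0.9), (0.5, 0.5)]:
        print(f"rreq={r:.2f} conn={c:.2f} ->", dc_context(r, c))
```

The weaker effect of danger signals relative to PAMP signals is expressed here by placing the danger consequents nearer the middle of the output universe than the PAMP consequents, so that a DC fed only danger evidence lands closer to the threshold than one fed high PAMP; with the weighted-average form of Equation 3.3, a uniform amplification of all firing strengths (the inflammation signal) cancels out, which is why it is not modelled.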
3.10
SIMULATION ENVIRONMENT
This section explains the environment where the experimental simulations are
performed. Specifically, the simulation parameters and main performance metrics
utilized are discussed.
3.10.1 SIMULATION PARAMETERS
The experiments are conducted using the QualNet version 5.0.2 scalable simulator
developed by Scalable Network Technologies (Simulator). Each data point presented
in the experimental results is the average of five simulation runs, so that the effect of
any anomalous individual run is reduced. This approach is adopted because a realistic
variance was observed among the results of five or more simulation runs. Table 3.5
lists the fixed values of the parameters employed in all the
experiments.

Table 3.5 Fixed values of the simulation parameters

Parameter | Value
Simulation area | 1500 m x 1500 m
Node speed | 0-8 m/s
Bandwidth | 11 Mbps
Packet size |
MAC protocol | 802.11
Mobility model |
Antenna model | Omnidirectional
Propagation model | Two ray
Detection metrics

Metric | Explanation | Equation
False positive (FP) | Normal behavior classified as an attack |
False negative (FN) | Attack classified as normal behavior |
True positive (TP) | Attack correctly classified as an attack |
True negative (TN) | Normal behavior correctly classified as normal |
Accuracy | Proportion of correct classifications | (TP + TN) / (TP + TN + FP + FN)
On the other hand, four main network performance metrics are examined,
namely, throughput, end-to-end delay, routing overhead and total energy consumption.
Throughput is the number of bits received at the destination per unit of time; the
reported value is the average of the throughput values of the destinations in each
experiment. End-to-end delay is the duration between the time at which the first bit of
a packet is sent from the source node and the time at which the last bit of the same
packet is received at the destination; the average of this duration over the destinations
is recorded in each experiment.
Total routing overhead is represented by the two main AODV quantities that are
visibly affected by RCA, both of which the attack increases. The first is the total
number of retried RREQ packets in each experiment, which measures how often a
source node fails to establish its route to the destination. The second is the total
number of RREPs initiated, which indicates the number of RREP packets
unnecessarily initiated under RCA. In our experiments, the total energy drawn from
the batteries of the nodes is measured in mjoule 1. Energy saving is a significant topic
in MANET because the energy in the node batteries is finite. A node consumes its
battery energy in three main states: transmission, receiving and idle modes.
Consequently, the total number of bits that a node can send is equal to its battery
energy divided by the energy required per sent bit.
1
The unit of energy is the joule. mjoule is the millijoule, which is equal to 1 × 10^-3 joule.
Figure 3.8 depicts the architecture of a general wireless radio energy model
(transceiver). Equation 3.4 gives the total energy required to send k bits. P_on, P_sp,
P_tr and P_idle represent the power consumed in the active, sleep, transient and idle
modes, respectively, and T_on, T_sp, T_tr and T_idle are the time durations spent in
those modes. Equation 3.4 obtains the total energy by multiplying the power consumed
in each state by the time spent in that state, because power is measured in watts and
one watt is a flow of one joule per second.
Figure 3.8 Radio energy dissipation model (transceiver). (a) Transmitter, (b) Receiver
(Cui et al. 2005; Simulator)

$$E_{\text{total}} = P_{on}\,T_{on} + P_{sp}\,T_{sp} + P_{tr}\,T_{tr} + P_{idle}\,T_{idle} \qquad (3.4)$$

As indicated by the wireless energy transceiver model, the active mode is the
state of sending or receiving packets. Cui et al. (2005) reported that the power
consumed in sleep mode is very low compared with that in active mode; hence, they
assigned P_sp a default value of zero. The power consumed in transient mode is that
required by the frequency synthesizers in the transceiver, which are circuits that
generate the carrier frequency needed to turn on the other circuits. T_tr is the time
from the moment the frequency synthesizers start up until the moment they settle, and
it is negligible. Given that the frequency synthesizers start up only once, the energy
spent in transient mode is negligible as well.
The power consumed in idle mode (P_idle) is that required by the node to keep
listening to the wireless channel, which matters especially in MANET. The mobile
nodes do not perform actual receiving but are almost always notified by the wireless
channel, and this process consumes a considerable amount of energy. Hence, the
power consumed in idle mode is worth investigating. Equation 3.5 gives the total
energy consumed, and the energy consumed in transmit mode E_1, receive mode E_2
and idle mode E_3 is calculated with Equations 3.6, 3.7 and 3.8, respectively.

$$E_{\text{total}} = P_{transmit}\,T_{transmit} + P_{receive}\,T_{receive} + P_{idle}\,T_{idle} \qquad (3.5)$$

$$E_1 = P_{transmit}\,T_{transmit} \qquad (3.6)$$

$$E_2 = P_{receive}\,T_{receive} \qquad (3.7)$$

$$E_3 = P_{idle}\,T_{idle} \qquad (3.8)$$
broadcast by AODV, RREQ broadcast by attackers with a radio range of 200 m and
RREQ broadcast by attackers with a radio range of 400 m. Monitoring the events
through the GUI animation confirms that these events are processed by the DCFA
model code.
3.11
SUMMARY
The abstraction of the DC model and the T-cell model and their interaction are
clarified in this chapter. The chapter shows that biological models can be effective in
building IDSs only if certain concepts and functions are carefully selected without
burdening the system with extra overhead. For example, signals and antigens in
biology interact with each other in a very complex manner; such complexity should
not be transferred to the computational system if one wishes to benefit from a
particular function of that interaction.
Also, the representation of CSMs is considered unnecessary because DCFA does
not make DC migration depend on the magnitude of CSMs; hence, this type of output
signal is neglected. Furthermore, the processing of antigens and signals in DCs, which
remains insufficiently described in biology, is implemented with fuzzy logic theory in
order to reduce the false positive and false negative rates in the detection results.
CHAPTER IV
4.1
INTRODUCTION
All MANET routing protocols can be attacked if an attacker identifies the vulnerable
points of the network protocols. Many intrusion detection and secure routing
mechanisms have been introduced to protect the routing schemes in MANETs. For
example, SEAD was introduced to protect the DSDV routing protocol; the secure ad
hoc on-demand distance vector (SAODV) protocol was designed as an extension to
protect the AODV routing protocol; and Ariadne was proposed to secure the routing
functions of the DSR routing protocol. Numerous other security measures at the
network layer have been put forward, including the secure routing protocol.
Securing routing schemes in MANET is considered a crucial research issue.
Attackers can easily eavesdrop on communications between nodes because of the
wireless medium. The limited bandwidth of MANET renders its nodes vulnerable to
isolation and its links susceptible to frequent breaks. In addition, the lack of
centralized authorization and security cooperation makes it easier to attack each part
of the network individually. Consequently, MANET is subject to many types of
attacks. Flooding-based attacks are among the best known because they are dangerous
and effective; they include the hello flood attack, routing table overflow, the
exploitation of node penalizing schemes and RCA. These attacks are explained in
subsection 2.3.3.
4.2 EXPERIMENTAL DESIGN
This chapter derives the simulation results by conducting two main scenarios:
scenario A and scenario B. In both scenarios, 100 nodes are run for 200 s of simulation
time, and each scenario varies a combination of two factors. Scenario A studies the
effect of different positions of the RCA attackers (near-source, near-destination and
random) with varying numbers of attackers (2, 4, 6, 8 and 10) for each position. This
scenario keeps the RREQ flooding rate at 10 RREQs/s, and the radio range of all the
attackers is 250 m, identical to that of the legitimate nodes. The figure in Appendix B
shows the random distribution of attackers as applied in QualNet.
Scenario B varies the RREQ flooding rate over 10, 20 and 30 RREQs/s
(counting the RREQ packet header), and each of these flooding rates is applied in
combination with different attacker transmission ranges (200, 250, 300, 350 and
400 m). Scenario B keeps 4 attackers, which are randomly located in each experiment.
The RCA attackers flood against two separate CBR connections, which differ in their
connection time: the first connection, CBR-1, runs from the beginning of the
simulation until the end, whereas the second connection, CBR-2, begins after 100 s
and continues until the end of the simulation. The attackers start flooding 2 s into the
simulation and continue until the end. A traffic load of 1 RREQ/s is used in each
connection, which helps to isolate the effect of the high traffic load caused by RCA.
Table 3.5 lists the other fixed parameters used in all the experiments. The figures in
Appendix B show the difference between applying attackers with radio ranges of
200 m and 400 m, respectively, in QualNet.
4.3
This section presents the effects of varying the number of attackers and their positions
on the throughput, end-to-end delay, energy consumption and routing overhead
metrics. In the near-source position, the attackers (A1, A2) are located one or two hops
from the source node(s), as shown in Figure 4.1(a); Figure 4.1(b) shows the same for
the near-destination position relative to the destination node (D). In the random
position, the attackers are spread along the path between the source and destination
nodes, as shown in Figure 4.1(c); in this position, the attackers target the source node,
the destination node and the intermediate nodes on their routes.
Figure 4.1 Distribution of RCA attackers in different positions. (a) Attackers A1 and
A2 are one hop and two hops away from source S, respectively, (b) attackers A1 and
A2 are two hops and one hop away from destination D, respectively, (c) attackers A1
and A2 are randomly located along the path between source S and destination D
4.3.1
Figure 4.2 Effect of the number of attackers and their positions on throughput.
(a) Varying the number of attackers, (b) the average throughput
The random attackers exhibit effects that fall between those of the near-source and
near-destination attackers, but they outperform both when 8 or more attackers are
used. Figure 4.3(a) compares the effect of the different attack positions on end-to-end
delay as the number of attackers is varied. The near-source position has the highest
effect on end-to-end delay in all the scenarios: 10 near-source attackers increase the
delay by around 94.2% relative to the normal scenario, whereas 10 random and 10
near-destination attackers increase it by 90.5% and 89.1%, respectively.
Figure 4.3(b) confirms that the near-source attackers outperform the others
among the attack positions. If the attackers surround the source node and flood RREQ
packets onto its link, this alone is sufficient to jam the link. The flooded RREQ
packets compete with the source's data packets for the link, so each bit of a waiting
data packet has a low probability of being placed on the link. Moreover, RCA creates
enough jamming to suppress the transmission of data packets from the source by
causing packets to be dropped, which leads to retransmission of the lost packets and
further increases the delay.
Figure 4.3 Effect of the number of attackers and their positions on end-to-end delay.
(a) Varying the number of attackers, (b) the average end-to-end delay
4.3.2
In Figures 4.4(a), 4.4(b) and 4.4(c), the effects of increasing the number of attackers
follow the same pattern (increasing or decreasing) across the three positions. The
energy consumed in receive mode increases continuously as the number of attackers
increases, whereas the energy consumed in transmit mode increases only slightly and
slowly. This result indicates that RCA succeeds in forcing the legitimate nodes to
receive a high rate of bogus RREQ packets and in suppressing the transmission of
their own data packets.
Conversely, the energy consumed in idle mode decreases as the number of
attackers increases, indicating that legitimate nodes which are listeners in the normal
scenario are turned into receivers by RCA. The near-source and random attackers
increase the energy consumption of the legitimate nodes in receive mode by the same
percentage (about 97.6%), and the near-destination attackers increase it by 96.44%.
Figure 4.5(a) depicts the total energy consumed by all the simulated legitimate
nodes, calculated for each attack position using Equation 3.5. As shown in
Figure 4.5(a), 10 random attackers increase the total energy consumed by the
legitimate nodes by 73.5% over the normal scenario, whereas 10 near-source attackers
and 10 near-destination attackers cause the legitimate nodes to consume 72.7% and
63.6% more energy, respectively, than in the normal scenario. The overall effect of
each attack position in Figure 4.5(b) also confirms that, from the attacker's
perspective, the random attackers outperform the other two.
Figure 4.4 Effect of the number of attackers on the energy consumed in each mode.
(a) Near-source attackers, (b) near-destination attackers, (c) random attackers
Figure 4.5 Effect of the number of attackers and their positions on total energy
consumed. (a) Varying the number of attackers, (b) the average total energy consumed
4.3.3
may prevent any packet from being delivered to a destination, because the congested
links cause packet collisions and increase the probability of packet delay and dropping.
The 10 near-destination attackers increase the number of retried RREQs by 85.7%.
The 10 random attackers are slightly less effective than the near-destination attackers,
increasing the number of retried RREQs by 83.7%. By contrast, the 10 near-source
attackers increase the RREQ overhead by only 60.7%.
Figure 4.6 Effect of the number of attackers and their positions on the retried RREQs.
(a) Varying the number of attackers, (b) the average number of retried RREQs
As indicated by the simulation experiments, the increase in the number of
RREPs is initiated by the destination and intermediate nodes. In Figure 4.7(a), the
attackers in all positions overload the network with more RREPs as the number of
attackers increases. The 10 near-source, near-destination and random attackers
achieve the highest overloads, of about 99.94%, 99.93% and 99.92%, respectively.
The percentages do not differ significantly because of the considerable RREP
overhead created by RCA in every position. Figure 4.7(b) indicates that, averaged
over all attacker numbers, the near-source attackers overload the network with more
unnecessary RREP packets than the near-destination and random attackers. These
RREPs are regarded as unnecessary because they are created by the legitimate nodes
in response to the RCA attackers' RREQs and not to the RREQs of the legitimate
source nodes.
Figure 4.7 Effect of the number of attackers and their positions on the initiated RREPs.
(a) Varying the number of attackers, (b) the average number of initiated RREPs
4.4
This section examines the effect of varying the attackers' radio range and flooding
rate under the same network performance metrics discussed in Section 4.3. Increasing
the radio range increases the number of legitimate neighbors of each attacker, the
number of RCA victims and the area affected by the attack. These effects are depicted
by the shaded circles in Figure 4.8, which represent the radio ranges of attacker A.
Increasing the flooding rate accelerates the creation of congestion, which rapidly
degrades the network performance.
Figure 4.8 Effect of increasing the attackers' radio ranges; each shaded circle is a
successively larger radio range of attacker A
4.4.1
As seen in Figures 4.9 and 4.10, at a flooding rate of 10 RREQs/s, increasing the radio
range slightly degrades the network throughput and slightly increases the end-to-end
delay. At a flooding rate of 20 RREQs/s, however, the RCA attackers strongly affect
throughput and end-to-end delay from a radio range of 350 m upward; at the same
flooding rate, they prevent CBR-2 from being established from a radio range of 350 m,
and they break down both CBR-1 and CBR-2 at a radio range of 400 m. At a flooding
rate of 30 RREQs/s, RCA affects the network performance metrics dramatically and
rapidly: the attackers isolate the source node from the destination node in one of the
experiment connections already at a 300 m radio range, and they break both CBR
connections at radio ranges of 350 m and above because they can suppress numerous
legitimate nodes. This suppression is achieved by the flooding effect as the attackers
expand their radio range, which creates wider areas of congested links that cause
packet dropping and delay. It is clear from Figures 4.9 and 4.10 that RCA with a
flooding rate of 30 RREQs/s has the highest effect on both throughput and end-to-end
delay.
Figure 4.9 Effect of the attackers' radio range and flooding rate on throughput. (a) varying the radio range of attackers, (b) the average of throughput
Figure 4.10 Effect of the attackers' radio range and flooding rate on end-to-end delay
4.4.2
Figures 4.11(a), 4.11(b) and 4.11(c) depict the energy consumption of the legitimate
nodes in transmit, receive and idle modes. The energy consumed in receive mode
increases with the radio range at all flooding rates. At a flooding rate of 10 RREQs/s,
Figure 4.11(a) illustrates that the energy consumed in receive mode exceeds 100 mJ at
a 400 m radio range, whereas at a flooding rate of 20 RREQs/s (Figure 4.11(b)) it
exceeds 200 mJ at a 400 m radio range. In contrast, at a 30 RREQs/s flooding rate
(Figure 4.11(c)), the attackers cause the legitimate nodes to consume more than 200 mJ
at a radio range of 250 m and above. This result indicates the success of RCA in
suppressing the legitimate nodes, forcing them to receive numerous bogus packets.
At all flooding rates (Figures 4.11(a), 4.11(b) and 4.11(c)), the energy
consumed in transmit mode increases only slightly because of the jammed links
created by the RCA attackers. The continuous decrease in the energy consumed in idle
mode is consistent with the continuous increase in the energy consumed in receive
mode. That is, when RCA successfully suppresses the legitimate nodes into receiving
bogus packets, it consistently prevents the nodes from being silent or idle.
The total energy consumed by the legitimate nodes in all modes at varying
flooding rates is shown in Figure 4.12, which compares the energy use at 30 RREQs/s
with that at the 20 and 10 RREQs/s flooding rates. Applying a 30 RREQs/s flooding
rate at a 400 m radio range brings no additional effect, because a 20 RREQs/s flooding
rate with the same radio range achieves about the same result. However, the effect at
a 30 RREQs/s flooding rate is higher than that at a 20 RREQs/s flooding rate in all
radio ranges below 400 m.
Figure 4.11 Effect of the attackers' radio range and flooding rate on energy consumption in each mode. (a) 10 RREQs/s, (b) 20 RREQs/s, (c) 30 RREQs/s
Figure 4.12 Effect of the attackers' radio range and flooding rate on total energy consumed. (a) varying radio range, (b) the average of total energy consumed
4.4.3
by destination and intermediate nodes depends primarily on a high flooding rate of
bogus RREQs, whereas expanding the radio range only increases the number of
affected destination and intermediate nodes.
Figure 4.13 Effect of the attackers' radio range and flooding rate on the retried RREQs. (a) varying radio range, (b) the average of retried RREQs
Figure 4.14 Effect of the attackers' radio range and flooding rate on the initiated RREPs. (a) varying radio range, (b) the average of initiated RREPs
4.5 SUMMARY
can cover. Our simulation results confirm that the effects of the attacks increase as the
number of attackers increases.
In most experimental results, the average effect of the attackers' positions over
all attacker-number scenarios differs from that observed when the effects of specific
attack positions with a certain number of attackers are considered. For example, the
average effect of near-destination attackers is higher than that of the other attacker
positions in terms of decreasing network throughput and overloading network links
with additional retried RREQs. However, the 10 random attackers achieve greater
degradation of node throughput than do the 10 near-destination attackers. The
near-source attackers surpass the attackers in other positions in strongly increasing
end-to-end delay and the RREPs initiated from both the destination and intermediate
nodes. Nevertheless, the near-source attackers exhibit the lowest efficiency in terms of
the amount of energy needed to perform the attack.
Examining the flooding rate and radio range factors shows that the average
effect of 30 RREQs/s is the highest in almost all the performance metrics, whether this
rate is considered alone or together with the radio range used. For example, by using a
30 RREQs/s flooding rate, RCA attackers can decrease throughput to zero beginning at
a 350 m radio range. The same effect can be achieved with a flooding rate of 20
RREQs/s only if the attackers use a 400 m radio range. In our simulation environment,
if the attackers want to strongly affect certain metrics (such as throughput, end-to-end
delay, total energy consumed and retried RREQs), applying a 350 m radio range
together with a 30 RREQs/s flooding rate is sufficient. Our research investigates the
effects of flooding-based attacks extensively, given that it considers four different
factors that affect various types of network performance metrics.
CHAPTER V
5.1 INTRODUCTION
The proposed DCFA is mainly based on two computational intelligence theories: danger
theory in artificial immune systems and fuzzy logic theory. The key stages in the life
of DCs in innate immunity and their interactions with T-cells in adaptive immunity are
applied in abstract form, as shown and explained in Figure 3.1. These main stages are
combined with the functionality of fuzzy logic theory to produce a final intrusion
detection decision regarding the input routing packet. A general description of DCFA
is introduced in this chapter to make the proposed algorithm useful for computer
scientists and researchers. This description applies at the network layer of the open
systems interconnection (OSI) model. The DCFA components and the interactions
between them are elaborated and illustrated, as are the interactions between the DCFA
interface component and the outer routing protocol. Furthermore, the input parameters
and output results of each DCFA component are explained in detail.
This chapter also reveals how DCFA applies fuzzy logic theory to obtain an
accurate decision on the input antigen's context. Although DCFA is proposed in this
research as a general intrusion detection algorithm meant to detect many types of
attacks, this chapter introduces the specifications of the input parameters and their
membership functions in the fuzzy logic system used to detect RCA. The specification
in this portion of the algorithm aims to determine how DCFA can feasibly apply fuzzy
logic theory to detect routing attacks.
5.2
DCFA is developed to serve as a monitoring point that checks certain routing packet
types, such as RREQ, RREP or Hello packets depending on the type of attack, before
the routing protocol proceeds to handle the packet. For example, in the case of RCA
detection, the RREQ packet is the one the attacker mainly uses to flood the network
and degrade its performance. Therefore, every node in the network should verify a
received RREQ before handling the request. Similarly, if a Hello flood attack is to be
detected, Hello packets should be tested by DCFA before the routing protocol generates
any response. DCFA determines the context of the input routing packet, that is,
whether it is a normal or an anomalous packet. DCFA is designed to be applied in
each node of the network to perform local intrusion detection. The aim of this design
is to suppress the attack when it reaches the nearest legitimate node. Local intrusion
detection performed by DCFA is also feasible for mobile wireless networks such as
MANETs and suits their main characteristics.
Figure 5.1 shows the proposed model of the DCFA intrusion detection algorithm.
The figure illustrates the main processes of DCFA and the paths between these
processes. Table 5.1 summarizes the function of each component in DCFA. The DCFA
model is rendered as pseudocode in Algorithm 1 and Algorithm 2. It comprises three
main units, namely, security monitor, innate immunity and adaptive immunity. Each
unit comprises a set of components that interact with one another and connect with
certain components in the other units. Each unit is also responsible for one primary
function in the intrusion detection operation. Specifically, the security monitor unit
serves as an interface and a central management point between innate and adaptive
immunity on one side, and between both units and the routing protocol on the other
side. The innate immunity unit performs PIR (Algorithm 2) and the adaptive immunity
unit performs SIR (Algorithm 1). Each unit's components, with their input(s) and
output(s), are explained to elaborate the main processes of DCFA.
Table 5.1 Function of each DCFA component: Antigens Controller, Antigens Verifier, Genes Store, MT-Cells, ST-Cells
The security monitor contains three main components: routing packet queue,
antigens controller and antigens verifier. Routing packet queue performs three main
processes: receive input packets from the routing protocol, store the input packets in a
first-in-first-out manner and send a packet from the front of the queue to be handled by
the antigen controller when requested. DCFA is developed to receive different routing
packets from different source nodes and to recognize which of these nodes are
attacker(s). At first glance, it seems difficult to identify an attacker from a stream of
fused information carried in packets with different source IP addresses and different
behaviors per packet.
This is because, if a group of anomalous and normal packets arrives at the
legitimate node's queue within the same detection period, the intrusion detection
system may wrongly associate the behavior of anomalous packets with one or more
normal packets, and/or vice versa.
Input: input packets and their correlated effects
Output: antigen with context
DCFA. It controls the receipt of inputs and the delivery of outputs, from DCFA and to
the routing protocol, respectively. It also controls the units that should be activated
to detect a certain input packet's antigen.
In detail, when the antigens controller receives an input packet from the routing
packet queue, it immediately extracts an antigen from that packet. Each extracted
antigen represents the packet's unique source IP address. Afterward, the antigens
controller checks whether the antigen is available in the total genes list (TGList).
TGList is the list of different genes in the genes store component. As depicted in
Figure 5.2, each gene is represented by a sub-list of TGList, defined as GList. Each
GList comprises one antigen (a_i) and a number of related signals (s_j). The number of
antigens in TGList equals I and the number of signals per GList equals J. The number
of antigens in TGList always equals the number of correlated genes in the same list
(i.e., a_0 = Gene_0). However, the signals in each gene are computed from a number of
effects generated from the antigen's packet. This environment reflects that of human
body tissue, in which DCs navigate to collect the antigens and signals for the detection
operation.
total number of malignant antigens and profiles in MTList. Each profile contains a
malignant antigen and its correlated existence counter, the malignant antigen counter
(mac). This counter records how many times the antigen has been detected and seen by
DCFA as malignant. If the antigens verifier finds that an antigen's correlated counter
in MTList is greater than a certain threshold (t), then the input antigen is considered
malignant and is represented by a context equal to 1.
Consequently, the correlated routing packet will be considered an anomalous
packet. The routing protocol then drops the packet and does not respond to its source
node. Otherwise, PIR should be followed to activate anomaly detection by DCs for the
input antigen. The previous discussion indicates that PIR is activated only in two
cases. The first case is when the input antigen is not found in the MT-cells. The second
case is when the input antigen is found, but its existence counter is less than a certain
threshold.
collection stage is notified to collect the newly formulated gene. Fuzzy logic theory is
then applied by the DC to process the input signals in the collected gene list. The
output of the fuzzy system is provided as a crisp value. If this value exceeds a certain
fuzzy threshold, then the antigen is malignant and its context equals 1; otherwise, the
antigen is considered benign and its context is 0.
In DCFA, if the antigen's context is 0, the immature DC differentiates into a
semi-mature DC. However, if the context of the antigen is 1, the DC differentiates into
a mature DC. In both cases, after maturation, the DC immediately migrates to the
lymph node in adaptive immunity to control the immune response of an NT-cell from
the NT-Cells component. In the first case, the DC stimulates the NT-cell to
differentiate into an ST-cell; this differentiation is translated in DCFA by notifying
ST-Cells to check whether the benign antigen exists in MT-Cells and to decrement its
mac if so.
In the second case, the NT-cell differentiates into an MT-cell in the MT-Cells
component; this differentiation is reflected by initializing a new profile for the antigen
and its mac if the antigen is seen for the first time, or by incrementing the mac if it has
been seen before. In both cases, the stimulated NT-cell returns the antigen's context to
the antigens controller in the security monitor unit. Consequently, the antigens
controller returns the result (either 1 or 0) to the routing protocol that DCFA is
intended to secure. A result of 1 should be understood by the routing protocol as the
existence of an attack caused by the antigen's packet, and a result of 0 as its absence.
initialize DC;
call fuzzy logic system;
if fuzzy output > fuzzy threshold, then
    antigen context is 1;
    if antigen is not found in MTList
        add antigen to MTList;
        create antigen counter;
        antigen counter equals 1;
    else
        increment antigen's counter;
    end
else
    antigen context is 0;
    if antigen is found in MTList
        decrement antigen counter;
    end
end
Algorithm 2. PIR Pseudocode
5.3 DCFA PARTICULARS
DCFA specifications
Input: P and E
Output: c(a_i)
while RPQ != NULL do
    update P, E;
    foundTGList = foundMTList = false;
    initialize parameters {I, J, N};
    extract a_i;
    while i <= I do
        search a_i in TGList;
        if foundTGList = true, then
            while n <= N do
                search a_i in MTList;
                if foundMTList = true, then
                    if mac_n >= t, then
                        c(a_i) = 1;
                        mac_n++;
                        return c(a_i) to AC;
                    else
                        while j < J do
                            s_ij = o_ij(e_j);
                            store s_ij;   // overwrite the old value in GList_iJ
                            j++;
                        end
                        c(a_i) = PIR;
                        return c(a_i) to AC;
                    end
                else
                    n = n + 1;
                end
            end
        else
            i = i + j + 1;
        end
    end
    if foundTGList = false, then
        initialize GList_iJ;
        while j <= J do
            s_ij = o_ij(e_j);
            store s_ij;   // overwrite the old value in GList_iJ
            j++;
        end
        append GList_iJ;
        c(a_i) = PIR;
        return c(a_i) to AC;
    end
end
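Algorithms 1 and 2 above, rendered as one node's detector in Python (an added example, not the thesis's own code). The PIR verdict is injected as a callable so that the SIR path (MTList, mac counters and the threshold t) can be exercised on its own; the source address 10.0.0.7, the identity o_ij functions and the scripted PIR verdicts are constructed inputs, and the floor of mac at 0 is an assumption the thesis does not state.

```python
# Added example, not the thesis's own code: Algorithm 1 (SIR) and Algorithm 2
# (PIR) of DCFA as one node's detector. PIR is injected as a callable so the
# MTList / mac / threshold-t logic can be exercised without the fuzzy system.

class DCFANode:
    """DCFA running locally in one legitimate node (Section 5.2)."""

    def __init__(self, t, pir, effect_fns):
        self.t = t                    # threshold of antigen existence in MTList
        self.pir = pir                # callable(signals) -> context 1 or 0
        self.effect_fns = effect_fns  # o_ij: one function per packet effect e_j
        self.tglist = {}              # TGList: antigen a_i -> GList (signals s_ij)
        self.mtlist = {}              # MTList: malignant antigen -> mac counter
        self.pir_calls = 0            # how often the costly PIR path was taken

    def handle(self, packet):
        """Antigens controller: return c(a_i), 1 = anomalous, 0 = normal."""
        antigen = packet["src"]       # the antigen is the packet's source IP
        # Antigens verifier / SIR: a profiled antigen whose mac has reached t
        # is judged malignant at once, without sampling a new DC.
        if antigen in self.tglist and self.mtlist.get(antigen, 0) >= self.t:
            self.mtlist[antigen] += 1
            return 1
        # Otherwise compute the signals from the packet effects, (re)store the
        # gene in TGList and let a DC judge it through PIR.
        signals = [o(e) for o, e in zip(self.effect_fns, packet["effects"])]
        self.tglist[antigen] = signals
        return self._pir(antigen, signals)

    def _pir(self, antigen, signals):
        """Algorithm 2: DC verdict, then the NT-cell updates the MT-cells."""
        self.pir_calls += 1
        context = self.pir(signals)
        if context == 1:
            # NT-cell -> MT-cell: new profile with mac = 1, or mac incremented
            self.mtlist[antigen] = self.mtlist.get(antigen, 0) + 1
        elif antigen in self.mtlist:
            # NT-cell -> ST-cell: benign antigen already profiled, mac decremented
            # (floored at 0 here; the thesis does not define a negative mac)
            self.mtlist[antigen] = max(0, self.mtlist[antigen] - 1)
        return context


def replay(t, verdicts):
    """Feed one constructed source through a node whose PIR answers with the
    scripted verdicts in order; returns the reported contexts and the node."""
    it = iter(verdicts)
    node = DCFANode(t=t, pir=lambda signals: next(it, 0),
                    effect_fns=[lambda e: e, lambda e: e])  # identity o_ij (assumed)
    contexts = []
    for _ in verdicts:
        # constructed packet: source 10.0.0.7, effects e_0 = flooding rate,
        # e_1 = connection breaks (the two RREQ effects of Section 5.4)
        contexts.append(node.handle({"src": "10.0.0.7", "effects": [4, 2]}))
    return contexts, node


if __name__ == "__main__":
    # One wrong PIR verdict on a legitimate source, then five correct ones:
    # with t = 1 the first mistake is locked in by SIR and PIR never runs
    # again; with t = 5 the later benign verdicts undo it.
    for t in (1, 5):
        contexts, node = replay(t, [1, 0, 0, 0, 0, 0])
        print(f"t={t}: contexts={contexts}, PIR runs={node.pir_calls}, "
              f"MTList={node.mtlist}")
```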
Indices:
i = 0, ..., I: the index of antigens, input signal sets (S_i), DCs, genes and GLists.
j = 0, ..., J: the index of packet effects and input signals per GList.
n = 0, ..., N: the index of malignant antigens, malignant antigen counters and
malignant antigen profiles in the MT-cells list.
Table 5.2 DCFA data structure
Data structure and parameters: description
MTList: memory T-cells list; list of malignant antigen profiles (MT-cells) as pictured in Figure 5.3.
MAPList_n: malignant antigen profile list; the sub-list of MTList that represents profile n.
mac_n: malignant antigen counter in MAPList_n.
foundMTList: found in MTList.
t: the threshold of antigen existence in MTList.
TGList: total genes list.
foundTGList: found in TGList.
P: input packet.
e_j: input packet's effect number j.
E: set of packet effects, E = {e_j, e_(j+1), ..., e_J}.
a_i: input antigen i.
A: set of extracted input antigens, {a_i, a_(i+1), ..., a_I}.
c(a_i): context of a_i.
s_ij: computed input signal j correlated with a_i.
S_i: set of computed input signals of a_i, {s_ij, s_i(j+1), ..., s_iJ}; TGList in this case is graphically shown in Figure 5.4.
o_ij(e_j): output of e_j, which equals s_ij.
g_iJ: a gene that contains antigen a_i and J signals.
G: set of genes, {g_iJ, g_(i+1)J, ..., g_IJ}.
GList_iJ: a sub-list that represents g_iJ in TGList.
DC_iJ: a dendritic cell that samples g_iJ.
FLS(S_i): fuzzy logic system output for input S_i.
t_f: fuzzy threshold.
The same index value i should be assigned to a_i, S_i, g_iJ, DC_iJ and GList_iJ.
This association allows DCFA to prepare correct information on each antigen's behavior
for a correct intrusion detection judgment. The same explanation applies to the use of j
and n to index certain correlated entities for the achievement of accurate results.
5.3.2
This section clarifies how fuzzy logic theory is applied in Chapter VI to detect
flooding-based attacks. As depicted abstractly in Figure 5.5, S_i represents a complete
crisp input to the fuzzy logic system. FLS(S_i) represents the output signal of
processing the input signal set S_i, and t_f determines the type of output signal
obtained from FLS(S_i). In particular, if FLS(S_i) is greater than t_f, then FLS(S_i)
stands for the IL-12 signal, which indicates the maturation of DC_iJ into a mature DC.
Otherwise, FLS(S_i) represents the IL-10 signal, which points to producing a
semi-mature DC.
Figure 5.5 Fuzzy logic system: input signals (S_i) -> Fuzzification -> Fuzzy Inference (Fuzzy Rules) -> Defuzzification -> output signal (FLS(S_i))
The details of applying the fuzzy logic system components in Figure 5.5 are
illustrated below.
I. Fuzzification Stage
\[
\mu_{\mathrm{safe}}(x;\,0,1)=
\begin{cases}
1, & x \le 0,\\[2pt]
1-2x^{2}, & 0 < x \le \tfrac{1}{2},\\[2pt]
2(1-x)^{2}, & \tfrac{1}{2} < x < 1,\\[2pt]
0, & x \ge 1
\end{cases}
\tag{5.1}
\]

\[
\mu_{\mathrm{low\text{-}PAMP}}(x;\,0,3,7)=
\begin{cases}
\dfrac{x}{3}, & 0 \le x \le 3,\\[6pt]
\dfrac{7-x}{4}, & 3 < x \le 7,\\[6pt]
0, & \text{otherwise}
\end{cases}
\tag{5.2}
\]

\[
\mu_{\mathrm{high\text{-}PAMP}}(x;\,3,6)=
\begin{cases}
0, & x < 3,\\[2pt]
2\left(\dfrac{x-3}{3}\right)^{2}, & 3 \le x \le \tfrac{9}{2},\\[6pt]
1-2\left(\dfrac{x-6}{3}\right)^{2}, & \tfrac{9}{2} < x < 6,\\[6pt]
1, & x \ge 6
\end{cases}
\tag{5.3}
\]
The second variable, s_2, comprises two fuzzy input sets, low-danger and
high-danger, which are represented by z-shaped and s-shaped input membership
functions, respectively. The specifications of the z-shaped and s-shaped functions are
given in Formulas 5.4 and 5.5, respectively. Table 5.4 and Figure 5.7 show the
assignment of ranges and membership degrees for input variable s_2. As with s_1, s_2
may have a membership degree in both low-danger and high-danger or in only one of
them.
Table 5.4 Fuzzy sets of input variable s_2
s_2 parameters    Fuzzy sets
[0, 5]            low-danger
[1, 6]            high-danger
\[
\mu_{\mathrm{low\text{-}danger}}(x;\,0,5)=
\begin{cases}
1, & x \le 0,\\[2pt]
1-2\left(\dfrac{x}{5}\right)^{2}, & 0 < x \le \tfrac{5}{2},\\[6pt]
2\left(\dfrac{x-5}{5}\right)^{2}, & \tfrac{5}{2} < x < 5,\\[6pt]
0, & x \ge 5
\end{cases}
\tag{5.4}
\]

\[
\mu_{\mathrm{high\text{-}danger}}(x;\,1,6)=
\begin{cases}
0, & x < 1,\\[2pt]
2\left(\dfrac{x-1}{5}\right)^{2}, & 1 \le x \le \tfrac{7}{2},\\[6pt]
1-2\left(\dfrac{x-6}{5}\right)^{2}, & \tfrac{7}{2} < x < 6,\\[6pt]
1, & x \ge 6
\end{cases}
\tag{5.5}
\]
II. Defuzzification Stage
The fuzzy sets of the FLS(S_i) output variable are IL-10 and IL-12. Table 5.5 and
Figure 5.8 show the assignment of ranges and membership functions for the output
variable FLS(S_i), respectively. As depicted in Figure 5.8, t_f equals 6, which is the
midpoint of the overlapping area between the IL-10 and IL-12 output membership
functions. Based on Algorithms 2 and 4, if FLS(S_i) equals 4, the output signal is
IL-10, whereas if FLS(S_i) equals 6.6, the output signal is IL-12. This result is
concluded only after the aggregation of the produced output sets has been performed.
Table 5.5 Fuzzy sets of FLS(S_i) output variable
FLS(S_i) parameters    Fuzzy sets
[0, 4, 7]              IL-10
[5, 8, 12]             IL-12
Formulas 5.6 and 5.7 represent the membership functions of the IL-10 and IL-12 output
fuzzy sets, respectively.

\[
\mu_{\mathrm{IL\text{-}10}}(x;\,0,4,7)=
\begin{cases}
\dfrac{x}{4}, & 0 \le x \le 4,\\[6pt]
\dfrac{7-x}{3}, & 4 < x \le 7,\\[6pt]
0, & \text{otherwise}
\end{cases}
\tag{5.6}
\]

\[
\mu_{\mathrm{IL\text{-}12}}(x;\,5,8,12)=
\begin{cases}
\dfrac{x-5}{3}, & 5 \le x \le 8,\\[6pt]
\dfrac{12-x}{4}, & 8 < x \le 12,\\[6pt]
0, & \text{otherwise}
\end{cases}
\tag{5.7}
\]
The main function of the fuzzy inference stage is to map the input fuzzy sets of s_1
(safe, low-PAMP and high-PAMP) and s_2 (low-danger and high-danger) to the output
fuzzy sets (IL-10 and IL-12). Mapping is performed with six fuzzy rules and
Mamdani's (max-min) inference method. The following fuzzy rules are established
based on the strength of the input signals (safe, PAMP and danger signals).
RULE 1: IF (s_1 is safe) and (s_2 is low-danger), THEN (FLS(S_i) is IL-10).
RULE 2: IF (s_1 is safe) and (s_2 is high-danger), THEN (FLS(S_i) is IL-10).
RULE 3: IF (s_1 is low-PAMP) and (s_2 is low-danger), THEN (FLS(S_i) is IL-10).
RULE 4: IF (s_1 is low-PAMP) and (s_2 is high-danger), THEN (FLS(S_i) is IL-12).
RULE 5: IF (s_1 is high-PAMP) and (s_2 is low-danger), THEN (FLS(S_i) is IL-12).
RULE 6: IF (s_1 is high-PAMP) and (s_2 is high-danger), THEN (FLS(S_i) is IL-12).
The number of triggered rules depends mainly on the crisp values of the input
signals s_1 and s_2. The inference produced from f rules generates f output membership
functions.
5.4 A WORKED EXAMPLE
This worked example shows a sample calculation for processing only one input
antigen a_i, for the purpose of simplification and clarification. Figure 5.9 shows a
complete example of the application of fuzzy logic theory in this example. Assuming
that MTList and TGList are empty, the other elements are as follows:
I = 1: one input antigen, set of signals, activated DC, gene and GList are processed;
therefore i = 0.
A = {a_0}.
J = 2: two RREQ packet effects and two signals per GList are considered; therefore
j = 1.
N: its value depends on the resultant context of the input antigen.
t = 5: in this example it is negligible since MTList is empty.
E = {e_0, e_1}: the set of considered RREQ packet effects.
e_0 is the RREQ flooding rate.
e_1 is the number of times the connection breaks.
S_0 = {s_00, s_01}.
s_00 = o_00(e_0) = 4; given that s_00 = 4 has membership values in low-PAMP and
high-PAMP, which are calculated as in Table 5.1 and sketched in Figure 5.6, s_00
triggers rules 3, 4, 5 and 6.
s_01 = o_01(e_1) = 2; s_01 has membership values in two input membership functions,
low-danger and high-danger. The two sets are calculated according to the values in
Tables 5.2 and 5.3 and depicted in Figures 5.6 and 5.7. All six rules are triggered by
s_01.
G = {g_02}.
t_f = 6: fuzzy threshold.
Only four rules fire and produce four output membership functions. As shown in
Figure 5.9, for each rule the input membership function with the lower membership
value is taken in Mamdani's method to produce the corresponding output membership
function. The output membership functions are then aggregated with the max operator
of Mamdani's method. Finally, the centroid equation is employed to calculate the final
crisp value FLS(S_0), represented by a red line in the aggregate function. In this
example, FLS(S_0) = 5.05, which is less than t_f = 6, meaning that the related antigen
is benign and its packet is normal.
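The fuzzy logic system of Section 5.3.2 carried through on this worked example, as an added Python example that is not the thesis's code: membership functions (5.1) to (5.7), the six rules with Mamdani min inference, max aggregation and centroid defuzzification. The numerical grid used for the centroid is my choice; run on s_00 = 4 and s_01 = 2 it reproduces FLS(S_0) of about 5.05 and a context of 0.

```python
# Added example, not the thesis's own code: the DCFA fuzzy logic system of
# Section 5.3.2 (membership functions (5.1)-(5.7), the six rules with
# Mamdani min inference, max aggregation and centroid defuzzification),
# run on the worked example of Section 5.4.

def zmf(x, a, b):
    """Z-shaped membership function, as used for safe and low-danger."""
    if x <= a:
        return 1.0
    if x <= (a + b) / 2:
        return 1.0 - 2.0 * ((x - a) / (b - a)) ** 2
    if x < b:
        return 2.0 * ((x - b) / (b - a)) ** 2
    return 0.0


def smf(x, a, b):
    """S-shaped membership function, as used for high-PAMP and high-danger
    (the mirror image of the z-shaped one with the same parameters)."""
    return 1.0 - zmf(x, a, b)


def trimf(x, a, b, c):
    """Triangular membership function, as used for low-PAMP, IL-10 and IL-12."""
    if x <= a or x >= c:
        return 0.0
    if x <= b:
        return (x - a) / (b - a)
    return (c - x) / (c - b)


# Input fuzzy sets of s1 (PAMP axis) and s2 (danger axis, Table 5.4)
S1_SETS = {
    "safe":      lambda x: zmf(x, 0, 1),        # formula (5.1)
    "low-PAMP":  lambda x: trimf(x, 0, 3, 7),   # formula (5.2)
    "high-PAMP": lambda x: smf(x, 3, 6),        # formula (5.3)
}
S2_SETS = {
    "low-danger":  lambda x: zmf(x, 0, 5),      # formula (5.4)
    "high-danger": lambda x: smf(x, 1, 6),      # formula (5.5)
}
# Output fuzzy sets of FLS(S_i) (Table 5.5)
OUT_SETS = {
    "IL-10": lambda x: trimf(x, 0, 4, 7),       # formula (5.6)
    "IL-12": lambda x: trimf(x, 5, 8, 12),      # formula (5.7)
}
# RULE 1 .. RULE 6 of the fuzzy inference stage: (s1 set, s2 set) -> output set
RULES = [
    ("safe",      "low-danger",  "IL-10"),
    ("safe",      "high-danger", "IL-10"),
    ("low-PAMP",  "low-danger",  "IL-10"),
    ("low-PAMP",  "high-danger", "IL-12"),
    ("high-PAMP", "low-danger",  "IL-12"),
    ("high-PAMP", "high-danger", "IL-12"),
]
T_F = 6.0      # fuzzy threshold t_f (Figure 5.8)
X_MAX = 12.0   # upper end of the output universe (IL-12 ends at 12, Table 5.5)


def fire_rules(s1, s2):
    """Firing strength of each rule (in RULES order) for crisp s1 and s2,
    using Mamdani's min for the AND of the two antecedents."""
    return [(out, min(S1_SETS[a](s1), S2_SETS[b](s2))) for a, b, out in RULES]


def fls(s1, s2, step=0.001):
    """Crisp FLS(S_i): clip each output set at its rule strength, aggregate
    with max, then take the centroid. The centroid is computed numerically on
    a grid of width `step` over [0, X_MAX]; the grid is my choice."""
    strength = {}
    for out, w in fire_rules(s1, s2):
        strength[out] = max(strength.get(out, 0.0), w)
    num = den = 0.0
    for k in range(int(X_MAX / step) + 1):
        x = k * step
        mu = max(min(OUT_SETS[o](x), w) for o, w in strength.items())
        num += x * mu
        den += mu
    return num / den if den else 0.0


def dc_context(s1, s2):
    """Context of the antigen: 1 (IL-12, mature DC) if FLS(S_i) > t_f, else 0."""
    return 1 if fls(s1, s2) > T_F else 0


if __name__ == "__main__":
    # Section 5.4: s_00 = 4 (RREQ flooding rate effect), s_01 = 2 (connection
    # breaks effect). Rules 1 and 2 fire with strength 0 because safe(4) = 0.
    for (a, b, out), (_, w) in zip(RULES, fire_rules(4, 2)):
        print(f"{a:9s} & {b:11s} -> {out}: {w:.4f}")
    print(f"FLS(S_0) = {fls(4, 2):.2f}, context = {dc_context(4, 2)}")  # 5.05, 0
```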
5.5 SUMMARY
DCFA was described in two ways in this chapter. Firstly, a generic explanation of the
DCFA model components and their interaction with one another was introduced.
Secondly, the implementation details of the DCFA data structures and parameters, as
well as the details of the applied fuzzy system, were carefully explained.
The generality of the DCFA model design opens the door for researchers to
apply its functions to detect different types of attacks, even those implemented over
different types of networks. Moreover, the clear description of the DCFA processes
applied in each component serves as a blueprint for the simulation and implementation
of an intrusion detection system. The interaction capability between DCFA and the
outer routing protocol indicates that DCFA can be plugged into any routing protocol to
make it robust and secure.
Although fuzzy logic is mainly used to process antigens and signals in each
DC, DCFA depends more on the danger theory-based artificial immune system (AIS).
Firstly, the way antigens and each antigen's related signals are received and collected
follows the AIS. Secondly, the strength and weakness of each antigen's related signals
(PAMP, danger, inflammation and safe signals) are determined according to concepts
and principles of the human immune system (HIS). Thirdly, the activation of both the
primary immune response (PIR) pathway and the secondary immune response (SIR)
pathway is done according to AIS concepts inspired by the HIS. Fuzzy logic theory, by
contrast, is applied only to process the information fusion that results from DCs
receiving multiple antigens and signals, and to help conclude accurate results for the
antigen context. Finally, fuzzy logic is applied only when the PIR pathway is
activated; the SIR pathway, taken when memory T-cells are activated, does not use it.
Based on that, the proposed DCFA shares little of its scope with the pure fuzzy
logic-based IDSs previously proposed in the literature. Also, most of the IDSs proposed
in previous works use fuzzy logic theory as an assistant system to another intelligent
system, such as neural networks, genetic algorithms, swarm computing or data mining.
Therefore, in our research we use fuzzy logic as a secondary system with the AIS in a
hybrid intelligent system.
CHAPTER VI
6.1 INTRODUCTION
The verification performed in this chapter aims to demonstrate the feasibility of DCFA
to detect a flooding-based attack, namely, RCA over MANET. The simulation
scenarios are designed to prove not only the detection capability of DCFA but also its
ability to achieve high performance in both security and network metrics.
Five security metrics, namely, false positive, true negative, false negative, true
positive and accuracy rates, are examined in this chapter. Nine network performance
metrics operating in DCFA are also investigated. These metrics are throughput,
end-to-end delay, total energy consumed, energy consumed in transmit mode, energy
consumed in receive mode, energy consumed in idle mode, number of RREQs retried
and number of initiated RREPs.
6.2 EXPERIMENTAL SETTINGS
Security and network performance metrics are examined in two main scenarios:
scenario C and scenario D. The scenarios share the following experimental settings:
they implement the simulation over 30 legitimate nodes with radio range of 250 m and
60 s simulation time. The attackers in these scenarios are located randomly and
initialize their intrusion from the first second of the simulation time until the last.
Two CBRs are placed under the effect of RCA: CBR-1 and CBR-2. Each CBR
has a separate source and destination nodes. Hence, there are two source nodes and
two destination nodes. CBR-1 begins the connection from the first second of the
simulation time. However, CBR-2 begins its connection at time 30 s of the simulation.
The two CBRs end at 60 s. The other fixed simulation parameters are listed in Table
3.5.
The security performance metrics are examined with two versions of DCFA,
namely, DCFA1 and DCFA5. A comparison is made between the two versions in
terms of the effect of RCA. The network performance metrics of DCFA1, DCFA5 and
AODV are compared. The main difference between DCFA1 and DCFA5 is the value
of threshold t. In DCFA1, t equals 1; in DCFA5, t equals 5. The effect of t value is
elaborated in this chapter for two reasons. Firstly, t represents the critical point which
directs DCFA to an appropriate path (PIR and SIR) to make a decision on the context
of the input antigen.
Secondly, when mac_n exceeds t, a_n is always considered malignant. The
importance of the t value lies in giving the input antigen a number of opportunities to
be tested by PIR. After a certain number of tests has been exceeded, the input antigen's
context is taken as confirmed each time it is faced by DCFA. This means that if the
value of t is too small, the input antigen will be given only one opportunity to be
tested by PIR. Consequently, if PIR concludes a wrong judgment for the input antigen,
this will lead to high false positive rates in the intrusion detection results.
Conversely, if the value of t is too large, the input antigen will be given more
than enough opportunities to be tested by PIR; however, this renders SIR in DCFA
insignificant, since SIR is meant to avoid the time spent on PIR each time the same
antigen is received. For that reason, the t value should be carefully selected based on
the results obtained from numerous experimental tests. In the following sections, the
security performance metrics are tested in both DCFA1 and DCFA5 to reveal the
importance of the t value. The
Figures 6.1(a) and 6.2(a) show the effect of varying the number of attackers on the
false positive and true negative rates, respectively, for DCFA1 and DCFA5. As the
number of attackers increases, the false positive rate decreases for both versions of
DCFA (Figure 6.1(a)). Conversely, as the number of attackers increases, the true
negative rate increases for both versions of DCFA (Figure 6.2(a)).
Figure 6.1 Effect of the number of attackers on false positive rate. (a) varying the number of attackers, (b) the average of false positive rate
Figure 6.2 Effect of the number of attackers on true negative rate. (a) varying the number of attackers, (b) the average of true negative rate
This result is attributed to the high number of legitimate nodes that trigger
RULE 4 on the RREQs received from legitimate source nodes when the number of
attackers is small. In detail, when the number of applied attackers is small (e.g., 2),
flooding by the attackers causes high numbers of connection breaks, thereby
activating the high-danger input membership function in the fuzzy system of DCFA in
each legitimate node (especially the nearby nodes). The numerous connection breaks
caused by RCA cause the source nodes to retry broadcasting RREQs toward the
destination nodes for two reasons. Firstly, the numerous connection breaks may
prevent the destination nodes from receiving RREQ packets from the source nodes.
Secondly, numerous connection breaks may prevent the source nodes from receiving
RREPs from the destination nodes.
This situation causes the source nodes to continuously retry broadcasting
RREQ packets, which, according to the AODV protocol setting (Perkins & Royer
1999), can result in an RREQ broadcast rate of 4 RREQ/s in the worst case.
Consequently, the low-PAMP membership function is activated, which leads to the
input antigen's context being considered malignant and its related DC mature. This
conclusion for the DC causes DCFA to wrongly consider the related RREQ as a packet
from an
attacker. The same explanation applies to Figure 6.2(a), which presents a low true
negative rate (the complement of the false positive rate) when the number of attackers
is small. The decrease in the false positive rate and the increase in the true negative
rate as the number of attackers grows are due to the strong competition of the attackers
for the links of the legitimate nodes. The heavily flooded fake RREQs compete strongly
with the retried RREQs broadcast by legitimate source nodes when the number of
attackers increases. This prevents the normal retried RREQs from reaching a high
number of legitimate nodes, which lowers the high false positive and low true negative
rates that their processing by RULE 4 generates in the legitimate nodes' DCFAs.
DCFA5 continues to exhibit lower false positive and higher true negative rates
in almost all cases with various numbers of attackers. Figures 6.1(a) and 6.2(a)
indicate that high false positive and low true negative rates are recorded when the
number of attackers is 2. Under the effect of 2 attackers in Figures 6.1(a) and 6.2(a),
DCFA5 outperforms DCFA1 by 72% and 13%, respectively. Figures 6.1(b) and 6.2(b)
show the average of false positive and true negative rates, respectively, under the
effect of different numbers of attackers (2, 4, 6, 8 and 10). In the two figures, DCFA5
scores higher security performance than DCFA1. DCFA5 outperforms DCFA1 in
Figures 6.1(b) and 6.2(b) by 65% and 5%, respectively.
In Figure 6.3(a), the false negative rate for both DCFA5 and DCFA1 decreases
as the number of attackers increases. Conversely, in Figure 6.4(a), the true positive
rate (complement of false negative) for both DCFA versions increases as the number
of attackers increases. A false negative problem is generated by the legitimate nodes
located far from the location of attackers and receiving faked RREQs at a low rate. In
this case, a legitimate node may receive bogus RREQs at a rate of 1 RREQ/s, 2
RREQs/s, or 3 RREQs/s depending on the distance between the location of the
affected legitimate node and the location of the attackers in the network. If the distance
between a legitimate node and an attacker is large, faked RREQs will be received by
the legitimate node at a low rate.
Figure 6.3 Effect of the number of attackers on false negative rate. (a) varying the
number of attackers, (b) the average of false negative rate
Figure 6.4 Effect of the number of attackers on true positive rate. (a) varying the
number of attackers, (b) the average of true positive rate
Two scenarios may occur at this point. Firstly, a legitimate node may receive faked
RREQs at a rate of 1 RREQ/s and is not affected by the flooding caused by the attackers
owing to the large distance between them. Secondly, a legitimate node may receive
forged RREQs at a rate of 2 RREQs/s or 3 RREQs/s. Considering that the node is far
from the flooding area, it will not suffer from numerous connection breaks. Therefore,
the legitimate node will trigger RULE 3 in this scenario and the faked RREQ will be
wrongly considered normal. When the number of attackers increases, the network area
affected by their flooding widens. Consequently, the connection breaks will affect more
legitimate nodes, especially those nearer to the attackers' locations. Therefore, the
number of legitimate nodes that apply RULE 3 will be reduced. This explains the
inverse relationship between the false negative rate and the number of applied attackers,
and the positive relationship between the true positive rate and the number of attackers,
in the results. DCFA5 clearly outperforms DCFA1 under all numbers of attackers, as
shown in Figures 6.3(a), 6.3(b), 6.4(a) and 6.4(b). In Figures 6.3(a) and 6.4(a), DCFA5
outperforms DCFA1 by 44% and 0.8%, respectively, under the effect of 2 attackers. On
average, DCFA5 outperforms DCFA1 by 43% and 0.4% in Figures 6.3(b) and 6.4(b),
respectively.
As exhibited by the percentages of the differences between DCFA5 and
DCFA1 results, DCFA5 outperforms DCFA1 with high percentages in lower false
positive and false negative rates. DCFA5 also outperforms DCFA1 with low
percentages in higher true negative and true positive rates. This result is expected
because false positive and false negative rates are complements of true negative and
true positive rates, respectively.
The resulting accuracy rates of the four security performance metrics are shown in
Figure 6.5. As the number of attackers increases, the accuracy, true positive and true
negative rates increase, while both the false positive and false negative rates decrease.
Increasing the number of attackers increases the flooding rate and the area of the
network covered by the flooding, which helps the legitimate nodes to prepare correct
information on the attackers' behaviors and to make a correct decision about each
attacker. Figures 6.1, 6.2, 6.3, 6.4 and 6.5 indicate that the security performance of
DCFA5 is better than that of DCFA1 under different numbers of attackers.
Figure 6.5 Effect of the number of attackers on accuracy rate. (a) varying the number
of attackers, (b) the average of accuracy rate
6.3.2
Unlike DCFA1 and AODV, DCFA5 exhibits high resistance against the increase in the
number of attackers. The low false positive and false negative rates of DCFA5 make it
robust under the effect of a high number of attackers. However, the high false positive
and false negative rates of DCFA1 make its throughput degradation worse than that of
AODV, because the high false positive rate of DCFA1 suppresses communication
among normal nodes. The false negative rate of DCFA1 also presents another obstacle
to initiating a route between the legal source and destination nodes. Figure 6.6(b)
confirms that DCFA5 outperforms DCFA1 and AODV; each column represents the
average throughput under the effect of different numbers of attackers.
Figure 6.6 Effect of the number of attackers on throughput. (a) varying the number of
attackers, (b) the average of throughput
Figure 6.7 depicts the effect of varying the number of attackers on the end-to-end delay
of DCFA5, DCFA1 and AODV. DCFA5 exhibits the lowest end-to-end delay under all
numbers of attackers, whereas DCFA1 exhibits the highest. The difference between the
increase in end-to-end delay for DCFA5 and that for DCFA1 under the effect of 10
attackers is approximately 88%, whereas that between DCFA5 and AODV is
approximately 78.5%. Also, under the effect of 10 attackers (worst case), DCFA5,
DCFA1 and AODV exhibit increases in end-to-end delay of 40%, 91% and 89.4%,
respectively, compared with the normal case for each protocol. Additionally, Figure
6.7(a) shows that the increase in end-to-end delay in DCFA1 is larger than that in AODV
under various numbers of attackers, which can be attributed to the high false positive
rate of DCFA1. Figure 6.7(b) shows the average end-to-end delay under all numbers of
attackers for each protocol and confirms that DCFA5 outperforms DCFA1 and AODV.
Figure 6.7 Effect of the number of attackers on end-to-end delay. (a) varying the
number of attackers, (b) the average of end-to-end delay
Figure 6.8 confirms that DCFA achieves its main goal, which is to significantly decrease
the energy that legitimate nodes consume when RCA exploits them to rebroadcast faked
RREQs. The results reveal the difference between the energy consumed in transmit mode
by legitimate nodes in AODV and that consumed in transmit mode in DCFA1 and
DCFA5. Figure 6.8(a) indicates that in the worst case (under the effect of 10 attackers),
the energy consumed in transmit mode when DCFA5 is applied decreases by 97%
compared with the energy consumed when AODV alone is applied, and the energy
consumed in transmit mode when DCFA1 is applied decreases by 98.8%. Figure 6.8(b)
shows the average energy consumed in transmit mode for each protocol under different
numbers of attackers. The average energy consumed in transmit mode when DCFA5 and
DCFA1 are applied decreases by 95% and 98%, respectively, compared with the average
energy consumed in transmit mode when AODV alone is applied.
Figure 6.8 Effect of the number of attackers on energy consumed in transmit mode.
(a) varying the number of attackers, (b) the average of energy consumed in
transmit mode
Just as DCFA protects transmitting legitimate nodes from consuming their own energy
in transmitting faked RREQs, it also protects receiving legitimate nodes from wasting
energy in receiving spurious packets. Figure 6.9 supports this. In Figure 6.9(a), the
energy consumed in receive mode in DCFA5 and DCFA1 is approximately 90% and
91% lower, respectively, than the energy consumed by AODV under the effect of 10
attackers. Likewise, the average energy consumed in receive mode in DCFA5 and
DCFA1 is 89.8% and 91.3% lower, respectively, than that in AODV, as shown in
Figure 6.9(b).
Figure 6.9 Effect of the number of attackers on energy consumed in receive mode. (a)
varying the number of attackers, (b) the average of energy consumed in
receive mode
Consistently, Figure 6.10 shows that DCFA succeeds in keeping a high number of
legitimate nodes idle, unlike the case of leaving AODV flooded by RCA without
protection. The energy consumed by the idle legitimate nodes when DCFA5 and DCFA1
are applied under the effect of 10 attackers is approximately 22% and 22.3% less,
respectively, than that consumed by idle legitimate nodes that apply AODV alone
(Figure 6.10(a)). Figure 6.10(b) also shows that DCFA5 and DCFA1 outperform AODV
by 13.23% and 13.45%, respectively, in terms of the average energy consumed by idle
nodes under various numbers of attackers.
Figure 6.10 Effect of the number of attackers on energy consumed in idle mode. (a)
varying the number of attackers, (b) the average of energy consumed in
idle mode
The total energy consumed by legitimate nodes in Figures 6.11(a) and 6.11(b) is
calculated using Equation 3.5. The results are consistent with those in Figures 6.8, 6.9
and 6.10. DCFA1 and DCFA5 also outperform AODV in terms of the total energy
consumed under various numbers of attackers. By applying DCFA5 and DCFA1,
legitimate nodes only need to increase their total energy consumed by 5.4% and 3.5%,
respectively, to resist the effect of 10 attackers, whereas with 10 attackers and AODV
alone, legitimate nodes are obliged to increase their energy consumption by 52%
compared with the normal case. DCFA5 and DCFA1 maintain approximately 50% and
51% of the legitimate nodes' energy compared with the energy consumed when AODV
alone is applied under the effect of 10 attackers (Figure 6.11(a)). The difference between
the average total energy consumed in the DCFA5 and DCFA1 protocols and that
consumed in the AODV protocol is 39.5% and 38.8%, respectively (Figure 6.11(b)).
However, the lower energy consumption of DCFA1 compared with DCFA5 is not an
advantage, because the difference is attributed to the excessive suppression by DCFA1
of both legitimate and attacker nodes.
Figure 6.11 Effect of the number of attackers on total energy consumed. (a) varying
the number of attackers, (b) the average of total energy consumed
Figures 6.12(a) and 6.12(b) reveal that the difference in the number of retried RREQs
among DCFA1, DCFA5 and AODV is not large. As the number of attackers increases,
the number of retried RREQs increases in all three protocols. However, DCFA5
continues to outperform DCFA1 and AODV by exhibiting the lowest number of retried
RREQs. Under the effect of 10 attackers, the number of retried RREQs required by
DCFA5 is approximately 17.3% and 15.5% lower than the number required by AODV
and DCFA1, respectively.
Figures 6.13(a) and 6.13(b) illustrate very clearly how DCFA (DCFA1 and DCFA5)
suppresses the huge number of spurious RREQs. The results show that when AODV
alone is applied, the legitimate nodes are forced to reply to a massive number of forged
RREQs and therefore indirectly overload the network with unnecessarily initiated
RREPs. Without either DCFA version, the legitimate nodes are forced to initiate more
RREPs as the number of attackers increases.
In Figure 6.13(a), under the effect of 10 attackers, the number of initiated RREPs
increases by 99.9% compared with the normal case, whereas it increases by only 32.1%
and 39.8% when DCFA5 and DCFA1 are applied, respectively. Moreover, the
vulnerability of AODV to RCA causes the average number of initiated RREPs to
increase by 99% and 99.33% compared with DCFA1 and DCFA5, respectively.
Figure 6.12 Effect of the number of attackers on the retried RREQs. (a) varying the
number of attackers, (b) the average of retried RREQs
Figure 6.13 Effect of the number of attackers on the initiated RREPs. (a) varying the
number of attackers, (b) the average of initiated RREPs
6.4
Scenario D examines varying attackers' radio ranges (200, 250, 300, 350 and 400 m).
Four attackers with a flooding rate of 30 RREQ/s are simulated in all the experiments
for this scenario.
6.4.1
As shown in Figures 6.14 and 6.15, varying the radio range of the four attackers has a
significant impact on the difference between the false positive and true negative rates
recorded by DCFA1 and DCFA5. The false positive rate results mainly from the
triggering of RULE 4 by the legitimate nodes' DCFA. A small attacker radio range
provides more chances for RULE 4 to be triggered, because as the attackers increase
their radio range they increase their control of, and competition for, the link. The
resultant control and competition prevent one of the RULE 4 premises, low-PAMP,
from being fulfilled.
Figure 6.14 Effect of the attackers' radio range on false positive rate. (a) varying radio range, (b) the average of false positive rate
Figure 6.15 Effect of the attackers' radio range on true negative rate. (a) varying radio range, (b) the average of true negative rate
Although the false positive rates of both DCFA1 and DCFA5 decrease as the radio
range increases, DCFA5 shows lower false positive rates at all the applied radio ranges
(Figure 6.14(a)). At a radio range of 200 m, DCFA5 records a false positive rate that is
79% less than that exhibited by DCFA1. Consistently, in Figure 6.15(a), DCFA5
outperforms DCFA1 at all radio ranges; at a radio range of 200 m, DCFA5 records a
true negative rate that is 13.7% greater than that recorded by DCFA1. Referring to
Figure 6.14(b), the average false positive rate recorded by DCFA5 over all radio ranges
is 88.6% lower than that recorded by DCFA1. Also, as in Figure 6.15(b), the average
true negative rate recorded by DCFA5 is 8.8% higher than that recorded by DCFA1.
The general behavior of the false negative rate under increasing attacker radio range in
Figure 6.16(a) is similar to that of the false positive rate in Figure 6.14(a). However, the
false negative rate for DCFA1 is 51.5% higher than that for DCFA5 at a radio range of
200 m.
Moreover, the true positive rate in Figure 6.17(a) exhibits the same behavior as the true
negative rate in Figure 6.15(a), even though the difference between DCFA5 and DCFA1
is only 0.8% at a radio range of 200 m. Increasing the radio range increases the flooding
rates of the attackers and the area of the network under their control. Consequently, the
connection breaks threaten more legitimate nodes, so the number of legitimate nodes
that apply RULE 3 decreases, and the average false negative rate recorded at a given
radio range by all legitimate nodes' DCFAs in the network likewise decreases. In Figure
6.16(b), DCFA5 outperforms DCFA1 by 59.7% in terms of average false negative rate.
However, in Figure 6.17(b), only a minimal difference is observed between DCFA5 and
DCFA1 in terms of recorded true positive rate.
Figure 6.16 Effect of the attackers' radio range on false negative rate. (a) varying radio range, (b) the average of false negative rate
Figure 6.17 Effect of the attackers' radio range on true positive rate. (a) varying radio range, (b) the average of true positive rate
The resulting accuracy rate in Figure 6.18 is consistent with the results in Figures 6.15
and 6.17. Although the effects of the true positive and true negative results appear
clearly in the accuracy rate, DCFA5 maintains a high accuracy rate at all radio ranges.
In general, the more the attackers increase their power and control, the more correct
results DCFA achieves.
Figure 6.18 Effect of the attackers' radio range on accuracy rate. (a) varying radio range, (b) the average of accuracy rate
6.4.2
Figure 6.19 confirms the capability of DCFA5 to secure a MANET efficiently even
when it has been penetrated by attackers with high radio ranges. This capability is
degraded when DCFA1 is applied, and its throughput reaches zero at radio ranges of
350 m and 400 m. The efficiency of DCFA1 is reduced by high-radio-range attackers
more than that of AODV, which is attributed to the high false positive and false
negative rates of DCFA1 together with the significant effect of attackers with high
radio ranges.
Numerically, about 100% of the DCFA1 throughput at a radio range of 200 m is lost at
radio ranges of 350 m and 400 m. Also, attackers with a 400 m radio range diminish
about 96.9% of the throughput of AODV. However, DCFA5 loses only 12.3% of its
throughput at a radio range of 400 m compared with a radio range of 200 m. When the
throughput of the three protocols at a radio range of 400 m is compared, the throughput
of DCFA5 is 100% and 98% higher than that of DCFA1 and AODV, respectively
(Figure 6.19(a)). Additionally, the average throughput achieved by DCFA5 is
approximately 83.4% and 72.7% higher than the average throughput of DCFA1 and
AODV, respectively, as shown in Figure 6.19(b).
Figure 6.19 Effect of the attackers' radio range on throughput. (a) varying radio range, (b) the average of throughput
In Figure 6.20, DCFA5 maintains approximately the same end-to-end delay at all radio
ranges, whereas DCFA1 and AODV are dramatically affected by the increase in the
attackers' radio range. DCFA1 becomes inefficient at radio ranges of 350 m and 400 m,
where the end-to-end delay approaches infinity. The high false positive rate of DCFA1
makes the initiation of shortest-path routes rare and very limited, causing a high increase
in end-to-end delay at radio ranges of 250 m and 300 m; the long, non-optimal routes
that are initiated cannot withstand attackers with radio ranges of 350 m and 400 m. At a
radio range of 300 m, the end-to-end delay for DCFA1 increases by about 76.5%
compared with the end-to-end delay at a radio range of 200 m. AODV increases its
end-to-end delay by 89.5% at a radio range of 400 m. However, the difference between
the end-to-end delay values for DCFA5 at radio ranges of 200 m and 400 m is
negligible.
Figure 6.21 Effect of the attackers' radio range on energy consumed in transmit mode. (a) varying radio range, (b) the average of energy consumed in transmit mode
Figure 6.22 Effect of the attackers' radio range on energy consumed in receive mode. (a) varying radio range, (b) the average of energy consumed in receive mode
Figure 6.23 depicts the effect of RCA attackers notifying AODV legitimate nodes as
they increase their radio ranges and control. Figure 6.23(a) also shows how DCFA
prevents the legitimate nodes from responding to RCA attackers. A positive relationship
exists between the energy consumed in idle mode and the increase in the attackers'
radio range, resulting from the resistance of DCFA against RCA. AODV consumes
approximately 31.89% and 31.83% less energy in idle mode than DCFA1 and DCFA5,
respectively (Figure 6.23(b)).
The total energy consumed by the legitimate nodes of AODV, DCFA1 and DCFA5 at
various radio ranges is shown in Figure 6.24(a). The total energy consumed by the
AODV nodes increases as the radio range increases, whereas only a slight increase is
observed in the total energy consumed by the legitimate nodes of DCFA. At a radio
range of 400 m, DCFA1 and DCFA5 reduce the total energy consumed by 62.48% and
62.3%, respectively, compared with AODV. The average total energy consumed over
all radio ranges is reduced in DCFA5 and DCFA1 by 56.6% and 56.7%, respectively,
compared with AODV, as shown in Figure 6.24(b).
Figure 6.23 Effect of the attackers' radio range on energy consumed in idle mode. (a) varying radio range, (b) the average of energy consumed in idle mode
Figure 6.24 Effect of the attackers' radio range on total energy consumed. (a) varying radio range, (b) the average of total energy consumed
As shown in Figure 6.25(a), AODV source nodes are forced to retry broadcasting
RREQs many times to initiate a successful route to the required destination. As the
attackers' radio ranges increase, the retried RREQs also increase steadily. The DCFA1
source nodes are forced to retry broadcasting RREQs under the pressure of both high
false positive rates and the attack.
At radio ranges of 200 m and 250 m, the DCFA1 source nodes initiate more retried
RREQs than the AODV source nodes. At radio ranges of 300 m, 350 m and 400 m, the
number of retried RREQs initiated by DCFA1 becomes fixed and is less than that
initiated by the AODV source nodes. DCFA5 outperforms DCFA1 and AODV in
reducing the number of retried RREQs. As shown in Figure 6.25(b), DCFA5 diminishes
the required retried RREQs by 15% and 16% compared with DCFA1 and AODV,
respectively.
Figure 6.25 Effect of the attackers' radio range on the retried RREQs. (a) varying radio range, (b) the average of retried RREQs
Figures 6.26(a) and 6.26(b) show the ability of DCFA to spare legitimate nodes from
responding to faked requests sent by RCA attackers. The AODV legitimate nodes are
forced to reply to the attackers' continuous floods of RREQs; therefore, AODV is
overloaded with numerous initiated RREPs compared with DCFA1 and DCFA5, and
this RREP overload increases as the radio range of the attackers increases. The results
presented in Figure 6.26(b) indicate that the average number of RREPs initiated by the
AODV legitimate nodes is 99.7% and 99.8% higher than in DCFA5 and DCFA1,
respectively. The average number of RREPs initiated by the DCFA1 legitimate nodes is
less than that initiated by the DCFA5 legitimate nodes. This result is attributed to the
long routes that are rarely initiated when DCFA1 is applied: the long routes prevent
most of the source nodes' RREQs from reaching the required destination, so fewer
RREP packets are initiated in response to the received RREQs.
Figure 6.26 Effect of the attackers' radio range on the initiated RREPs. (a) varying radio range, (b) the average of initiated RREPs
6.5
In this section, DCFA is compared with three up-to-date, previously proposed AIS-based
algorithms from the literature review. These algorithms share with DCFA the main
objective of developing an AIS-based intrusion detection algorithm with the highest
performance scores. As shown in Table 6.1, seven comparison metrics have been
studied: the detected attacks in a specific area, the studied network performance metrics,
the highest improvement (IP) ratio achieved for each studied network performance
metric according to the experiment environment of each study, the studied security
performance metrics, the best ratio achieved for each security metric, the strengths and
the limitations of each study.
Table 6.1

Detected attacks: Flooding-based attacks over network layer in MANET (DCFA); wormhole attacks over MAC layer in WSN (one of the compared algorithms; the remaining cells of this row did not survive extraction).

DCFA, 2014
  Network metrics: TP, ETED, EC, RO
  IP ratio (%): 98, 100, 62.3, 99.3
  Security metrics: FP, FN, TP, TN, A
  Best ratio (%): 1, 0.4, 99.6, 99, 99.2
  Strengths:
  - Making association between an antigen and its related signals.
  - Utilizing danger and fuzzy logic theories.
  - Combining between anomaly-based and signature-based ID.
  Limitations:
  - No security cooperation between nodes.

ABIDs, 2012
  Network metrics: NA
  IP ratio (%): NA
  Security metrics: MCAV
  Best ratio (%): 1
  Strengths:
  - Utilizing danger theory and Agent-based models.
  Limitations:
  - No security cooperation between nodes.
  - Network and most security performance metrics are not studied.

SNAIS, 2010
  Network metrics: TP
  IP ratio (%): 0.5
  Security metrics: FP, FN, TP, TN, A
  Best ratio (%): 48, 52, 99, 4.84, 85.51
  Strengths:
  - Utilizing danger theory.
  - Depending on empirically concluded equation and weighting values.
  Limitations:
  - High false negative and low true positive.
  - The second stage in SNAIS is energy inefficient.

CIA, 2010
  Network metrics: NA
  IP ratio (%): NA
  Security metrics: FP
  Best ratio (%): 4
  Strengths:
  - Utilizing co-stimulation concept in HIS.
  Limitations:
  - The security cooperation between nodes is not authenticated.
  - Network performance metrics and most of the security performance metrics are not tested.

TP: throughput, ETED: end-to-end delay, EC: energy consumption, RO: routing overhead, NA: not applicable, MCAV: mature context antigen value, FP: false positive, FN: false negative, TP: true positive, A: accuracy.
In addition, the best ratios achieved for false positive, false negative, true positive, true
negative and accuracy are 1%, 0.4%, 99.6%, 99% and 99.2%, respectively. This
comparison clearly shows that DCFA outperforms the highlighted previous works.
6.6 SUMMARY
Security and network performance were tested in this chapter for two versions of
DCFA, namely, DCFA1 and DCFA5. Testing was performed to show the importance
of the value of the t threshold. If an input antigen is considered malignant in DCFA1,
the same judgment is applied at each subsequent appearance of the antigen to the
algorithm, without any chance of new testing. In DCFA5, however, an input antigen is
tested five times; only after that can its context be considered malignant for future
appearances. The conducted experiments show that the difference between DCFA5 and
DCFA1 in terms of false positive and false negative rates is greater than the difference
between the two in terms of true positive and true negative rates. DCFA5 outperforms
DCFA1 in almost all the tested performance metrics.
AODV, DCFA1 and DCFA5 were also compared through a set of experiments that test
certain network performance metrics, namely throughput, end-to-end delay, energy
consumed in transmit mode, energy consumed in receive mode, energy consumed in
idle mode, total energy consumed, number of initiated retried RREQs and number of
initiated RREPs. These network performance metrics were tested in two scenarios. They
were selected because they are clearly affected by RCA, as discussed in Chapter IV.
This chapter revealed that DCFA5 can resist RCA while attempting to maintain network
performance as high as possible. The fact that DCFA5 outperforms DCFA1 and AODV
confirms the high capability and performance of DCFA5 from both network and
security points of view. Clearly, the t threshold should be equal to 5 to produce a
successful and highly efficient DCFA.
CHAPTER VII
7.1 RESEARCH CONTRIBUTIONS
This research adds three main contributions to the literature. Firstly, a new RCA attack
model and its countermeasure DCFA model have been developed and added to the
QualNet v5.0.2 platform to be implemented over MANET. The RCA model has been
developed to inject the flooding attack over the AODV routing protocol, and the
countermeasure model for RCA has been developed to secure the AODV routing
protocol.
Secondly, new factors have been introduced to implement and analyze RCA over
MANET, specifically, varying the number of attackers in combination with the
attackers' positions, and varying the attackers' radio range and flooding rate. Thirdly
and finally, a new AIS-based algorithm and its related model have been developed and
evaluated. The model has been added to QualNet v5.0.2 to be tested from both security
and network measurements. Five security performance metrics have been used to test
DCFA, specifically, false positive, false negative, true positive, true negative and
accuracy rates. Also, four network performance metrics have been used to test DCFA:
throughput, end-to-end delay, energy consumption and routing overhead.
7.2 ACHIEVEMENTS
The major goal of this research is to introduce an efficient, self-defensive and
self-organizing algorithm to protect MANET from flooding-based attacks. This goal
involves a set of objectives, which are listed in Section 1.3. The objectives were achieved
throughout the chapters of this thesis. The first objective was fulfilled in Chapter IV,
where a comprehensive study of the effect of flooding-based attacks was introduced.
RCA was simulated as an example of a flooding-based attack with QualNet version
5.0.2. The simulation clarified the performance parameters that affect the RCA
attackers' effectiveness, such as varying the number of attackers and their positions and
varying the attackers' radio range and flooding rates.
From the experiments performed in Chapter IV, a blueprint for the design of DCFA was
provided. Specifically, if a certain attack is designed to degrade the performance of a
specific routing protocol, the attack designer must first study the specifications of that
routing protocol. Similarly, if a researcher intends to design an AIS-based intrusion
detection algorithm, an investigation of the monitored attack should be carried out so
that the strengths and weaknesses of the observed attack can be determined. Such
determination increases the chances for the designed intrusion detection algorithm to
succeed and defeat the intrusion. For example, as flooding-based attacks depend mainly
on flooding high rates of faked packets, this mechanism forms a signal in DCFA. This
signal strongly indicates the existence of RCA and helps DCFA prepare correct
information on the signal's relevant antigen and label it with the correct context (either
malignant or benign).
The second objective of this research is addressed in Chapter V, where DCFA was
developed and thoroughly illustrated. The distinctive features of danger theory and fuzzy
logic theory were utilized to produce a hybrid intelligent intrusion detection algorithm.
DCFA was mainly derived from the abstract biological model of DCs in innate
immunity and their interaction with T-cells in adaptive immunity in the human immune
system. Fuzzy logic theory is the heart of the DC function; through it, multiple signals
can be received and the context of their relevant antigens can be produced. The
migration of DCs after maturation triggers NT-cells and controls their response to the
input antigen. The function of T-cells in adaptive immunity was applied in DCFA in an
abstract manner to avoid applying self-nonself discrimination theory, which involves the
negative selection algorithm and leads to a scalability problem and high false positive
rates. HIS modeling and the abstraction of certain of its functions and principles are
what make DCFA an efficient, self-defensive and self-organizing algorithm.
DCFA was verified in Chapter VI with QualNet v5.0.2 as the simulation tool to achieve
the third objective of this research. The importance of selecting the value of the t
threshold was made clear by comparing the two versions of DCFA, namely, DCFA1 and
DCFA5. Another comparison examined the network and security performance of
DCFA1, DCFA5 and AODV. DCFA5 outperforms DCFA1 by scoring lower false
positive and false negative rates and higher true positive, true negative and accuracy
rates. Testing helped set the value of the t threshold in DCFA to 5 to gain the desired
level of performance and efficiency.
DCFA5 proves its capability to secure MANET and maintain its performance and
resources simultaneously. DCFA5 outperforms AODV by scoring higher throughput and
lower values in the following network performance metrics: end-to-end delay, total
energy consumed and routing overhead. Although DCFA1 suppressed the effects of
RCA on network energy consumption and routing overhead, it clearly failed to maintain
high throughput and low end-to-end delay because of its oppressive connection
suppressions. The unfair suppressions in DCFA1 result in high false positive rates,
unlike DCFA5, which is resilient and fault-tolerant. Therefore, it can be concluded from
Chapter VI that DCFA applies a t threshold value that is equal to 5.
7.3
DCFA has the potential to become a highly successful AIS-based intrusion detection
algorithm for the following reasons. Firstly, any attack must be activated by an entity
(e.g., a faked packet) with a certain identity and a set of behaviors to fulfill the attack's
purposes. Therefore, translating the input routing packet's identity into an antigen and
its behaviors into a set of signals allows DCFA to be utilized in the detection of a wide
range of attacks.
Secondly, DCFA performs anomaly detection and depends on its own learning to perform partial signature detection, which makes DCFA resilient and able to detect new attack identities even if they are not recorded in MT-cell profiles. The partial use of signature detection speeds up the detection operation in DCFA and keeps network performance high. Although anomaly detection yields high false positive rates, DCFA deals with this problem well by setting the t threshold to 5: each antigen is given five chances to be tested before it is transformed into MT-cell profiles. Thus, the false positive rates in DCFA5 are reduced, and the problem in DCFA1 is clearly explained. This advantage confirms DCFA's potential application to dynamic and non-centralized networks, such as MANET.
Thirdly, although security algorithms are inversely related to the performance of the protected systems, DCFA maintains high efficiency and effectiveness. As presented in Chapter VI, the network performance metrics are negatively affected by only low percentages when DCFA is applied under the pressure of an increasing number of attackers or increasing attacker radio ranges, compared with the normal case (zero attackers). DCFA increases the performance of the AODV routing protocol when an attack occurs, which means that DCFA not only makes AODV secure enough but also increases its robustness and performance when attacked.
Finally, unlike (Greensmith 2007; Kim et al. 2006), DCFA does not depend on the temporal correlation between the incoming antigens and signals. Temporal correlation depends mainly on the order of the tested input antigens and causes high false positive rates when antigens with different contexts enter the system simultaneously. Instead, DCFA establishes the association between an input antigen and its relevant signals directly. The relation between an antigen and its signals is arranged carefully in a gene, and the accumulated genes are congregated in the TGList in the genes store. This careful data collection and preparation for the detection operation increases the possibility of obtaining low false positive and false negative rates and a high accuracy rate.
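The two mechanisms summarised in the second and fourth advantages above (a context decision taken only after an antigen has had t chances to be tested, and genes that bind an antigen to its own signals and accumulate per antigen in a TGList rather than being correlated by arrival order) can be illustrated with a small constructed model. The following Python is an added example written for this edit; it is neither the thesis's DCFA implementation nor QualNet code. The signal semantics (integer danger and safe counts per gene), the majority rule used for the verdict, the class names Gene, TGList and Detector, and the interleaved trace of one attacker and one benign node are all assumptions made for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added illustration (not the thesis's code) of two ideas from the text:
# (1) a gene binds one antigen (the identity of a routing packet's originator)
#     to the signals observed for it, and genes are grouped per antigen in a
#     TGList instead of being correlated by arrival order;
# (2) an antigen's context is decided only once t genes have been collected
#     for it (t = 1 stands for DCFA1, t = 5 for DCFA5).
# ASSUMPTIONS: signals are reduced to integer danger/safe counts and the
# verdict is a simple majority; DCFA's real signal processing is not modelled.


@dataclass(frozen=True)
class Gene:
    antigen: str   # originator identity, e.g. a node address
    danger: int    # danger-type signals seen together with this antigen
    safe: int      # safe-type signals seen together with this antigen


class TGList:
    """Genes store: every antigen keeps its own list of accumulated genes."""

    def __init__(self):
        self._genes = defaultdict(list)

    def add(self, gene: Gene) -> list:
        self._genes[gene.antigen].append(gene)
        return self._genes[gene.antigen]


class Detector:
    def __init__(self, t: int):
        self.t = t                 # chances an antigen gets before it is profiled
        self.tglist = TGList()
        self.profiles = {}         # antigen -> verdict (stand-in for MT-cell profiles)

    def observe(self, gene: Gene):
        # Signature-style fast path: an already profiled antigen is not re-tested.
        if gene.antigen in self.profiles:
            return self.profiles[gene.antigen]
        genes = self.tglist.add(gene)
        if len(genes) < self.t:
            return None            # still collecting evidence for this antigen
        danger = sum(g.danger for g in genes)
        safe = sum(g.safe for g in genes)
        verdict = "malignant" if danger > safe else "benign"
        self.profiles[gene.antigen] = verdict
        return verdict


# Constructed trace: attacker A floods (danger signals) while benign node B
# shows one noisy burst first and then normal behaviour. A and B are
# interleaved so that a detector relying on arrival order would mix their
# contexts; grouping by antigen keeps them apart.
TRACE = [
    Gene("B", 3, 0), Gene("A", 4, 0), Gene("B", 0, 2), Gene("A", 5, 0),
    Gene("B", 0, 3), Gene("A", 4, 1), Gene("B", 0, 2), Gene("A", 5, 0),
    Gene("B", 1, 2), Gene("A", 4, 0),
]
TRUTH = {"A": "malignant", "B": "benign"}   # constructed ground truth


def run(t: int, trace=TRACE) -> dict:
    """Feed the trace through a detector with threshold t; return its profiles."""
    det = Detector(t)
    for gene in trace:
        det.observe(gene)
    return dict(det.profiles)


def rates(profiles: dict, truth: dict) -> dict:
    """Confusion counts (tp/tn/fp/fn) of the profiles against ground truth."""
    counts = {"tp": 0, "tn": 0, "fp": 0, "fn": 0}
    for antigen, actual in truth.items():
        verdict = profiles.get(antigen, "benign")   # unprofiled = not flagged
        if actual == "malignant":
            counts["tp" if verdict == "malignant" else "fn"] += 1
        else:
            counts["fp" if verdict == "malignant" else "tn"] += 1
    return counts


if __name__ == "__main__":
    for t in (1, 5):
        profiles = run(t)
        print(f"t={t}: {profiles} -> {rates(profiles, TRUTH)}")
```

With t=1, node B is profiled as malignant on its single noisy burst (a false positive), while with t=5 its five accumulated genes outweigh the burst and only A is flagged. Feeding the same trace in reverse order yields identical verdicts, because evidence is grouped by antigen rather than by the order in which packets arrived.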
However, DCFA has a limitation in establishing well-managed collaboration between mobile nodes in MANET. DCFA operates locally and must be installed in each node to protect that node; if one node confirms the context of a certain antigen as malignant, it does not broadcast that context to the surrounding nodes. This limitation increases the possibility of false negatives. Furthermore, cooperation between non-centralized nodes in intrusion detection strengthens their security systems. However, such cooperation should be applied only between authorized nodes, because a group of attackers may join legitimate nodes and broadcast faked security information about certain legitimate nodes to isolate them from the network and cause network partitioning.
7.4
The work presented in this research sparks a series of ideas that should be adopted in future studies, as follows:
i.
ii.
iii. DCFA is verified with QualNet 5.0.2 to detect RCA over MANET. DCFA, as an algorithm applied in each node, can also be verified with a real data set to examine its reliability and correctness.
All future studies should aim to strengthen DCFA as a novel contribution to knowledge.
REFERENCES
Agrawal, S., Jain, S. & Sharma, S. 2011. A Survey of Routing Attacks and Security
Measures in Mobile Ad-Hoc Networks. Journal of Computing. 3(1): 41-48.
Aickelin, U., Bentley, P., Cayzer, S., Kim, J. & McLeod, J. 2003. Danger theory: The
link between AIS and IDS? International Conference on Artificial Immune
Systems. 147-155.
Aickelin, U. & Cayzer, S. 2002. The danger theory and its application to artificial
immune systems. International Conference on Artificial Immune Systems. 141-148.
Aickelin, U. & Greensmith, J. 2007. Sensing danger: Innate immunology for intrusion
detection. Information Security Technical Report. 12(4): 218-227.
Alberts, B. 2002. Molecular Biology of the Cell (4th ed.). New York: Garland Science.
ISBN: 0-8153-4072-9.
Alotaibi, E. & Mukherjee, B. 2011. A survey on routing algorithms for wireless Ad-Hoc and mesh networks. Computer Networks. 56(2012): 940-965.
Alsaqour, R. A., Abdelhaq, M. S. & Alsukour, O. A. 2012. Effect of network
parameters on neighbor wireless link breaks in GPSR protocol and
enhancement using mobility prediction model. EURASIP Journal on Wireless
Communications and Networking. 2012(1): 171.
An, B. & Papavassiliou, S. 2003. Geomulticast: architectures and protocols for mobile
ad hoc wireless networks. Journal of Parallel and Distributed Computing.
63(2): 182-195.
Arslan, A. & Kaya, M. 2001. Determination of fuzzy logic membership functions
using genetic algorithms. Fuzzy sets and systems. 118(2): 297-306.
Avudainayagam, A., Lou, W. & Fang, Y. 2003. DEAR: A Device and Energy Aware
Routing protocol for heterogeneous ad hoc networks. Journal of Parallel and
Distributed Computing. 63(2): 228-236.
Baadache, A. & Belmehdi, A. 2012. Fighting against packet dropping misbehavior in
multi-hop wireless ad hoc networks. Journal of Network and Computer
Applications. 35(3): 1130-1139.
Bas, J. & Neira, A. P. 2003. A fuzzy logic system for interference rejection in code
division multiple access. 2: 996-1001 vol. 1002.
Boukerche, A., Turgut, B., Aydin, N., Ahmad, M. Z., Bölöni, L. & Turgut, D. 2011.
Survey Paper: Routing protocols in ad hoc networks: A survey. Computer
Networks: The International Journal of Computer and Telecommunications
Networking. 55(13): 3032-3080.
Bretscher, P. A. 1999. A two-step, two-signal model for the primary activation of
precursor helper T cells. Proceedings of the National Academy of Sciences.
96(1): 185-190.
Brutch, P. & Ko, C. 2003. Challenges in intrusion detection for wireless ad-hoc
networks. Applications and the Internet Workshops, 2003. Proceedings. 2003
Symposium on. 368-373.
Çayırcı, E. & Rong, C. 2009. Security in wireless ad hoc and sensor networks. Wiley
Online Library. ISBN: 0470027487.
Chang, K. B., Son, T. H. & Park, G. T. 2006a. Dynamic control of packet transmission
rate using fuzzy logic for ad hoc networks. Computational Intelligence: 1311-1316.
Chang, K. B., Son, T. H. & Park, G. T. 2006b. A method of controlling packet
transmission rate with Fuzzy logic for Ad Hoc networks. Intelligent Control
and Automation: 138-143.
Chiang, C. C. & Gerla, M. 1997. Routing and multicast in multihop, mobile wireless
networks. IEEE 6th International Conference on Universal Personal
Communications Record 2: 546-551.
Chlamtac, I., Conti, M. & Liu, J. J. N. 2010. Mobile ad hoc networking: imperatives
and challenges. Ad hoc networks. 1(1): 13-64.
Chou, C. H., Ssu, K. F. & Jiau, H. C. 2008. Dynamic route maintenance for
geographic forwarding in mobile ad hoc networks. Computer Networks. 52(2):
418-431.
Coico, R. & Sunshine, G. 2009. Immunology: a short course. Wiley-Blackwell. ISBN:
0470081589.
Cox, E. 1992. Fuzzy fundamentals. IEEE Spectrum Magazine. 29(10): 58-61.
Cui, S., Goldsmith, A. J. & Bahai, A. 2005. Energy-constrained modulation
optimization. Wireless Communications, IEEE Transactions on. 4(5): 2349-2360.
Dai, H., Jia, Z. & Qin, Z. 2009. Trust evaluation and dynamic routing decision based
on fuzzy theory for manets. Journal of Software. 4(10): 1091-1101.
Das, S. K., Manoj, B. S. & Ram Murthy, C. S. 2002. A dynamic core based multicast
routing protocol for ad hoc wireless networks. Proceedings of the 3rd ACM
international symposium on Mobile ad hoc networking & computing. 24-35.
Dasgupta, D., Yu, S. & Nino, F. 2011. Recent advances in artificial immune systems:
models and applications. Applied Soft Computing. 11(2): 1574-1587.
Deng, H., Li, W. & Agrawal, D. P. 2002. Routing security in wireless ad hoc
networks. Communications Magazine, IEEE. 40(10): 70-75.
Drozda, M., Schaust, S., Schildt, S. & Szczerbicka, H. 2009. An Error Propagation
Algorithm for Ad Hoc Wireless Networks. Artificial Immune Systems: 260-273.
Drozda, M., Schaust, S. & Szczerbicka, H. 2010. Immuno-inspired knowledge
management for ad hoc wireless networks. Smart Information and Knowledge
Management: 1-26.
e Sousa, C. R. 2001. Dendritic cells as sensors of infection. Immunity. 14(5): 495-498.
Eriksson, J., Krishnamurthy, S. V. & Faloutsos, M. 2006. Truelink: A practical
countermeasure to the wormhole attack in wireless networks. 14th IEEE
International Conference on Network Protocols. 75-84.
Fanelli, R. 2008a. A hybrid model for immune inspired network intrusion detection.
International Conference on Artificial Immune Systems. 107-118.
Fanelli, R. 2008b. Network threat detection utilizing adaptive and innate immune
system metaphors. ISBN: 0549600434.
Fanelli, R. 2010. Further experimentation with hybrid immune inspired network
intrusion detection. International Conference on Artificial Immune Systems.
264-275.
Feeney, L. M. & Nilsson, M. 2001. Investigating the energy consumption of a wireless
network interface in an ad hoc networking environment. INFOCOM 2001.
Twentieth Annual Joint Conference of the IEEE Computer and
Communications Societies. 1543: 1548-1557.
Forrest, S., Perelson, A. S., Allen, L. & Cherukuri, R. 1994. Self-nonself
discrimination in a computer. IEEE Computer Society Symposium on Research
in Security and Privacy. 202-212.
Gelenbe, E., Lent, R., Montuori, A. & Xu, Z. 2002. Cognitive packet networks: QoS
and performance. 10th IEEE International Symposium on Modeling, Analysis
and Simulation of Computer and Telecommunications Systems. 3-9.
Gerhards-Padilla, E., Aschenbruck, N., Martini, P., Jahnke, M. & Tolle, J. 2007.
Detecting black hole attacks in tactical MANETs using topology graphs. 32nd
IEEE Conference on Local Computer Networks. 1043-1052.
Ghazali, K. W. M. & Hassan, R. 2011. Flooding Distributed Denial of Service
Attacks-A Review. Journal of Computer Science. 7(8): 1218-1223.
Greensmith, J. 2007. The dendritic cell algorithm. University of Nottingham.
Greensmith, J., Aickelin, U. & Cayzer, S. 2005. Introducing dendritic cells as a novel
immune-inspired algorithm for anomaly detection. Artificial Immune Systems:
153-167.
Greensmith, J., Aickelin, U. & Cayzer, S. 2008. Detecting danger: The dendritic cell
algorithm. Robust Intelligent Systems. 12: 89-112.
Greensmith, J., Aickelin, U. & Tedesco, G. 2010. Information fusion for anomaly
detection with the dendritic cell algorithm. Information Fusion. 11(1): 21-34.
Gu, Q., Liu, P. & Chu, C. H. 2007. Analysis of area-congestion-based DDoS attacks in
ad hoc networks. Ad hoc networks. 5(5): 613-625.
Gupta, V., Krishnamurthy, S. & Faloutsos, M. 2002. Denial of service attacks at the
MAC layer in wireless ad hoc networks. 2: 1118-1123 vol. 1112.
Hofmeyr, F. & Forrest, S. 1999. Immunity by design: An artificial immune system.
Proceedings of the Genetic and Evolutionary Computation Conference.
Horikawa, S. I., Furuhashi, T. & Uchikawa, Y. 1992. On fuzzy modeling using fuzzy
neural networks with the back-propagation algorithm. Neural Networks, IEEE
Transactions on. 3(5): 801-806.
A dynamic alternate path QoS enabled routing scheme in mobile ad hoc networks, 1,
14 Cong. Rec. 1-16 (2007).
Intanagonwiwat, C., Govindan, R., Estrin, D., Heidemann, J. & Silva, F. 2003.
Directed diffusion for wireless sensor networking. Networking, IEEE/ACM
Transactions on. 11(1): 2-16.
Iwata, A., Chiang, C. C., Pei, G., Gerla, M. & Chen, T. W. 1999. Scalable routing
strategies for ad hoc wireless networks. Selected Areas in Communications,
IEEE Journal on. 17(8): 1369-1379.
Jacquet, P., Muhlethaler, P., Clausen, T., Laouiti, A., Qayyum, A. & Viennot, L. 2001.
Optimized link state routing protocol for ad hoc networks. IEEE INMIC. 1: 63-68.
Janeway, C. A. 1998. The road less traveled: the role of innate immunity in the
adaptive immune response-presidential address to the American Association of
Immunologists. Journal of Immunology. 161(2): 539-544.
Janeway, C. A., Travers, P., Walport, M. & Capra, J. D. 2001. Immunobiology: the
immune system in health and disease. (Vol. 1): Current Biology. ISBN.
Janeway Jr, C. A. & Medzhitov, R. 2002. Innate immune recognition. Science
Signalling. 20(1): 197.
Jang, J. S. R. 1992. Self-learning fuzzy controllers based on temporal backpropagation.
Neural Networks, IEEE Transactions on. 3(5): 714-723.
Jetcheva, J. G. & Johnson, D. B. 2001. Adaptive demand-driven multicast routing in
multi-hop wireless ad hoc networks. Proceedings of the 2nd ACM international
symposium on Mobile ad hoc networking & computing. 33-44.
Johnson, D. B. & Maltz, D. A. 1996. Dynamic source routing in ad hoc wireless
networks. Mobile computing: 153-181.
Joshi, M. D., Unger, W. J., Storm, G., van Kooyk, Y. & Mastrobattista, E. 2012.
Targeting tumor antigens to dendritic cells using particulate carriers. Journal of
Controlled Release. 161(1): 25-37.
Juels, A. 2006. RFID security and privacy: A research survey. Selected Areas in
Communications, IEEE Journal on. 24(2): 381-394.
Kapitanova, K., Son, S. H. & Kang, K. D. 2011. Using fuzzy logic for robust event
detection in wireless sensor networks. Ad Hoc Networks. 10: 709-722.
Kargl, F., Klenk, A., Schlott, S. & Weber, M. 2005. Advanced detection of selfish or
malicious nodes in ad hoc networks. Security in Ad-hoc and Sensor Networks:
152-165.
Karlof, C. & Wagner, D. 2003. Secure routing in wireless sensor networks: Attacks
and countermeasures. Ad hoc networks. 1(2-3): 293-315.
Karp, B. & Kung, H. T. 2000. GPSR: Greedy perimeter stateless routing for wireless
networks. Proceedings of the 6th annual international conference on Mobile
computing and networking. 243-254.
Kayarkar, H. 2012. A Survey on Security Issues in Ad Hoc Routing Protocols and
their Mitigation Techniques. International Journal of Advanced Networking
and Application. 3(5): 1338-1351.
Khatri, P., Tapaswi, S. & Verma, U. 2010. Fuzzy based trust management for wireless
ad hoc networks. 168-171.
Qualnet Simulator. 1999. Retrieved April, 2012, from http://www.scalablenetworks.com/content/. Access at: 26-12-2010.
Ren, Q. & Liang, Q. 2005. Fuzzy logic-optimized secure media access control
(FSMAC) protocol wireless sensor networks. 37-43.
Royer, E. M. & Toh, C. K. 1999. A review of current routing protocols for ad hoc
mobile wireless networks. Personal Communications, IEEE. 6(2): 46-55.
Sakellari, G. 2011. Performance evaluation of the Cognitive Packet Network in the
presence of network worms. Performance Evaluation. 68 (2011): 927-937.
Samar, P., Pearlman, M. R. & Haas, Z. J. 2004. Independent zone routing: an adaptive
hybrid routing framework for ad hoc wireless networks. IEEE/ACM
Transactions on Networking (TON). 12(4): 595-608.
Saqour, R., Shanuldin, M. & Ismail, M. 2007. Prediction schemes to enhance the
routing process in geographical GPSR ad hoc protocol. Mobile Information
Systems. 3(3): 203-220.
Sarafijanovic, S. & Le Boudec, J. Y. 2004. An artificial immune system for
misbehavior detection in mobile ad-hoc networks with virtual thymus,
clustering, danger signal, and memory detectors. Artificial Immune Systems:
342-356.
Sarafijanovic, S. & Le Boudec, J. Y. 2005. An artificial immune system approach with
secondary response for misbehavior detection in mobile ad hoc networks.
Neural Networks, IEEE Transactions on. 16(5): 1076-1087.
Sidhu, D., Fu, T., Abdallah, S., Nair, R. & Coltun, R. 1993. Open shortest path first
(OSPF) routing protocol simulation. ACM SIGCOMM Computer
Communication Review. 23(4): 53-62.
Singh, S., Woo, M. & Raghavendra, C. S. 1998. Power-aware routing in mobile ad hoc
networks. Proceedings of the 4th annual ACM/IEEE international conference
on Mobile computing and networking. 181-190.
Sivakumar, R., Sinha, P. & Bharghavan, V. 1999. CEDAR: a core-extraction
distributed ad hoc routing algorithm. Selected Areas in Communications, IEEE
Journal on. 17(8): 1454-1465.
Sommerville, I. 2004. Software Engineering. International computer science series:
Addison Wesley.
Steinman, R. M. 2000. The dendritic cell advantage: New focus for immune-based
therapies. Drug News Perspect. 13(10): 581.
Stibor, T., Mohr, P., Timmis, J. & Eckert, C. 2005. Is negative selection appropriate
for anomaly detection? Proceedings of the 2005 conference on Genetic and
evolutionary computation. 321-328.
Su, X. & Adviser-Boppana, R. V. 2009. Integrated prevention and detection of
byzantine Attacks in mobile ad hoc networks. The University of Texas at San
Antonio. ISBN: 1109298005.
Su, X. & Boppana, R. V. 2008. Mitigating wormhole attacks using passive monitoring
in mobile ad hoc networks. Global Telecommunications Conference, 2008.
IEEE GLOBECOM 2008. IEEE. 1-5.
Camp, T., Boleng, J. & Davies, V. 2002. A survey of mobility models for ad hoc network
research. Wireless Communications and Mobile Computing (WCMC), Special issue on Mobile
Ad Hoc Networking: Research, Trends and Applications. 5(2): 483-502.
Taneja, S. & Kush, A. 2010. A Survey of routing protocols in mobile ad hoc networks.
International Journal of Innovation, Management and Technology. 1(3): 20100248.
Twycross, J. & Aickelin, U. 2005. Towards a conceptual framework for innate
immunity. Artificial Immune Systems: 112-125.
Twycross, J. & Aickelin, U. 2006. Libtissue-implementing innate immunity. IEEE
Congress on Evolutionary Computation. 499-506.
Van Phuong, T., Canh, N. T., Lee, Y. K., Lee, S. & Lee, H. 2007. Transmission time-based mechanism to detect wormhole attacks. Asia-Pacific Service Computing
Conference, The 2nd IEEE. 172-178.
von Mulert, J., Welch, I. & Seah, W. K. G. 2012. Security threats and solutions in
MANETs: A case study using AODV and SAODV. Journal of Network and
Computer Applications.
Wallenta, C., Kim, J., Bentley, P. J. & Hailes, S. 2010. Detecting interest cache
poisoning in sensor networks using an artificial immune algorithm. Applied
Intelligence. 32(1): 1-26.
Wang, D., Hu, M. & Zhi, H. 2008. A survey of secure routing in ad hoc networks.
Web-Age Information Management, 2008. WAIM'08. The Ninth International
Conference on. 482-486.
Wu, S. X. & Banzhaf, W. 2010. The use of computational intelligence in intrusion
detection systems: A review. Applied Soft Computing. 10(1): 1-35.
Xia, H., Jia, Z., Ju, L. & Zhu, Y. 2011. Trust management model for mobile ad hoc
network based on analytic hierarchy process and fuzzy theory. Wireless Sensor
Systems, IET. 1(4): 248-266.
Xia, H., Jia, Z., Li, X., Ju, L. & Sha, E. H. M. 2012. Trust prediction and trust-based
source routing in mobile ad hoc networks. Ad Hoc Networks.
Xie, J., Talpade, R. R., Mcauley, A. & Liu, M. 2002. AMRoute: ad hoc multicast
routing protocol. Mobile Networks and Applications. 7(6): 429-439.
Xu, K., Hong, X. & Gerla, M. 2003. Landmark routing in ad hoc networks with mobile
backbones. Journal of Parallel and Distributed Computing. 63(2): 110-122.
Yao, Z., Jiang, J., Fan, P., Cao, Z. & Li, V. O. K. 2003. A neighbor-table-based
multipath routing in ad hoc networks. Vehicular Technology Conference, 2003.
VTC 2003-Spring. The 57th IEEE Semiannual. 3: 1739-1743.
Yi, P., Dai, Z., Zhang, S. & Zhong, Y. 2005. A new routing attack in mobile ad hoc
networks. International Journal of Information Technology. 11(2): 83-94.
Yih-Chun, H. & Perrig, A. 2004. A survey of secure wireless ad hoc routing. Security
& Privacy, IEEE. 2(3): 28-39.
Zadeh, L. A. 1965. Fuzzy sets. Information and control. 8(3): 338-353.
Zadeh, L. A. 1973. Outline of a new approach to the analysis of complex systems and
decision processes. IEEE Transactions on Systems, Man and Cybernetics. 3(1):
28-44.
Zhang, X., Cheng, S., Feng, M. & Ding, W. 2004. Fuzzy logic QoS dynamic source
routing for mobile ad hoc networks. Proceedings of the 4th IEEE international
conference on Computer and Information Technology (CIT'04). 652-657.
Zhao, Y. 2005. Motion vector routing protocol: A position based routing protocol for
mobile ad hoc networks.
APPENDIX A
LIST OF PUBLICATIONS
[1] of Communication Systems. WILEY. DOI: 10.1002/dac.2615.
[3] Abdelhaq, M., Hassan, R., Ismail, M. & Israf, D. 2011. Detecting Resource Consumption Attack over MANET using an Artificial Immune Algorithm. Research Journal of Applied Sciences, Engineering and Technology. 3(9): 1026-1033. (Indexed by Scopus, SJR 0.030).
[4]
[5] Abdelhaq, M., Hassan, R., Ismail, M., Alsaqour, R. & Israf, D. 2011. Detecting Sleep Deprivation Attack over MANET Using a Danger Theory-Based Algorithm. International Journal on New Computer Architectures and Their Applications (IJNCAA). 1(3): 534-541.
[6] Abdelhaq, M., Serhan, S., Alsaqour, R. & Hassan, R. 2011. A local intrusion detection routing security over MANET network. Proceedings of International Conference on Electrical Engineering and Informatics (ICEEI): 1-6. Bandung, Indonesia, 17-19 July 2011. DOI: 10.1109/ICEEI.2011.6021809. (Indexed by Scopus & ISI).
APPENDIX B
SIMULATION SCREENSHOTS
[Simulation screenshot, caption not extracted: nodes S1, D1, S2, D2; CBR traffic; RREQ broadcast]
[Figure B.2 screenshot: nodes S1, D1, S2, D2 and attackers A1 to A10; CBR traffic; RCA CBRs]
Figure B.2 The random distribution of ten attackers. S1: source node number one, D1: destination node number one, S2: source node number two, D2: destination node number two, An: attacker number n; n: 1-10
[Figure B.3 screenshot: nodes S1, D1, S2, D2 and attackers A1 to A4; CBR traffic; RCA flood]
Figure B.3 RCA with 200m radio range. S1: source node number one, D1: destination node number one, S2: source node number two, D2: destination node number two, An: attacker number n; n: 1-4
[Figure B.4 screenshot: nodes S1, D1, S2, D2 and attackers A1 to A4; CBR traffic; RCA flood]
Figure B.4 RCA with 400m radio range. S1: source node number one, D1: destination node number one, S2: source node number two, D2: destination node number two, An: attacker number n; n: 1-4