International Journal of Computer Information Systems, Vol. 3, No. 6, December 2011, pp. 89-95, ISSN 2229-5208

Association Rule Based Energy Efficient Intrusion Detection Algorithm for MANET

V. Anjana Devi
St. Joseph's College of Engineering
anjanadevi_anne@yahoo.com

Dr. R. S. Bhuvaneswaran
Anna University
bhuvan@annauniv.edu

Abstract:

Wireless networks are vulnerable in many ways: eavesdropping, unauthorized access, denial of service and illegal use attacks. These problems are among the main obstacles to wider use of wireless networks. In this paper we propose a distributed intrusion detection system for ad hoc wireless networks based on mobile agent technology. By merging audit data from multiple network layers, we analyze the entire ad hoc wireless network for intrusions and try to inhibit intrusion attempts. In contrast to many intrusion detection systems designed for wired networks, we implement a bandwidth-conscious framework with reduced power consumption. The main goal of any IDS is to detect all intrusions, and only intrusions, efficiently. The correctness of an IDS is measured by its rates of false positives and false negatives over all events: a false positive occurs when a non-intrusive event is labeled intrusive, and a false negative occurs when an intrusive activity is not detected. It is therefore important to develop an IDS that can process detection signatures efficiently. Here we use AODV as the base routing protocol and modify it according to our requirements, and we use the Frequent Pattern Growth (FP-Growth) algorithm for efficient detection.

KEYWORDS: Intrusion Detection System (IDS), Mobile ad hoc network (MANET), Ad Hoc On-Demand Distance Vector (AODV), Local Intrusion Detection System (LIDS)

I. Introduction:

Intrusion detection is one of the key techniques for protecting a network against intruders. An Intrusion Detection System (IDS) tries to detect and alert on attempted intrusions into a system or network, where an intrusion is any unauthorized or unwanted activity on that system or network. Extensive research has been done in this field, but efficient IDS solutions are still lacking. Existing systems usually monitor user, system and network-level activities continuously and normally have a centralized decision-making entity; because of this central decision making and some inherent properties of wireless networks, they do not transfer efficiently to MANETs. Most current IDSs are designed for wired networks and are rule or signature based. Such systems cannot cope with demanding environments in which new types of attacks, not covered by the current signatures, appear every day, so their efficiency depends on how frequently new signatures and rules are discovered and deployed.

In this paper we concentrate on ad hoc wireless networks. An ad hoc wireless network is a collection of mobile nodes that establish a communication protocol dynamically. Nodes may join the network at any time and communicate with the entire network via their neighbors. There are no base stations; each member of such a network is responsible for accurate routing of information and takes part in routing decisions [4]. Because of the arbitrary physical configuration of an ad hoc network there is no central decision-making mechanism of any kind; instead, the network employs distributed mechanisms of coordination and management. What really distinguishes fixed wired networks from mobile wireless networks is that mobile nodes have very limited bandwidth and battery power. In a fixed network, packet monitoring is performed at gateways, but the concept of a gateway in a wireless network is vague and depends on the type of network and the routing algorithms used. Effective host-based monitoring requires large amounts of CPU processing power and hence consumes energy.

Our proposed IDS takes these considerations into account to provide a lightweight, low-overhead mechanism based on the mobile security agent concept. Essentially, an agent is a small intelligent active object that travels across the network to be executed on a certain host and then returns with results to the originator. All the decisions, including network traversal, are left to an

agent. Agents are dynamically updateable and lightweight, have a specific functionality, and can be viewed as components of a flexible and dynamically configurable IDS. These qualities make them a natural choice for a security framework in bandwidth- and computation-sensitive environments. The advantage of our approach is that computation-intensive analysis of the overall network security state is restricted to a few key nodes. These nodes are dynamically elected, so the overall network security is not entirely dependent on any particular node.

1.1 IDS requirements.

In [10], the authors define a set of desirable characteristics for an IDS, focusing on two themes: functional and performance requirements. In the following sections we summarize some of these characteristics.

1.1.1 Functional requirements

An IDS must continuously monitor and report intrusions. It should have a very low false alarm rate. It should provide enough information to repair the system when an intrusion is detected; note that this characteristic depends on the goals of the IDS, and in fact many IDS solutions focus only on alerting administrators without suggesting any corrective action. An IDS must detect and react to distributed and coordinated attacks. This is one of the most difficult detection features, because it needs a huge amount of distributed information in addition to the hard task of synchronization between different hosts. Finally, the IDS should adapt to network topology and configuration changes.

1.1.2 Performance requirements.

Intrusions should be detected in real time and reported immediately in order to minimize network damage. The IDS must be scalable in order to handle additional computational and communication loads.

1.2 Limitations.

The most common IDS shortcomings include the following. High number of false positives. Lack of efficiency: usually, when an IDS is faced with a very large number of events in the network, it slows down the system or drops network packets. Vulnerability to attacks: hierarchical structures give attackers the opportunity to harm the IDS by cutting off a control branch or even by taking out the root command node.

1.3 Mobile agent advantages.

Instead of using static components in an IDS, mobile agent based systems offer the following advantages. Overcoming network latency: since agents operate directly on the host where an action has to be taken, their response is faster than in hierarchical systems, where actions are taken by a central coordinator. Reducing network load: instead of sending audit data, which can be huge, from sensors to central stations, sending the agent's code to the data causes little network load. Autonomous execution: so that the whole network is not left undefended when a part of the IDS fails, agents can work autonomously even if their creators no longer operate. Platform independence: because agents run on the agent platform, they are independent of the host's platform. Dynamic adaptation: the system can be reconfigured at run time because of the agents' dynamic behavior. Static adaptation: when a new attack signature has to be added to the IDS, the agents' algorithm can be updated without restarting the whole system. Scalability: mobile agents reduce the computational load on the system by dividing it among different hosts.

2. ARCHITECTURE

Data mining techniques are used in the intrusion detection module in order to improve the efficiency and effectiveness of the MANET nodes. Among the data mining intrusion detection techniques [9], clustering-based intrusion detection has been found to be the most promising because of its ability to detect new attacks. Many traditional intrusion detection techniques are limited by the need to collect training data from real networks and label it manually as normal or abnormal; it is very time consuming and expensive to collect pure normal data and classify it by hand in wireless networks. An association algorithm such as FP-Growth is used instead, which can be utilized to achieve anomaly detection of routing and other attacks in a MANET. The proposed IDS architecture is shown in Fig. 1 below.

2.1. ARCHITECTURE OF GLOBAL INTRUSION DETECTION

Fig. 1

2.1.1. Local Data Collection

The local data collection module collects data streams of various kinds of information, traffic patterns and attack traces from the physical, MAC and network layers via the association module. The data streams can include system, user and mobile node communication activities within radio range.

2.1.2. Local Detection

The local detection module consists of the anomaly detection engine. It analyzes the local data traces gathered by the local data collection module for evidence of anomalies. A normal profile is an aggregated rule set derived from multiple training data segments; new and updated detection rules across the ad hoc network are obtained from the normal profile. The normal profile consists of normal behavior patterns that are computed from trace data in a training process during which all activities are normal. During the testing process, normal and abnormal activities are processed and any deviations from the normal profile are recorded. The anomaly detector distinguishes normal activity from anomalies by comparing the test data profiles with the expected normal profiles. If any detection rule deviates beyond a threshold interval, and the rule has a very high accuracy rate, the node can determine independently that the network is under attack and initiates alert management.

2.1.3. Global Intrusion Detection

When the support and confidence level is low, or the intrusion evidence in the detecting node is weak and inconclusive, the node can make a collaborative decision by gathering intelligence from its surrounding nodes via a protected communication channel. The cooperative detection decision is based on a majority vote over the received reports indicating an intrusion or anomaly.

2.1.4. Alert Management

Alert management receives alerts from local detection or cooperative detection, depending on the strength of the intrusion evidence, and collects them in the alert cache for t seconds. If there are more abnormal predictions than normal predictions in the cache, the activity is regarded as abnormal and, given adequate information, an alarm is generated to signal that intrusive activity is present in the system.

2.2. ANOMALY DETECTION MECHANISM IN MANET

The anomaly detection system creates a baseline profile of the normal network traffic activity [1]. Activity that diverges from the baseline is then treated as a possible intrusion. The main objective is to collect a set of useful features from the traffic in order to decide whether the sampled traffic is normal or abnormal. Among the advantages of anomaly detection are that it can detect new and unknown attacks, that it can detect insider attacks, and that it is very difficult for an attacker to carry out an attack without setting off an alarm. The process of anomaly detection comprises two phases: training and testing. The basic framework for normal behavior is constructed by collecting the noticeable characteristics from the audit data. Data mining techniques are used to build the intrusion detection system that realizes the anomaly detection mechanism.

2.2.1. Construction of the normal dataset

The data obtained from the audit data sources mostly contains local routing information, data and control

information from the MAC and routing layers along with other traffic statistics. Training may entail modeling the distribution of a given set of training points or characteristic network traffic samples. A few assumptions have to be made so that the traffic traced from the network can be treated as attack-free: normal traffic occurs far more frequently than attack traffic, and attack traffic samples are statistically different from normal connections. Given these two assumptions, attacks will appear as outliers in the feature space, so they can be detected by analyzing the data set and identifying anomalies in it.

2.2.2. Feature construction

For feature construction, an unsupervised method is used to construct the feature set. The clustering algorithm [2] is used to construct features from the audit data. The feature set is created from the audit data, and the most common feature sets, those whose weight is not smaller than the minimum threshold, are selected as the essential feature set. A set of significant features should be obtained from the incoming traffic that differentiates normal data from intrusive data; capturing few, semantically meaningful features results in better detection performance and saves computation time. During feature construction, traffic-related features as well as non-traffic-related features that represent routing conditions are collected. Some of the features are used for detecting DoS attacks and attacks that manipulate the routing protocol; for instance, the number of data packets received is used to detect an unusual level of data traffic, which may indicate a DoS attack based on a data traffic flood.

III METHODOLOGY

3.1. CROSS LAYER TECHNIQUES

For efficient intrusion detection we use cross layer techniques in the IDS. Generally, routing is handled in the routing layer and medium access in the MAC layer, whereas power control and rate control are sometimes considered part of the PHY layer and sometimes part of the MAC layer. Without cross layer interaction, the routing layer can select between several routes but has no information about congestion or malicious nodes, so it may select a congested route or a route that includes malicious nodes. With cross layer interaction, the routing layer forwards the possible route choices to the MAC layer, and the MAC layer decides among them using congestion and IDS information and returns the result to the routing layer. Selecting the correct combination of layers in the design of a cross layer IDS is critical for rapidly detecting attacks targeted at, or sourced from, any layer. It is best to incorporate the MAC layer in the cross layer design, since DoS attacks are better detected at this layer; the routing protocol layer and the MAC layer are chosen for detecting routing attacks efficiently. Behavioral data consisting of layer-specific information is collected from multiple layers and forwarded to a data analysis module located at an optimal location. This cross layer technique increases the detection rate for malicious node behavior, increasing true positives and reducing false positives in the MANET. It also alleviates congestion and can adapt to changing network and traffic characteristics. In order to avoid congestion and reroute traffic, the MAC and routing layers have to cooperate with each other and with the IDS so that malicious nodes are not inserted into the new routes. The physical layer collects various types of communication activities, including remote access and logons, user activities, data traffic and attack traces. The MAC layer holds information about congestion and interference. The detection mechanism for misbehaving nodes interacts with the routing layer, since the MAC layer also helps in detecting certain routing attacks, and the MAC layer interacts with the physical layer to determine the quality of a suggested path. By combining cross layer features, inconsistencies between the layers can be detected. Furthermore, these schemes provide a comprehensive detection mechanism for all layers: attacks originating from any layer can be detected with better accuracy.

3.2. AGENTS

Information Gathering Agent (IGA): examines logs in detail. The IDA is aimed at detecting intrusions by scanning the marks left by an intruder who is still in the mark stage. The MLSI, which stands for Mark Left by Suspected. Tracing Agent: finds the source of the attack and prevents it from attacking further.
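The detection pipeline of sections 2.1.2 to 2.1.4 (threshold deviation from a normal profile, cooperative majority vote when the local evidence is weak, and an alert cache that alarms when abnormal predictions outnumber normal ones) is only described in prose above. The following Python program is an added example, not the paper's code: it trains a profile from constructed attack-free intervals using the data-packets-received feature of section 2.2.2 plus two assumed routing features, then runs a constructed test stream through the three steps. The feature names, the weak/strong thresholds, the window length and all sample values are assumptions made for the illustration.

```python
"""Added example (not the paper's code): the local detection, cooperative
voting and alert management steps of sections 2.1.2 to 2.1.4 run over a
normal profile built from constructed traffic features (sections 2.2.1 and
2.2.2). Feature names, thresholds, window length and all sample data are
assumptions made for this illustration."""
from collections import deque
from statistics import mean, pstdev

# Assumed per-interval feature set; data_pkts_rx is the DoS-flood indicator
# named in section 2.2.2, the other two are assumed routing-condition features.
FEATURES = ("data_pkts_rx", "rreq_rx", "rerr_rx")


def train_normal_profile(samples):
    """Training phase: per-feature mean and standard deviation from
    attack-free traces. A zero spread is widened to 1.0 so that a constant
    feature does not divide by zero during testing."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in samples]
        spread = pstdev(values)
        profile[f] = (mean(values), spread if spread > 0 else 1.0)
    return profile


def deviation(profile, sample):
    """Largest absolute z-score over the feature set: how far one sampled
    interval lies from the baseline."""
    return max(abs(sample[f] - m) / sd for f, (m, sd) in profile.items())


def local_decision(profile, sample, weak=2.0, strong=4.0):
    """Local detection: 'normal' below the weak threshold, 'abnormal' when
    the deviation is conclusive, 'suspect' in between (weak evidence that
    needs cooperative confirmation)."""
    z = deviation(profile, sample)
    if z >= strong:
        return "abnormal"
    if z >= weak:
        return "suspect"
    return "normal"


def cooperative_decision(neighbour_reports):
    """Global detection: majority vote over the neighbours' reports received
    on the protected channel. A tie or an empty vote does not raise an alarm."""
    abnormal = sum(1 for r in neighbour_reports if r == "abnormal")
    return "abnormal" if abnormal > len(neighbour_reports) / 2 else "normal"


class AlertManager:
    """Alert management: keep predictions for a window of t seconds and
    alarm when abnormal predictions outnumber normal ones."""

    def __init__(self, window_seconds=10.0):
        self.window = window_seconds
        self.cache = deque()

    def add(self, now, prediction):
        self.cache.append((now, prediction))
        while self.cache and now - self.cache[0][0] > self.window:
            self.cache.popleft()  # expire predictions older than t seconds

    def alarm(self):
        abnormal = sum(1 for _, p in self.cache if p == "abnormal")
        return abnormal > len(self.cache) - abnormal


def run_node(profile, stream, neighbour_reports, window_seconds=10.0):
    """Process (time, sample) pairs for one node. Weak local evidence is
    resolved by asking the neighbours; returns (alarm_raised, predictions)."""
    manager = AlertManager(window_seconds)
    predictions = []
    for t, sample in stream:
        verdict = local_decision(profile, sample)
        if verdict == "suspect":
            verdict = cooperative_decision(neighbour_reports(t))
        manager.add(t, verdict)
        predictions.append(verdict)
    return manager.alarm(), predictions


# Constructed training data: 30 attack-free one-second intervals.
TRAINING = [{"data_pkts_rx": 20 + i % 3, "rreq_rx": 2 + i % 2, "rerr_rx": 0}
            for i in range(30)]
PROFILE = train_normal_profile(TRAINING)

# Constructed test stream: two flood intervals and one borderline interval.
NORMAL = {"data_pkts_rx": 21, "rreq_rx": 2, "rerr_rx": 0}
BORDERLINE = {"data_pkts_rx": 23, "rreq_rx": 2, "rerr_rx": 0}
FLOOD = {"data_pkts_rx": 200, "rreq_rx": 2, "rerr_rx": 0}
STREAM = [(0, NORMAL), (1, BORDERLINE), (2, FLOOD), (3, NORMAL), (4, FLOOD)]


def demo():
    # Two of three neighbours confirm the borderline interval as abnormal.
    return run_node(PROFILE, STREAM, lambda t: ["abnormal", "normal", "abnormal"])


if __name__ == "__main__":
    print(demo())  # (True, ['normal', 'abnormal', 'abnormal', 'normal', 'abnormal'])
```

The borderline interval (23 packets against a baseline of 21 with a spread below one packet) is the case the paper routes to cooperative detection: on its own it is not conclusive, and the majority of neighbour reports decides. A tie is deliberately resolved as "normal", since a cooperative alarm on a split vote would let a single colluding neighbour force false positives; how the neighbour reports are authenticated on the "protected channel" is outside this example.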


Fig. 2
3.3. Ad hoc On-Demand Distance Vector (AODV)

Ad hoc On-Demand Distance Vector (AODV) is a reactive distance vector routing protocol [8]. Reactive means that a node only requests a route when it needs one, and mobile nodes are not required to maintain routes to destinations with which they are not communicating. AODV guarantees loop-free routes by using sequence numbers that indicate how new, or fresh, a route is. AODV requires each node to maintain a routing table containing one route entry for each destination that the node is communicating with. Each route entry keeps track of certain fields, among them:

Destination IP Address: the IP address of the destination for which a route is supplied.
Destination Sequence Number: the destination sequence number associated with the route.
Next Hop: either the destination itself or an intermediate node designated to forward packets to the destination.
Hop Count: the number of hops from the originator IP address to the destination IP address.
Lifetime: the time in milliseconds for which nodes receiving the RREP consider the route to be valid.
Routing Flags: the state of the route: up (valid), down (not valid) or in repair.

3.3.1 Route Discovery

Whenever a source node needs a route to a destination node for which it does not already have one, it broadcasts a route request (RREQ) message to

Fig. 3
all its neighbors. The neighbors update their information for the source and create reverse route entries for the source node in their routing tables. A neighbor receiving a RREQ may send a route reply (RREP) if it is either the destination or has an unexpired route to the destination; in either case the neighbor unicasts the RREP back to the source. Along the path back to the source, intermediate nodes that receive the RREP create forward route entries for the destination. If neither of the two cases is satisfied, the neighbor rebroadcasts (forwards) the RREQ. Each mobile node keeps a cache in which it stores the source IP address and RREQ ID of the RREQs received during the last PATH_DISCOVERY_TIME seconds; if a node receives another RREQ with the same source IP address and RREQ ID during this period, it is discarded. Hence duplicate RREQs are not forwarded. When searching for a route to the destination node, the source node uses the expanding ring search technique to prevent unnecessary network-wide dissemination of RREQs. This is done by controlling the value of the time to live (TTL) field in the IP header. The first RREQ message sent by the source has TTL = TTL_START. The value of TTL defines the maximal number of hops a RREQ can travel through the mobile ad hoc network, i.e., it


decides how far the RREQ is broadcast. In other words, the RREQ broadcast by the source is received only by mobile nodes up to TTL hops away from the source (and of course by all mobile nodes fewer than TTL hops away). Besides setting the TTL, a timeout for receiving a RREP is also set. If the RREQ times out without reception of a corresponding RREP, the source broadcasts the RREQ again, this time with the TTL incremented by TTL_INCREMENT, i.e., the TTL of the second RREQ message is TTL_START + TTL_INCREMENT. This continues until a RREP is received or until the TTL reaches TTL_THRESHOLD. Once the TTL reaches TTL_THRESHOLD, a RREQ is sent with TTL = NET_DIAMETER, which disseminates the RREQ widely throughout the MANET; a RREQ broadcast with TTL = NET_DIAMETER is referred to as a network-wide search. If a source node performs a network-wide search and still does not receive a RREP, it may try again to find a route to the destination node, up to a maximum of RREQ_RETRIES times.

3.3.2 Route Maintenance

When a link in a route breaks, the node upstream of the break invalidates all its routes that use the broken link. Then the node broadcasts a route error (RERR) message to its neighbors (with TTL set to 1). The RERR message contains the IP address of each destination that has become unreachable because of the link break. Upon reception of a RERR message, a node searches its routing table to see whether it has any routes to the unreachable destination(s) that use the sender of the RERR as the next hop. If such routes exist, they are invalidated and the node broadcasts a new RERR message to its neighbors. This process continues until the source receives a RERR message. The source invalidates the listed routes as described above and reinitiates the route discovery process if needed.
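The route discovery and route maintenance behaviour of sections 3.3.1 and 3.3.2 (expanding ring search, reverse and forward route entries, the (source, RREQ ID) duplicate cache, and hop-by-hop RERR propagation) can be checked end to end on a small topology. The following Python simulation is an added example and not the paper's or the AODV implementation's code: the topology, the constants (the RFC 3561 defaults, assumed here), the message handling and the omission of Lifetime and PATH_DISCOVERY_TIME expiry are all simplifying assumptions.

```python
"""Added example (not the paper's code): a minimal simulation of the AODV
route discovery and route maintenance described in sections 3.3.1 and 3.3.2.
The topology, the constants (RFC 3561 defaults) and the message handling are
simplifying assumptions; Lifetime/PATH_DISCOVERY_TIME expiry is not modeled."""
from collections import deque
from dataclasses import dataclass

TTL_START, TTL_INCREMENT, TTL_THRESHOLD = 1, 2, 7
NET_DIAMETER, RREQ_RETRIES = 35, 2


@dataclass
class Route:
    dest: str
    seq: int            # destination sequence number (route freshness)
    next_hop: str
    hops: int
    valid: bool = True  # routing flag: up (valid) or down (invalid)


class Node:
    def __init__(self, name, neighbours):
        self.name = name
        self.links = set(neighbours)
        self.seq = 0            # own sequence number
        self.rreq_id = 0        # last RREQ ID this node originated
        self.table = {}         # destination -> Route
        self.seen = set()       # (source, RREQ ID) cache for duplicate RREQs


class Network:
    def __init__(self, adjacency):
        self.nodes = {n: Node(n, nb) for n, nb in adjacency.items()}

    def route_to(self, src, dst):
        r = self.nodes[src].table.get(dst)
        return None if r is None else (r.next_hop, r.hops, r.valid)

    def discover(self, src, dst):
        """Expanding ring search; returns the TTL that produced a RREP,
        or None if even the network-wide searches fail."""
        ttl = TTL_START
        while ttl <= TTL_THRESHOLD:
            if self.flood(src, dst, ttl)[0]:
                return ttl
            ttl += TTL_INCREMENT
        for _ in range(RREQ_RETRIES + 1):
            if self.flood(src, dst, NET_DIAMETER)[0]:
                return NET_DIAMETER
        return None

    def flood(self, src, dst, ttl):
        """Broadcast one RREQ; returns (RREPs generated, duplicate RREQs dropped)."""
        origin = self.nodes[src]
        origin.rreq_id += 1
        key = (src, origin.rreq_id)
        origin.seen.add(key)
        frontier, replies, dropped = deque([(src, ttl)]), 0, 0
        while frontier:
            holder, left = frontier.popleft()
            if left == 0:
                continue                       # TTL exhausted: not rebroadcast
            for nb in sorted(self.nodes[holder].links):
                n = self.nodes[nb]
                if key in n.seen:
                    dropped += 1               # same source and RREQ ID: discard
                    continue
                n.seen.add(key)
                # reverse route entry toward the source
                n.table[src] = Route(src, origin.seq, holder, ttl - left + 1)
                cached = n.table.get(dst)
                if nb == dst or (cached is not None and cached.valid):
                    self._rrep(nb, src, dst)   # destination or valid route: reply
                    replies += 1
                else:
                    frontier.append((nb, left - 1))
        return replies, dropped

    def _rrep(self, replier, src, dst):
        """Unicast the RREP along the reverse route; every hop on the way
        back installs a forward route entry for the destination."""
        if replier == dst:
            seq, hops = self.nodes[dst].seq, 0
        else:
            cached = self.nodes[replier].table[dst]
            seq, hops = cached.seq, cached.hops
        cur = replier
        while cur != src:
            prev = self.nodes[cur].table[src].next_hop
            hops += 1
            self.nodes[prev].table[dst] = Route(dst, seq, cur, hops)
            cur = prev

    def link_break(self, a, b):
        """Route maintenance: both endpoints invalidate routes through the lost
        link and send RERR (TTL 1); neighbours relay it hop by hop."""
        self.nodes[a].links.discard(b)
        self.nodes[b].links.discard(a)
        for upstream, lost in ((a, b), (b, a)):
            unreachable = [d for d, r in self.nodes[upstream].table.items()
                           if r.valid and r.next_hop == lost]
            self._rerr(upstream, unreachable)

    def _rerr(self, sender, unreachable):
        if not unreachable:
            return
        for d in unreachable:
            self.nodes[sender].table[d].valid = False
        for nb in sorted(self.nodes[sender].links):
            table = self.nodes[nb].table
            affected = [d for d in unreachable
                        if d in table and table[d].valid and table[d].next_hop == sender]
            self._rerr(nb, affected)


if __name__ == "__main__":
    chain = Network({"A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C"]})
    print(chain.discover("A", "D"), chain.route_to("A", "D"))   # 3 ('B', 3, True)
    chain.link_break("C", "D")
    print(chain.route_to("A", "D"), chain.discover("A", "D"))   # ('B', 3, False) None
```

On the four-node chain the first search with TTL_START fails, the second (TTL 3) reaches D, and a repeated request is answered by B from its cached route with TTL 1, which is what keeps expanding ring search cheap. After the C-D link breaks, the RERR reaches A and the next discovery exhausts the ring and the network-wide retries. Note what the duplicate cache does not do: it discards a repeated (source, RREQ ID) pair, but it does not authenticate the source, so the RREQ/RREP fields this simulation trusts (sequence numbers, hop counts, next hops) are exactly the ones the IDS of sections 2 and 3 has to watch.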
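Section 3.4 below gives the association module's FP-Growth mining procedure as SQL-style pseudocode over a header table, and sections 2 and 2.2.2 state that the frequent feature sets found this way form the normal profile against which intervals are judged. The following Python program is an added example, not the paper's code: it implements the standard in-memory FP-tree (header table with side links, conditional pattern bases, recursive mining) and applies it to constructed, discretized per-interval feature itemsets from attack-free traffic. The item names, the transactions, the minimum support and the rule "an interval is anomalous when its own feature combination was not a frequent pattern" are assumptions for the illustration.

```python
"""Added example (not the paper's code): FP-Growth frequent pattern mining
for the association module, applied to constructed per-interval feature
itemsets from attack-free traffic, plus an assumed anomaly check. Item names,
the transactions and the detection rule are assumptions."""
from collections import defaultdict


class FPNode:
    __slots__ = ("item", "count", "parent", "children", "link")

    def __init__(self, item, parent):
        self.item, self.count, self.parent = item, 0, parent
        self.children, self.link = {}, None   # link: next node with the same item


def build_tree(transactions, minsup):
    """Scan 1 counts items and drops the infrequent ones; scan 2 inserts each
    transaction, ordered by descending support, into the FP-tree. Returns
    the header table: item -> (support, first node in the side-link chain)."""
    counts = defaultdict(int)
    for items, weight in transactions:
        for item in items:
            counts[item] += weight
    frequent = {i: c for i, c in counts.items() if c >= minsup}
    root, header = FPNode(None, None), {}
    for items, weight in transactions:
        ordered = sorted((i for i in items if i in frequent),
                         key=lambda i: (-frequent[i], i))
        node = root
        for item in ordered:
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = FPNode(item, node)
                child.link = header[item][1] if item in header else None
                header[item] = (frequent[item], child)
            child.count += weight
            node = child
    return header


def conditional_base(header, item):
    """Prefix paths that end in `item`, each weighted by that node's count."""
    base, node = [], header[item][1]
    while node is not None:
        path, p = [], node.parent
        while p.item is not None:
            path.append(p.item)
            p = p.parent
        if path:
            base.append((path, node.count))
        node = node.link
    return base


def mine(transactions, minsup, postfix=()):
    """Recursive FP-Growth: for every frequent item emit item+postfix with its
    support, then mine the item's conditional pattern base with the grown
    postfix. Returns {sorted pattern tuple: support}."""
    header = build_tree(transactions, minsup)
    patterns = {}
    for item in sorted(header, key=lambda i: (header[i][0], i)):
        pattern = tuple(sorted((item,) + postfix))
        patterns[pattern] = header[item][0]
        patterns.update(mine(conditional_base(header, item), minsup, pattern))
    return patterns


def is_anomalous(patterns, interval):
    """Assumed detection rule: an interval is anomalous when its discretized
    feature combination was not itself frequent in the normal profile."""
    return tuple(sorted(interval)) not in patterns


# Constructed normal profile: (discretized features of an interval, how many
# intervals showed that combination) from attack-free training traffic.
NORMAL_INTERVALS = [
    (["data_rx_mid", "rreq_low", "rerr_none"], 6),
    (["data_rx_mid", "rreq_mid", "rerr_none"], 3),
    (["data_rx_low", "rreq_low", "rerr_none"], 2),
    (["data_rx_mid", "rreq_low", "rerr_some"], 1),
]
MINSUP = 3


def demo():
    patterns = mine(NORMAL_INTERVALS, MINSUP)
    flood = ["data_rx_high", "rreq_high", "rerr_none"]   # constructed DoS interval
    return len(patterns), is_anomalous(patterns, flood)


if __name__ == "__main__":
    print(demo())   # (11, True)
```

With minsup 3 the profile yields eleven frequent patterns; the combination (data_rx_mid, rerr_none, rreq_low) has support 6, whereas the constructed flood interval introduces items never seen at or above the minimum support and is flagged. Two items the pseudocode in section 3.4 leaves implicit are made explicit here: the side links (`link`) are what make the header-table walk in steps 5 to 10 cheap, and the minimum support is the only knob that trades false negatives (too high) against a bloated profile and false positives (too low).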
NEXT HOP Node Algorithm

The pseudo code for the proposed next-hop selection is as follows:

Step 1: Repeat steps 2 and 3 for all neighboring nodes I = 1 to n.
Step 2: Send a RREQ to node I.
Step 3: Get the RREP from node I.
Step 4: Repeat step 5 for all RREPs J = 1 to k: check whether any repeat-node is present in the RREPs.
Step 5: If yes, choose the RREP with the repeat-node as the route and exit.
Step 6: If there is no repeat-node, call the NEXTNODE function for each RREP, which returns the neighbors' details in next-hop.
Step 7: For each next-hop information, check whether the neighboring nodes of S are present or not.
Step 8: If yes, choose that route.
Step 9: If no, go to step 1.

3.4. ASSOCIATION MODULE

The FP-Growth algorithm is used for detection. The mining procedure, expressed over a header table of (header id, item, count) rows, is:

Procedure mine(h_id)
Step 1: For each h_rec in (select header_id, item, count from header where header_id = h_id):
Step 2:   If h_rec.count >= minsup then
Step 3:     Output the long pattern (h_rec.item, postfix), using the header's postfix;
Step 4:     new_header := generate new header id;
Step 5:     For each node n located on the paths upwards from the h_rec.item nodes, having sidelink = Y:
Step 6:       n.count := sum of the counts of the leaves;
Step 7:       n.sidelink := Y;
Step 8:       If (new_header, n.item) exists in header then
Step 9:         Add n.count to the header row identified by (new_header, n.item)
Step 10:      Else insert (new_header, n.item, n.count) into header;
Step 11:    For each node n not located on the paths upwards from the h_rec.item nodes, having sidelink = Y and item < h_rec.item:
Step 12:      n.sidelink := N;
Step 13:    mine(new_header);

3.5. POWER CONSUMPTION

The proposed Intrusion Detection System (IDS) is built on a mobile agent framework. It is a non-monolithic system and employs several sensor types that perform specific functions:

Network monitoring: only certain nodes will have sensor agents for network packet monitoring, since we are interested in preserving the total computational power and battery power of the mobile hosts.
Host monitoring: every node on the mobile ad hoc network will be monitored internally by a host-monitoring agent. This includes monitoring system-level and application-level activities.

Decision making: every node will decide on the intrusion threat level on a host-level basis. Certain nodes will collect intrusion information and make collective decisions about network-level intrusions.

Action: every node will have an action module that is responsible for resolving an intrusion situation on a host (such as locking out a node, killing a process, etc.).

Each module represents a lightweight mobile agent with a certain functionality, making the overall system efficient and the total

network load smaller by separating the functional tasks into categories and dedicating an agent to each specific purpose. In this way the workload of the proposed IDS is distributed among the nodes, minimizing the power consumption and IDS-related processing time of all nodes.

4. CONCLUSIONS

This paper discusses an algorithm to minimize power consumption and reduce bandwidth consumption in a distributed MANET environment. Optimal route maintenance is achieved by the neighboring node algorithm, which helps in choosing a secure path over the insecure network. The FP-Growth algorithm allows efficient detection of intruders in the wireless environment, reducing the number of false positives and improving the overall efficiency of the network. The neighboring node algorithm also identifies legitimate users and stores their data for future reference, avoiding redundant storage of user data. Implementing this work will enhance device performance.

5. REFERENCES

[1] V. Anjana Devi and R. S. Bhuvaneswaran, "Anomaly based Cross Layer Intrusion Detection System for MANET", International Journal of Network Security and its Applications, Vol. 3, No. 5, pp. 243-256, 2011.
[2] V. Anjana Devi and R. S. Bhuvaneswaran, "Agent based Cross Layer Intrusion Detection System for MANET", 4th International Conference CNSA 2011, Springer CCIS 196, pp. 427-440, 2011.
[3] Hong Ding and Xiaomei Xu, "Real-Time Cooperation Intrusion Detection System for MANETs", 1st International Conference on Wireless, Mobile and Multimedia Networks, pp. 1-4, 2006.
[4] A. Karygiannis, E. Antonakakis and A. Apostolopoulos, "Detecting Critical Nodes for MANET Intrusion Detection Systems", Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, pp. 9-15, 2006.
[5] N. Ye, X. Li, et al., "Probabilistic Techniques for Intrusion Detection Based on Computer Audit Data", IEEE Transactions on Systems, Man, and Cybernetics, pp. 266-274, 2001.
[6] S. Bo, W. Kui and U. W. Pooch, "Towards Adaptive Intrusion Detection in Mobile Ad Hoc Networks", IEEE Global Telecommunications Conference, pp. 3551-3555, 2004.
[7] Csaba István Sidló and András Lukács, "Shaping SQL-Based Frequent Pattern Mining Algorithms", 2007.
[8] C. E. Perkins, S. R. Das and E. Royer, "Ad-Hoc On Demand Distance Vector (AODV)", August 2000.
[9] C. Krugel and T. Toth, "Applying mobile agent technology to intrusion detection", ICSE Workshop on Software Engineering and Mobility, 2001.
[10] W. Jansen, P. Mell, T. Karygiannis and D. Marks, "Applying mobile agents to intrusion detection and response", Technical report, NIST Interim Report 6416, October 1999.
