MAC layer anomaly detection in ad hoc networks

It is evident that traditional end-to-end intrusion detection mechanisms developed for wireless local area networks (WLANs) and wired networks are no longer sufficient for breach investigation in ad hoc networks. Most existing intrusion detection techniques for ad hoc networks are proposed at the network layer. In general, these techniques have difficulty localizing the attack source and cannot respond to attacks promptly. In this paper, we investigate the use of MAC layer traffic data to characterize normal behavior in the neighborhood of a mobile node and to detect misbehaving nodes through MAC layer anomalies. In particular, we evaluate and select a set of MAC layer features to profile the normal behavior of mobile nodes, and then apply cross-feature analysis to feature vectors constructed from training data according to the proposed feature set. We are able to reliably detect MAC layer anomalies, some of which may in fact be caused by misbehavior at the network layer, since most routing attacks directly impact MAC layer operations. We validate our work through ns-2 simulations. Experimental results show the effectiveness of our method.
