A framework for intrusion detection systems by social network analysis methods in ad hoc networks

Social network analysis (SNA), originally introduced to provide a mathematical framework for analyzing human interactions and economic relationships, has recently been successfully applied to characterizing information propagation in wireless networks. In this paper, we introduce an SNA method as a new approach to building an intrusion detection system (SN-IDS) in mobile ad hoc networks. Unlike most traditional IDS approaches, the SN-IDS uses social relations as the metrics of interest for anomaly detection. The social system can capture and represent network statistics similar to those used in data-mining-based IDSs. To construct proper social networks, we first investigate ad hoc MAC and network layer data attributes and select relevant social feature sets; we then build a set of socio-matrices based on these features. Social analysis methods are applied to these matrices to detect suspicious activities and behaviors of mobile nodes. The detection results can be based on single-relation or multi-relation rules. Finally, we analyze the performance of this SN-IDS under different simulated mobility conditions and traffic patterns. NS-2 simulation results show that this SN-IDS can effectively detect common attacks with high detection rates and low false alarm rates. Furthermore, it has clear advantages over the conventional association-rule-based data mining IDS in terms of computation and system complexity. Copyright © 2009 John Wiley & Sons, Ltd.
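The pipeline the abstract outlines (features, then socio-matrices, then social analysis, then single- or multi-relation rules) can be sketched as follows. This is an added example, not code from the paper: the two relations ("rrep" and "data"), the use of valued out-degree centrality, the z-score threshold k and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sociomatrices(records):
    """records: (window, relation, src, dst) -> {window: {relation: {(src, dst): count}}}"""
    mats = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for window, relation, src, dst in records:
        mats[window][relation][(src, dst)] += 1
    return mats

def out_degree(matrix, node):
    """Valued out-degree centrality: the sum of row `node` of a socio-matrix."""
    return sum(c for (src, _), c in matrix.items() if src == node)

def deviation(mats, baseline, window, relation, node):
    """Z-score of the node's out-degree in `window` against its baseline windows."""
    history = [out_degree(mats[w][relation], node) for w in baseline]
    sigma = pstdev(history) or 1.0  # flat history: avoid division by zero
    return (out_degree(mats[window][relation], node) - mean(history)) / sigma

def detect(mats, baseline, window, nodes, k=3.0):
    """Single-relation rule: |z| > k on either relation (assumed rule).
    Multi-relation rule: route replies abnormally high AND data abnormally low."""
    alerts = {}
    for n in nodes:
        z_rrep = deviation(mats, baseline, window, "rrep", n)
        z_data = deviation(mats, baseline, window, "data", n)
        single = abs(z_rrep) > k or abs(z_data) > k
        multi = z_rrep > k and z_data < -k
        if single or multi:
            alerts[n] = {"single": single, "multi": multi}
    return alerts

def sample_records():
    """Constructed traffic: windows 0-2 are the baseline, window 3 is under test."""
    recs = []
    for w in (0, 1, 2):
        for n, peer in (("A", "B"), ("B", "C"), ("C", "A")):
            recs += [(w, "rrep", n, peer)] * (2 + w % 2)  # 2, 3, 2 route replies
            recs += [(w, "data", n, peer)] * (20 + w)     # 20, 21, 22 data packets
    recs += [(3, "rrep", "A", "B")] * 2 + [(3, "data", "A", "B")] * 21
    recs += [(3, "rrep", "B", "C")] * 6 + [(3, "data", "B", "C")] * 21   # reply burst only
    recs += [(3, "rrep", "C", "A")] * 15 + [(3, "data", "C", "A")] * 1   # both relations shift
    return recs

if __name__ == "__main__":
    mats = build_sociomatrices(sample_records())
    print(detect(mats, baseline=(0, 1, 2), window=3, nodes=("A", "B", "C")))
```

On the constructed data, node B trips only the single-relation rule while node C trips both, which shows how a multi-relation rule can narrow the alerts that one relation alone would raise.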
