Journal of Systems Engineering and Electronics Vol. 19, No. 4, 2008, pp.851–859

Distributed intrusion detection for mobile ad hoc networks*

Yi Ping1,2, Jiang Xinghao1, Wu Yue1 & Liu Ning1

1. School of Information Security Engineering, Shanghai Jiaotong Univ., Shanghai 200030, P. R. China;
2. State Key Lab of Information Security, Graduate School of Chinese Academy of Sciences, Beijing 100039, P. R. China

(Received March 10, 2007)

Abstract: Mobile ad hoc networking (MANET) has become an exciting and important technology in recent years because of the rapid proliferation of wireless devices. Mobile ad hoc networks are highly vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, and lack of a centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective given those features. A distributed intrusion detection approach based on timed automata is given. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. The timed automata are then constructed by manually abstracting the correct behaviours of a node according to the dynamic source routing (DSR) protocol. The monitor nodes can verify the behaviour of every node by timed automata, and validly detect real-time attacks without intrusion signatures or trained data. Compared with the architecture where each node is its own IDS agent, the approach is much more efficient while maintaining the same level of effectiveness. Finally, the intrusion detection method is evaluated through simulation experiments.

Keywords: mobile ad hoc networks, routing protocol, security, intrusion detection, timed automata.

1. Introduction

Mobile ad hoc networks are collections of wireless computers communicating among themselves over possibly multi-hop paths, without the help of any infrastructure such as base stations or access points[1]. Nodes in a mobile ad hoc network collaboratively contribute to routing by forwarding packets for each other, which allows nodes to communicate beyond direct wireless transmission range; hence practically all nodes may act as both hosts and routers. Mobile ad hoc networks require no centralized administration or fixed network infrastructure and can be quickly and inexpensively set up as needed. They can thus be used in scenarios where no infrastructure exists, such as military applications, emergency operations, personal electronic device networking, and civilian applications like an ad hoc meeting or an ad hoc classroom.

With more and more applications, security for mobile ad hoc networks becomes increasingly important. Several secure solutions for mobile ad hoc networks have been proposed so far[2-3], but most of them are key management and authentication[4-5] or secure routing protocols[6], i.e. prevention techniques. Prevention methods such as encryption and authentication can reduce attacks in mobile ad hoc networks but hardly eliminate them. When nodes roam in a hostile environment with relatively poor physical protection, there is some probability of their being compromised, and compromised nodes may launch attacks from within the network[7]. Encryption and authentication cannot defend against compromised nodes, which carry the private keys. In addition, a perfect protective security solution for all practical purposes is impossible: no matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in. Intrusion detection should therefore be the second wall of defence for security in mobile ad hoc networks.

This article analyzes some of the vulnerabilities, specifically discussing attacks against DSR that manipulate routing messages, and proposes a solution based on timed automata to detect attacks on DSR. First, we design a distributed and cooperative intrusion detection architecture composed of distributed monitor nodes. Intrusion detection in mobile ad hoc networks must be carried out in a distributed fashion because there is no infrastructure and no central administration. Each network monitor node runs independently and monitors all nodes in its zone to find local intrusions; to track moving nodes, monitors may exchange information with neighbouring monitors. Considering resource constraints, only some nodes in the network are selected as network monitors, and we describe an algorithm by which the nodes periodically, randomly, and fairly elect a monitor node for the entire zone. Second, we propose a timed automata-based intrusion detection system that can detect attacks on the DSR routing protocol. In timed automata-based intrusion detection, the correct behaviours of critical objects are manually abstracted and crafted as security specifications, and these are compared with the actual behaviour of the objects. The technique may detect previously unknown attacks while exhibiting a low false positive rate. Network monitors trace the data flow at every node and audit every forwarded packet with the automata; if some node behaves incorrectly, it will be found and an alarm will be sent out.

* This project was supported by the National High Technology Development "863" Program of China (2006AA01Z436, 2007AA01Z452) and the National Natural Science Foundation of China (60702042).

2. Related work

Papers on mobile ad hoc network security can be classified into three categories: key management, secure network routing, and intrusion detection. Capkun, Buttyan, and Hubaux proposed a fully self-organized public key management system that can be used to support the security of ad hoc network routing protocols[8]. Zhou and Haas first proposed threshold cryptography to securely distribute the certificate authority private key over multiple nodes to form a collective CA service[9]. Routing security was most noted by its absence early in the discussion and research on ad hoc routing protocols. Since then several ad hoc routing protocols that include some security services have been proposed: SRP[10], Ariadne[11], ARAN[12], and SEAD[13]. SRP[10] assumes the existence of shared secrets between all pairs of communicating nodes and leverages them for MAC authentication, so that fake route requests are not accepted at the destination and routes set in route replies cannot be modified. Ariadne[11] obtains end-to-end authentication by a one-way hash chain and MAC authentication. ARAN[12] relies on public key certificates to provide hop-by-hop authentication. SEAD[13] uses elements from a one-way hash chain to authenticate both the sequence number and the metric in each entry. Zhang and Lee described a distributed and cooperative intrusion detection model[14]. In this model an IDS agent runs at each mobile node and performs local data collection and local detection, whereas cooperative detection and global intrusion response can be triggered when a node reports an anomaly. The main contribution of that article is a distributed and cooperative intrusion detection architecture based on statistical anomaly detection techniques; however, the design of actual detection techniques, their performance and their verification were not addressed. Zhang and Lee described some experiments and performance results in Ref. [15].

Oleg Kachirski and Ratan Guha proposed a distributed intrusion detection system based on mobile agent technology[16]. In contrast to the above architecture, their agents do not run on every node and can be dynamically increased and decreased according to network resources. The architecture aims to minimize the cost of network monitoring and of maintaining a monolithic IDS system.

R. S. Puttini et al proposed a distributed and modular architecture for IDS[17], with a signature-based approach to detect two types of intrusion; the architecture may not detect unknown attacks. Yian Huang and Wenke Lee addressed a cooperative intrusion detection system for ad hoc networks[18]. In that article, a set of rules is presented to identify the type of attack or the misbehaving nodes, but the authors ignored the modification attack. Bo Sun et al presented an intrusion detection agent model which utilizes a Markov chain based anomaly detection algorithm to construct the local detection engine[19]. P. Albers et al presented a general intrusion detection architecture using agents[20]. In that architecture, the agents use simple network management protocol (SNMP) data located in management information bases (MIB) as the audit source. S. Bhargava and D. P. Agrawal presented an intrusion detection and intrusion response model for ad hoc networks[21]. Wang Weichao et al presented the detection of false destination sequence numbers carried in RREQ packets[22]. Subhadrabandhu D. presented a framework for misuse detection, which includes two approximation algorithms that approximate the optimal solution within a constant factor, and proved that they attain the best possible approximation ratios[23]. Chinyang Henry Tseng proposed a specification-based intrusion detection model for ad hoc routing protocols in which network nodes are monitored for operations that violate their intended behaviour[24].

3. Background

3.1 Overview of DSR

Dynamic source routing (DSR)[25] is an entirely on-demand ad hoc network routing protocol composed of two parts: route discovery and route maintenance. In DSR, whenever a node needs to send a packet to some destination for which it does not currently have a route in its route cache, the node initiates route discovery to find one. The initiator broadcasts a ROUTE REQUEST packet to its neighbours, specifying the target and a unique identifier chosen by the initiator. Each node that receives the ROUTE REQUEST discards it if it has recently seen this request identifier from the initiator; otherwise, it appends its own address to the address list in the REQUEST and rebroadcasts the REQUEST. When the ROUTE REQUEST reaches its target node, the target sends a ROUTE REPLY back to the initiator of the REQUEST, including a copy of the accumulated list of addresses from the REQUEST. When the REPLY reaches the initiator, it caches the new route in its route cache. An intermediate node also sends a ROUTE REPLY if it has a route to the destination. Route maintenance is the mechanism by which a node sending a packet along a specified route to some destination detects whether that route has broken. If, after a limited number of local retransmissions of the packet, a node in the route is unable to confirm delivery to the next hop, it returns a ROUTE ERROR to the original source of the packet, identifying the link from itself to the next node as broken. The sender then removes this broken link from its route cache; for subsequent packets to this destination, the sender may use any other route to that destination in its cache, or it may attempt a new route discovery for that target if necessary.

3.2 Timed automata

Timed automata[26] were introduced as a formal notation to model the behaviour of real-time systems. A timed automaton is a finite automaton augmented with a finite set of clocks. The vertices of the automaton are called locations, and its edges are called switches. While switches are instantaneous, time can elapse in a location. A clock can be reset to zero simultaneously with any switch. At any instant, the reading of a clock equals the time elapsed since the last time it was reset. With each switch we associate a clock constraint and require that the switch may be taken only if the current values of the clocks satisfy this constraint. Timed automata accept timed words, that is, strings of symbols tagged with occurrence times.

3.3 Vulnerabilities and attacks for DSR

3.3.1 Modification attack

DSR does not address security concerns, so it allows


intruders to easily launch various types of attack by modifying the route information. In DSR, some critical fields such as the source address, destination address, and address list are very important, and any misuse of these fields can cause DSR to malfunction. An intruder may use the following ways against DSR. When forwarding a packet, the attacker can insert, delete, or modify entries in the address list. Malicious nodes can cause redirection of network traffic and denial of service by altering control message fields or by forwarding routing messages with falsified values. For example, consider five nodes A, B, C, D, and E, where A is the originating node and E the destination. Figure 1 illustrates the normal process when nodes receive and forward route packets. The upper line shows the processing of the ROUTE REQUEST and the letters indicate the address list in the ROUTE REQUEST: when a node receives the ROUTE REQUEST, it appends its own address to the address list in the REQUEST and rebroadcasts the REQUEST. The lower line shows the processing of the ROUTE REPLY and the letters indicate the address list in the ROUTE REPLY.

Fig. 1 The address list of the packet when forwarding ROUTE REQUEST and replying ROUTE REPLY

Figure 2 illustrates an example of a modification attack. Node C is an attacker. When node C receives the ROUTE REPLY, it deletes the address of node D from the address list. As a result, the originator A sets up the erroneous path "ABCE" when it receives the ROUTE REPLY. When A sends packets along this path, they cannot reach the destination without being forwarded by node D, so the modification results in denial of service. Similarly, the attacker may alter the address list when it forwards a ROUTE REQUEST or data packets, and it may modify the source address or destination address of a packet when it forwards the packet.

Fig. 2 Altering the address list of a ROUTE REPLY

3.3.2 Drop attack

If a malicious node joins a network or compromises a legitimate node, it can silently drop some or all of the data packets transmitted to it for further forwarding. We call this a drop attack. A malicious packet drop attack is a serious threat to the routing infrastructure of mobile ad hoc networks, as it is easy to launch and difficult to detect. Especially in the dynamic topology of mobile ad hoc networks, it is difficult to differentiate malicious packet dropping from a broken link.

3.3.3 Impersonation attack

An impersonation attack occurs when a node misrepresents its identity in the network, such as by altering its IP address in outgoing packets, and is readily combined with modification attacks. For example, in Fig. 1 the attacker C can send a lot of attacking packets to node E by impersonating node A: C fills the originator address of the attacking packets with the address of A. When node E receives the attacking packets, it judges the attacker to be node A. The attacker C thus not only succeeds in attacking the victim, but also hides its malicious activity.

3.3.4 Fabrication attack

The generation of false routing messages is classified as a fabrication attack. Such attacks can be difficult to verify as invalid constructs, especially in the case of fabricated error messages that claim a neighbour cannot be contacted. DSR performs route maintenance to recover broken paths when nodes move. If the source node moves and the route is still needed, route discovery is reinitiated. If the destination node or an intermediate node along an active path moves, the node upstream of the link break broadcasts a ROUTE ERROR to all active upstream neighbours and invalidates the route for this destination in its routing table. The vulnerability is that routing attacks can be launched by sending fabricated ROUTE ERROR messages. Suppose node A has a route to node E via nodes B, C, and D, as shown in Fig. 1. The malicious node C can launch a denial-of-service attack against E by continually sending route error messages spoofed as coming from node D, indicating a broken link between nodes D and E. B receives the spoofed ROUTE ERROR and thinks that it came from D; B deletes its routing table entry and forwards the ROUTE ERROR to A, which also deletes its routing table entry. The attacker thus succeeds in cutting off the path between A and E by fabricating the ROUTE ERROR.
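The route discovery and route maintenance of Section 3.1, run on the five-node chain of Fig. 1, as an added Python example (not the paper's code or the ns-2 model it evaluates). The chain topology, the packet layout, the cache format, and the rule that an intermediate node's reply concatenates its cached route to the accumulated list are assumptions made for the example; the address lists it records at B, C, D and E are the upper line of Fig. 1, and the ROUTE ERROR handling at the end is the cache invalidation the text describes.

```python
"""DSR route discovery / maintenance on the chain A-B-C-D-E of Fig. 1.
Added example, not the paper's code. Topology, packet layout, cache format
and the intermediate-reply rule are constructed assumptions."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

REQUEST, REPLY = "ROUTE REQUEST", "ROUTE REPLY"


@dataclass(frozen=True)
class Packet:
    kind: str
    src: str                 # initiator of the request / sender of the reply
    dst: str                 # target of the request / initiator receiving the reply
    ident: int               # unique request identifier chosen by the initiator
    route: Tuple[str, ...]   # accumulated address list


class Node:
    def __init__(self, addr: str):
        self.addr = addr
        self.seen = set()                                # (initiator, ident) already processed
        self.cache: Dict[str, Tuple[str, ...]] = {}      # dst -> addresses after self

    def handle_request(self, req: Packet):
        """Return (action, packet) with action 'discard', 'reply' or 'rebroadcast'."""
        key = (req.src, req.ident)
        if key in self.seen:                             # recently seen: discard
            return "discard", None
        self.seen.add(key)
        if req.dst == self.addr:                         # we are the target
            return "reply", Packet(REPLY, self.addr, req.src, req.ident,
                                   req.route + (self.addr,))
        if req.dst in self.cache:                        # intermediate node with a cached route
            return "reply", Packet(REPLY, self.addr, req.src, req.ident,
                                   req.route + (self.addr,) + self.cache[req.dst])
        return "rebroadcast", replace(req, route=req.route + (self.addr,))

    def on_route_error(self, frm: str, to: str) -> None:
        """Route maintenance: drop every cached route that uses the broken link frm->to."""
        for dst, tail in list(self.cache.items()):
            full = (self.addr,) + tail
            if any(full[i] == frm and full[i + 1] == to for i in range(len(full) - 1)):
                del self.cache[dst]


def chain_links() -> Dict[str, List[str]]:
    """Constructed topology of Fig. 1: A-B-C-D-E with single-hop links only."""
    return {"A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C", "E"], "E": ["D"]}


def fresh_nodes(links) -> Dict[str, Node]:
    return {addr: Node(addr) for addr in links}


def discover(links, nodes, src: str, dst: str, ident: int):
    """Flood a ROUTE REQUEST from src; return (source route learned at src, trace).
    trace records (node, action, address list as received) in processing order."""
    if dst in nodes[src].cache:                          # route known: no discovery needed
        return (src,) + nodes[src].cache[dst], []
    trace: List[Tuple[str, str, Tuple[str, ...]]] = []
    _, pkt = nodes[src].handle_request(Packet(REQUEST, src, dst, ident, ()))
    queue, replies = deque([(src, pkt)]), []
    while queue:
        sender, pkt = queue.popleft()
        for nb in links[sender]:
            action, out = nodes[nb].handle_request(pkt)
            trace.append((nb, action, pkt.route))
            if action == "reply":
                replies.append(out)
            elif action == "rebroadcast":
                queue.append((nb, out))
    if not replies:
        return None, trace
    nodes[src].cache[dst] = replies[0].route[1:]         # first REPLY back is cached
    return replies[0].route, trace


def request_lists(trace) -> Dict[str, Tuple[str, ...]]:
    """Address list each node saw in the REQUEST it acted on (the upper line of Fig. 1)."""
    return {node: lst for node, action, lst in trace if action != "discard"}


if __name__ == "__main__":
    links, nodes = chain_links(), fresh_nodes(chain_links())
    route, trace = discover(links, nodes, "A", "E", 1)
    print("route cached at A:", route)
    print("REQUEST lists seen:", request_lists(trace))
    nodes["A"].on_route_error("D", "E")
    print("routes to E left at A after ROUTE ERROR D->E:", nodes["A"].cache.get("E"))
```

Running it on the chain reproduces Fig. 1: B, C, D and E see the lists A, AB, ABC and ABCD, E's reply carries ABCDE, and a ROUTE ERROR for the link D to E removes that route from A's cache so the next packet to E triggers a new discovery. Giving C a cached tail to E before a second discovery shows the intermediate-reply case, in which D and E never see the request.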

4. Intrusion detection for DSR

4.1 Algorithm of voting monitor

The resources of battery power, CPU, and memory in nodes are limited, and it is not efficient to make each node a monitor node. Instead, we select some nodes as monitors to monitor the entire network and save network resources. A network monitor is a node that monitors the behaviour of the nodes within its monitor zone, the 1-hop vicinity of the monitor. The process of electing a monitor should guarantee fairness and randomness. By fairness we mean that every node should have a fair chance to serve as a monitor. Note that fairness has two components: fair election and equal service time. We currently do not consider differentiated capability or preference and assume that every node is equally eligible. Thus fair election implies randomness in the election decision, while equal service time can be implemented by periodic fair re-election. The randomness of the election process also helps guarantee security. When a monitor node is compromised, it may not carry out its normal monitoring function and can launch certain attacks without being detected, because it is the only node in the zone that is supposed to run the IDS and its IDS may already have been disabled. But after a service period another node will be selected as monitor, and at that time the intrusion will be found by the normal monitor node.

The algorithm is composed of two parts, namely the selection phase and the maintenance phase. In the selection phase, the monitor is selected by competition. At first there is no monitor in the network. After a period, any node may broadcast the packet "I am a monitor" and become a monitor; the packet is not forwarded. Any node that receives the announcement becomes a monitored node and cannot broadcast the announcement. When a monitor has been selected, the selection phase is finished and the algorithm enters the maintenance phase. In the maintenance phase, the monitor broadcasts the announcement periodically to keep up its monitor role. After a period, the monitor terminates its monitoring work and a new selection phase begins. To ensure fairness and randomness of selection, the predecessor does not take part in the selection, unless it is the only node in the entire zone. Monitors or nodes may move out of the zone because of the dynamic topology: if a node does not receive the announcement packet before a timeout, it can start the selection process and declare itself a monitor. Figure 3 shows monitors and their monitor zones. When two monitors move next to each other for an extended period of time, the one whose ID is bigger loses its role as monitor. Whenever a monitor hears announcement messages from another monitor, it sets a timer; when the timer expires, it checks whether it is still in contention with the other monitor, i.e. whether that monitor is still in its neighbourhood. If so, it compares its own ID with that of the other monitor: the one with the smaller ID continues to act as monitor, and the one with the bigger ID gives up its role.
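A simulation of the election just described, for a single zone, as an added example (not the paper's simulator). Discrete ticks, a random backoff deciding which candidate broadcasts first, nodes staying within one hop of each other for the whole run, and the four constants at the top are assumptions of the example; the exclusion of the predecessor and the smaller-ID rule for contending monitors are the paper's.

```python
"""Monitor election in one zone (Section 4.1): selection phase, maintenance
phase, predecessor excluded, smaller ID wins contention.
Added example, not the paper's simulator. Ticks, backoff and the constants
below are assumptions."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERVICE_PERIOD = 10     # ticks a monitor serves before it steps down
ANNOUNCE_INTERVAL = 3   # ticks between "I am a monitor" broadcasts
TIMEOUT = 5             # ticks of silence before nodes may start a selection
BACKOFF_SLOTS = 8       # random backoff range deciding who announces first


def eligible(nodes: List[int], predecessor: Optional[int]) -> List[int]:
    """Nodes allowed to compete: the outgoing monitor sits out the selection
    unless it is the only node in the zone."""
    others = [n for n in nodes if n != predecessor]
    return others if others else list(nodes)


def resolve_contention(monitor_a: int, monitor_b: int) -> int:
    """Two monitors that stay in each other's neighbourhood: the smaller ID
    keeps the role, the bigger one gives it up."""
    return min(monitor_a, monitor_b)


def elect(candidates: List[int], rng: random.Random) -> int:
    """Selection by competition: every candidate draws a random backoff and the
    first to broadcast "I am a monitor" wins; the others become monitored nodes.
    A simultaneous broadcast is settled like any other contention."""
    backoff = {n: rng.randrange(BACKOFF_SLOTS) for n in candidates}
    winner = candidates[0]
    for n in candidates[1:]:
        if backoff[n] < backoff[winner]:
            winner = n
        elif backoff[n] == backoff[winner]:
            winner = resolve_contention(winner, n)
    return winner


@dataclass
class Zone:
    nodes: List[int]
    seed: int = 0
    monitor: Optional[int] = None
    predecessor: Optional[int] = None
    last_announce: int = -TIMEOUT          # tick of the last announcement heard
    service_start: int = 0
    history: List[Tuple[int, int]] = field(default_factory=list)   # (tick, monitor)

    def __post_init__(self):
        self.rng = random.Random(self.seed)   # seeded so a run is reproducible

    def step(self, tick: int) -> None:
        if self.monitor is None:
            # selection phase: starts only after the zone has been silent for TIMEOUT ticks
            if tick - self.last_announce < TIMEOUT:
                return
            self.monitor = elect(eligible(self.nodes, self.predecessor), self.rng)
            self.service_start = self.last_announce = tick
            self.history.append((tick, self.monitor))
            return
        # maintenance phase: periodic announcements, then hand over after SERVICE_PERIOD
        if tick - self.service_start >= SERVICE_PERIOD:
            self.predecessor, self.monitor = self.monitor, None
        elif tick - self.last_announce >= ANNOUNCE_INTERVAL:
            self.last_announce = tick

    def run(self, ticks: int) -> List[Tuple[int, int]]:
        for t in range(ticks):
            self.step(t)
        return self.history


def service_counts(history) -> Dict[int, int]:
    """How often each node served: a fair election spreads the role evenly."""
    counts: Dict[int, int] = {}
    for _, m in history:
        counts[m] = counts.get(m, 0) + 1
    return counts


if __name__ == "__main__":
    hist = Zone(nodes=[1, 2, 3, 4, 5], seed=7).run(2000)
    print("elections:", len(hist), "service counts:", service_counts(hist))
```

Because the outgoing monitor is excluded, no node serves two consecutive periods while the zone has more than one node, and over a long run every node serves roughly equally often; a zone with a single node keeps re-electing that node, which is the exception the text allows. With the constants above the last announcement of a period falls at tick 9 of the service, so a new selection starts 14 ticks after the previous one.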

Fig. 3 Monitor and its monitor zone

4.2 Timed automata for DSR

A monitor employs timed automata to detect incorrect behaviour in a node. It maintains a timed automaton for each data flow in each node. In DSR, a node can receive and forward four types of packets, i.e. ROUTE REQUEST, ROUTE REPLY, ROUTE ERROR, and DATA. We first address how to deal with the case where the node receives one of the four packets. Figure 4 shows the constraints of the timed automata. The start state is S1. When the node receives a packet, the automaton goes to state S2. If the packet is a ROUTE REQUEST, the automaton goes to state S3 and clock t1 is set to 0. We set up a specified time T1, and consider that the node has discarded the packet if it does not forward or reply to the packet within T1. If it is the target of the ROUTE REQUEST, the node returns a ROUTE REPLY to the initiator of the ROUTE REQUEST within T1; the automaton goes to state S4 and checks the ROUTE REPLY according to the routing protocol. If some fields of the ROUTE REPLY are maliciously modified, the automaton goes to state Alarm1 and raises a modification alarm. Otherwise, the automaton goes to terminal state S7. If this node has recently seen the same ROUTE REQUEST, it discards the packet and the automaton goes to terminal state S7. If the node forwards the ROUTE REQUEST within T1, the automaton goes to state S5 and checks the forwarded packet according to the routing protocol. If some fields of the ROUTE REQUEST are maliciously modified, the automaton goes to state Alarm1 and raises a modification alarm. Otherwise, the automaton goes to terminal state S7. If the packet has not been forwarded after the specified time T1, the monitor inquires of its neighbours and the automaton goes to state S6; at the same time, clock t2 is set to 0. Sometimes the node may move out of the zone of the monitor, and the monitor cannot hear that it has forwarded the packet. Therefore, the monitor asks the neighbouring monitors whether the node has forwarded the packet. If a neighbour has received the packet, it sends it to the monitor for comparison. We set up a specified time T2, and consider that neighbour nodes have received the packet if some neighbour answers the enquiry within T2. If clock t2 > T2 and no neighbour answers, it implies that no neighbour has received the packet; the automaton goes to state Alarm2 and raises a packet-drop alarm. If a neighbour answers the enquiry within T2, the automaton goes to state S8; then, if the packet is a ROUTE REPLY, the automaton goes to state S4, otherwise to state S5.

We use the same automaton process for the other three kinds of packets, i.e. ROUTE REPLY, ROUTE ERROR, and DATA, as they are handled in the same way. The start state is S1. When the node receives a packet, the automaton goes to state S2. If the packet is one of the three packets, the automaton goes to state S9 and clock t1 is set to 0. If the node is the destination of the packet, the automaton goes to terminal state S12. If the node forwards the packet within T1, the automaton goes to state S10 and checks the forwarded packet according to the routing protocol. If some fields of the packet are maliciously modified, the automaton goes to state Alarm1 and raises a modification alarm; otherwise it goes to terminal state S12. When the node does not forward the packet within the period T1, the monitor inquires of its neighbouring monitors. If some neighbour received the packet, it sends it to the monitor for comparison within T2; the automaton then goes to state S11 and clock t2 is set to 0. Otherwise, if no neighbour answers the enquiry within T2, the automaton goes to state Alarm2. Figure 4 shows the process when a node receives a packet.

Fig. 4 The timed automata when a node receives a packet

Figure 5 illustrates the process when a node sends a packet that the monitor has not heard it receive; otherwise the process is as shown in Fig. 4. The start state is S1. When the monitor observes the monitored node sending such a packet, the automaton goes to state S2. Then, if the packet is an originated packet, the automaton goes to state S4. The monitor compares the source address of the packet with the address of the node that sent it. If the two addresses match, the automaton goes to the terminal state; otherwise, it goes to state Alarm3 and raises an impersonation alarm. Alarm3 implies that the node is impersonating another node by misrepresenting its identity. If the packet is a forwarded packet, the automaton goes to state S3 and clock t3 is set to 0. S3 indicates that the packet was received before, but the monitor did not hear it being received. Therefore, if one of the neighbouring monitors inquires about the packet, we can infer that the packet was indeed received and forwarded; the monitor sends the packet messages to the neighbour and the automaton goes to the terminal state. If it receives no enquiry after a specified time T3, the monitor itself inquires of its neighbours about the packet. If some neighbour received the packet, it answers the monitor within T2 and the automaton goes to the terminal state. If no neighbour answers within the specified time T2, it implies that no neighbour ever received the packet; the automaton goes to Alarm4, and the node may have fabricated the packet.
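The receive-side timed automaton of Fig. 4, together with the "check according to the routing protocol" that Sections 3.3.1 and 4.2 leave informal and the source-address comparison behind Alarm3 in Fig. 5, as an added Python example (not the paper's implementation). The packet fields, the specific forwarding rules checked, the event interface and the values of T1 and T2 are assumptions; the scenarios are constructed around the chain A-B-C-D-E of Fig. 1 with the monitor watching node C, including the Fig. 2 case where C deletes D from a ROUTE REPLY and the case where C has left the zone and a neighbouring monitor answers the inquiry.

```python
"""Monitor-side timed automaton for one packet received by a monitored node
(Fig. 4) plus the per-packet protocol check and the Alarm3 check of Fig. 5.
Added example, not the paper's code; packet fields, rules, events and the
values of T1/T2 are assumptions."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

T1 = 2.0   # time allowed for the node to forward or reply before the monitor inquires
T2 = 3.0   # time allowed for neighbouring monitors to answer the inquiry
REQUEST, REPLY, ERROR, DATA = "ROUTE REQUEST", "ROUTE REPLY", "ROUTE ERROR", "DATA"


@dataclass(frozen=True)
class Packet:
    kind: str
    src: str                 # originator address
    dst: str                 # destination address
    ident: int               # request identifier
    route: Tuple[str, ...]   # address list


def forward_ok(node: str, pkt_in: Packet, pkt_out: Packet) -> bool:
    """Assumed rule set: a ROUTE REQUEST is rebroadcast with exactly the forwarder's
    own address appended; any other packet must leave with every field untouched."""
    if pkt_in.kind == REQUEST:
        return pkt_out == replace(pkt_in, route=pkt_in.route + (node,))
    return pkt_out == pkt_in


def reply_ok(node: str, req: Packet, rep: Packet) -> bool:
    """Assumed rule: the target's ROUTE REPLY goes back to the initiator carrying
    the request's accumulated list plus the target itself."""
    return (rep.kind == REPLY and rep.src == node and rep.dst == req.src
            and rep.ident == req.ident and rep.route == req.route + (node,))


def originated_ok(node: str, pkt: Packet) -> bool:
    """Fig. 5, Alarm3: a packet a node originates must carry the node's own address."""
    return pkt.src == node


class ReceiveAutomaton:
    """State names follow Fig. 4 for a ROUTE REQUEST; the paper draws REPLY, ERROR
    and DATA as S9-S12 with the same checks, so here they share these states."""

    def __init__(self, node: str, seen: set):
        self.node, self.seen = node, seen      # seen: (src, ident) of requests handled
        self.state, self.pkt = "S1", None
        self.t1 = self.t2 = 0.0                # instants at which each clock was reset

    def _check(self, ok: bool) -> None:
        self.state = "S7" if ok else "ALARM1"  # terminal state or modification alarm

    def on_receive(self, pkt: Packet, now: float) -> None:
        self.pkt, self.state = pkt, "S2"
        if pkt.kind == REQUEST and (pkt.src, pkt.ident) in self.seen:
            self.state = "S7"                  # duplicate request: discarding it is correct
            return
        if pkt.kind == REQUEST:
            self.seen.add((pkt.src, pkt.ident))
        elif pkt.dst == self.node:
            self.state = "S7"                  # node is the destination (S12 in the paper)
            return
        self.state, self.t1 = "S3", now        # t1 := 0

    def on_forward(self, out: Packet, now: float) -> None:
        if self.state == "S3" and now - self.t1 <= T1:     # guard: t1 <= T1
            self.state = "S5"
            self._check(forward_ok(self.node, self.pkt, out))

    def on_reply(self, out: Packet, now: float) -> None:
        if self.state == "S3" and now - self.t1 <= T1 and self.pkt.dst == self.node:
            self.state = "S4"
            self._check(reply_ok(self.node, self.pkt, out))

    def on_neighbor_answer(self, copy: Packet, now: float) -> None:
        """A neighbouring monitor heard the node forward the packet outside our zone."""
        if self.state == "S6" and now - self.t2 <= T2:     # guard: t2 <= T2, via S8
            self.state = "S4" if copy.kind == REPLY else "S5"
            self._check(forward_ok(self.node, self.pkt, copy))

    def tick(self, now: float) -> Optional[str]:
        """Let time pass; returns 'INQUIRE' when the neighbours must be asked."""
        if self.state == "S3" and now - self.t1 > T1:
            self.state, self.t2 = "S6", now    # t2 := 0
            return "INQUIRE"
        if self.state == "S6" and now - self.t2 > T2:
            self.state = "ALARM2"              # nobody saw it forwarded: drop alarm
        return None


def run(node: str, events, seen=None) -> str:
    """Feed a time-ordered trace to a fresh automaton and return its final state.
    Events: ('recv'|'fwd'|'reply'|'nbr', time, packet) or ('tick', time)."""
    a = ReceiveAutomaton(node, set() if seen is None else seen)
    handlers = {"recv": a.on_receive, "fwd": a.on_forward,
                "reply": a.on_reply, "nbr": a.on_neighbor_answer}
    for ev in events:
        if ev[0] == "tick":
            a.tick(ev[1])
        else:
            handlers[ev[0]](ev[2], ev[1])
    return a.state


# Constructed scenarios: the monitor watches C; packets are what C hears from B or D.
REQ_AT_C = Packet(REQUEST, "A", "E", 7, ("A", "B"))
REP_AT_C = Packet(REPLY, "E", "A", 7, ("A", "B", "C", "D", "E"))
SCENARIOS = {
    "correct forward": [("recv", 0.0, REQ_AT_C),
                        ("fwd", 0.5, replace(REQ_AT_C, route=("A", "B", "C")))],
    "fig2 deletes D":  [("recv", 0.0, REP_AT_C),
                        ("fwd", 0.4, replace(REP_AT_C, route=("A", "B", "C", "E")))],
    "silent drop":     [("recv", 0.0, REP_AT_C), ("tick", 1.0), ("tick", 2.5), ("tick", 6.0)],
    "left the zone":   [("recv", 0.0, REQ_AT_C), ("tick", 2.5),
                        ("nbr", 4.0, replace(REQ_AT_C, route=("A", "B", "C")))],
}


def outcome(name: str) -> str:
    return run("C", SCENARIOS[name])
```

The clocks are stored as reset instants and every guard is a difference against the current time, which is exactly a clock constraint on a switch in the sense of Section 3.2. A correct forward ends in S7, the Fig. 2 deletion ends in ALARM1 because the forwarded ROUTE REPLY no longer equals the received one, a packet that is never forwarded and that no neighbour reports ends in ALARM2 once both T1 and T2 have elapsed, and a node that forwards after moving out of the zone is cleared when a neighbouring monitor's copy passes the same check.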

Fig. 5 The timed automata when a node sends a packet

5. Experimental results

To study the feasibility of our intrusion detection approach, we implemented the intrusion detection in a network simulator and conducted a series of experiments to evaluate its effectiveness. We used the wireless network simulation software of the network simulator ns-2. It includes simulation of wireless ad hoc network infrastructure, popular wireless ad hoc routing protocols (DSR, DSDV, AODV, and others), and a mobility scenario and traffic pattern generator. Our simulations are based on a 1 500 m by 300 m flat space scattered with 50 wireless nodes. The nodes move from a random starting point to a random destination with a randomly chosen speed, uniformly distributed between 0 and 20 m/s. When the destination is reached, another random destination is targeted after a pause time. The MAC layer used for the simulations is IEEE 802.11, which is included in ns-2. The transport protocol is the user datagram protocol (UDP), and each data packet is 512 bytes long. The traffic files are generated such that the source and destination pairs are randomly spread over the entire network; the number of sources is 10. The scenario files determine the mobility of the nodes; the mobility model is the random waypoint model in a rectangular field. The duration of each simulation is 900 s. The simulations were performed with a malicious node created in the network and the DSR protocol integrated with our intrusion detection model. Following the analysis of Section 2, we simulate 4 types of attack. Attack 1 is illegal modification, in which the intruder illegally inserts, deletes, or modifies the address list when it forwards a packet. Attack 2 is packet dropping, in which the intruder does not forward any packets and only receives them. Attack 3 is impersonation, in which the intruder impersonates another node to send packets such as ROUTE REQUEST, ROUTE REPLY, and ROUTE ERROR. Attack 4 is fabrication, in which the intruder forges packets that were not sent by the initiator. Table 1 shows the detection rates and false alarm rates. The detection rate of attack 3 is the highest.
The main reason may be that the monitor directly compares the source address of the packet with the address of the node that sent it, and does not require information from other monitors. The detection rate of attack 2 is the lowest. The main reason may be that the monitor has to get information from the other monitors before it makes a judgment. From the simulation results, we can conclude that this approach can detect intrusions efficiently with a low false alarm rate.

Table 1 Detection performance (%)

Attack type    Detection rate    False alarm rate
Attack 1       91.3              2.9
Attack 2       83.7              5.7
Attack 3       97.4              1.3
Attack 4       88.5              7.2

6. Conclusions

We propose a timed automata-based intrusion detection system that can detect attacks on DSR. In the system, we first propose an algorithm for selecting monitors for the distributed monitoring of all nodes in the network. Second, we manually abstract the correct behaviours of a node according to DSR and compose the timed automata of node behaviour. Intrusions, which usually cause a node to behave in an incorrect manner, can be detected without trained data or signatures. Meanwhile, our IDS can detect unknown intrusions with fewer false alarms.

References

[1] Corson S, Macker J. Mobile ad hoc networking (MANET): routing protocol performance issues and evaluation considerations. RFC 2501, 1999.
[2] Yi Ping, Jiang Yichuan, Zhong Yiping, et al. A survey of security for mobile ad hoc networks. ACTA Electronica Sinica, 2005, 33(5): 893–899.
[3] Yi Ping, Zou Futai, Jiang Xinghao, et al. Multi-agent cooperative intrusion response in mobile ad hoc networks. Journal of Systems Engineering and Electronics, 2007, 18(4): 785–794.
[4] Ramkumar M, Memon N. An efficient key predistribution scheme for ad hoc network security. IEEE Journal on Selected Areas in Communications, 2005, 23(3): 611–621.
[5] Zhu Sencun, Xu Shouhuai, Setia Sanjeev, et al. LHAP: a lightweight network access control protocol for ad hoc networks. Ad Hoc Networks, 2006, 4(5): 567–585.
[6] Argyroudis P G, O'Mahony D. Secure routing for mobile ad hoc networks. IEEE Communications Surveys & Tutorials, 2005, 7(3): 2–21.
[7] Yi Ping, Jiang Yichuan, Zhong Yiping, et al. A survey of secure routing for mobile ad hoc networks. Computer Science, 2005, 32(6): 37–40.
[8] Capkun Srdjan, Buttyan Levente, Hubaux Jean-Pierre. Self-organized public-key management for mobile ad hoc networks. IEEE Trans. on Mobile Computing, 2003, 2(1).
[9] Zhou Lidong, Haas Zygmunt J. Securing ad hoc networks. IEEE Network Special Issue on Network Security, 1999.
[10] Papadimitratos P, Haas Z. Secure routing for mobile ad hoc networks. Proc. of the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference, San Antonio, TX, 2002.
[11] Hu Yih-chun, Perrig Adrian, Johnson David B. Ariadne: a secure on-demand routing protocol for ad hoc networks. Proc. of MobiCom, Atlanta, Georgia, USA, 2002.
[12] Sanzgiri Kimaya, Dahill Bridget, Levine Brian Neil, et al. A secure routing protocol for ad hoc networks. Proc. of IEEE International Conference on Network Protocols, 2002.
[13] Hu Yih-chun, Johnson David B, et al. SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks. Ad Hoc Networks, 2003, 1(1): 175–192.
[14] Zhang Yongguang, Lee Wenke. Intrusion detection in wireless ad-hoc networks. Proc. of the Sixth International Conference on Mobile Computing and Networking, Boston, MA, 2000.
[15] Zhang Yongguang, Lee Wenke. Intrusion detection techniques for mobile wireless networks. Mobile Networks and Applications, 2003.
[16] Kachirski Oleg, Guha Ratan. Intrusion detection using mobile agents in wireless ad hoc networks. IEEE Workshop on Knowledge Media Networking, 2002.
[17] Puttini R S, Percher J-M, Mé L, et al. A modular architecture for distributed IDS in MANET. Proc. of the International Conference on Computational Science and Its Applications, Springer Verlag, LNCS 2668, San Diego, USA, 2003.
[18] Huang Yi-an, Lee Wenke. A cooperative intrusion detection system for ad hoc networks. ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, VA, USA, 2003.
[19] Sun B, Wu K, Pooch U W. Routing anomaly detection in mobile ad hoc networks. Proc. of 12th International Conference on Computer Communications and Networks, Dallas, Texas, 2003: 25–31.
[20] Albers P, Camp O, Percher J M, et al. Security in ad hoc networks: a general intrusion detection architecture enhancing trust based approaches. Proc. of the First International Workshop on Wireless Information Systems, 2002.
[21] Bhargava S, Agrawal D P. Security enhancements in AODV protocol for wireless ad hoc networks. Vehicular Technology Conference, 2001, 4: 2143–2147.
[22] Wang Weichao, Lu Yi, Bhargava Bharat K. On vulnerability and protection of ad hoc on-demand distance vector protocol. Proc. of 10th IEEE International Conference on Telecommunication, 2003.
[23] Subhadrabandhu D, Sarkar S, Anjum F. A framework for misuse detection in ad hoc networks, Part I. IEEE Journal on Selected Areas in Communications, 2006, 24(2): 274–289.
[24] Tseng Chinyang Henry, Song Tao, Balasubramanyam Poornima, et al. A specification-based intrusion detection model for OLSR. RAID, LNCS 3858, 2006: 330–350.
[25] Johnson David B, Maltz David A, Hu Yih-chun. The dynamic source routing protocol for mobile ad hoc networks (DSR). IETF Internet-Draft, http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-10.txt, 19 July 2004.
[26] Alur R, Dill D L. A theory of timed automata. Theoretical Computer Science, 1994, 126: 183–235.

Yi Ping was born in 1969. He received the B. S. degree in computer science and engineering from the PLA University of Science and Technology, Nanjing, in 1991. He received the M. S. degree in computer science from Tongji University, Shanghai, in 2003. He received the Ph. D. degree in computing and information technology from Fudan University, China, in 2005. Now he is an associate professor. His research interests include mobile computing and ad hoc networks security. E-mail: [email protected]