Intrusion detection in mobile ad hoc networks
MetadataShow full item record
Most existent protocols, applications and services for Mobile Ad Hoc NET-works (MANETs) assume a cooperative and friendly network environment and do not accommodate security. Therefore, Intrusion Detection Systems (IDSs), serving as the second line of defense for information systems, are indispensable for MANETs with high security requirements. Central to the research described in this dissertation is the proposed two-level nonoverlapping Zone-Based Intrusion Detection System (ZBIDS) which ﬁt the unique requirement of MANETs. First, in the low-level of ZBIDS, I propose an intrusion detection agent model and present a Markov Chain based anomaly detection algorithm. Local and trusted communication activities such as routing table related features are periodically selected and formatted with minimum errors from raw data. A Markov Chain based normal proﬁle is then constructed to capture the temporal dependency among network activities and accommodate the dynamic nature of raw data. A local detection model aggregating abnormal behaviors is constructed to reﬂect recent subject activities in order to achieve low false positive ratio and high detection ratio. A set of criteria to tune parameters is developed and the performance trade-off is discussed. Second, I present a nonoverlapping Zone-based framework to manage locally generated alerts from a wider area. An alert data model conformed to the Intrusion Detection Message Exchange Format (IDMEF) is presented to suit the needs of MANETs. Furthermore, an aggregation algorithm utilizing attribute similarity from alert messages is proposed to integrate security related information from a wider area. In this way, the gateway nodes of ZBIDS can reduce false positive ratio, improve detection ratio, and present more diagnostic information about the attack. Third, MANET IDSs need to consider mobility impact and adjust their behavior dynamically. I ﬁrst demonstrate that nodes?? moving speed, a commonly used parameter in tuning IDS performance, is not an effective metric for the performance measurement of MANET IDSs. A new feature -link change rate -is then proposed as a uniﬁed metric for local MANET IDSs to adaptively select normal proﬁles . Different mobility models are utilized to evaluate the performance of the adaptive mechanisms.
Sun, Bo (2003). Intrusion detection in mobile ad hoc networks. Doctoral dissertation, Texas A&M University. Texas A&M University. Available electronically from