Anomaly-Based Intrusion Detection Systems for Mobile Ad Hoc Networks: A Practical Comprehension

Sharada Ramakrishna Valiveti, Anush Manglani, Tadrush Desai
DOI: 10.4018/IJSSSP.2021070102

Abstract

Ad hoc networks are used in heterogeneous environments such as tactical military applications, where no centrally coordinated infrastructure is available. The network must configure itself, manage a dynamically changing topology, and sustain its own operation; security is therefore of paramount importance. In such a network, anomaly-based intrusion detection is a distributed activity carried out cooperatively by all nodes, alongside other cooperative network functions such as routing. Machine learning and its recent advances have found a promising place in anomaly detection. This paper describes the process of selecting the routing protocol most suitable for implementing an IDS for tactical applications, together with the selection of a suitable data set. The paper also reviews the latest machine learning techniques, their implementation capabilities, and their limitations.

1. Introduction

Ad hoc networks are self-organizing and self-maintaining wireless networks in which nodes communicate with each other without any supporting infrastructure. The nodes, equipped with 802.11 radios, are mobile and cooperate to carry data and control packets in a coordinated and distributed fashion. Because there is no external entity managing the network, this cooperation itself introduces vulnerabilities. In this distributed and cooperative environment, the nodes themselves are responsible for securing communication and for detecting intrusions or penetrations from both inside and outside the network.

An Intrusion Detection System (IDS) is an effective second line of defense in any network. Developing an IDS for a network involves combining security policies, the network design, the types of communicating nodes, and the security mechanisms implemented in the network. Intrusion detection systems have been classified into various types (Pietro, 2008):

  • Based on detection techniques:

    • Misuse-based, pattern-based or signature-based IDS: This type of IDS is suitable when the attack pattern is already known. The IDS looks for specific known patterns in the traffic, such as particular byte sequences or identified sequences of malicious instructions, by matching the observed traffic against its database of attack signatures (Pietro, 2008).

    • Anomaly-based IDS: This type of IDS is best suited to detecting zero-day attacks, since it flags any anomalous behavior in the network. It uses machine learning techniques to build a model of trustworthy (normal) activity and then judges new activity against that model, classifying it as malicious or benign. Although this approach allows an anomaly-based IDS to detect previously unknown attack patterns, it may also classify legitimate activity as malicious, because an ideal model of normal behavior cannot be built in a real-world scenario (Pietro, 2008).

    • Specification-based IDS: This type of IDS can be used where the system's requirements and intended uses can be modeled as atomic daemon scripts through program profiling, so that deviations from the specification are reported (Pietro, 2008).

  • Based on application:

    • Network-based IDS: This IDS is customized and developed for a given network according to the policies of the network (organization) it protects (Pietro, 2008).

    • Host-based IDS: This IDS is developed for an individual communicating device such as a computer or mobile phone. Anti-virus tools are an example of host-based IDS (Pietro, 2008).

  • Based on the architecture of IDS:

    • Centralized: A single IDS in the network detects and prevents intrusions (Pietro, 2008).

    • Distributed: Multiple IDS instances at different locations in the network cooperate to detect and prevent intrusions (Pietro, 2008).

    • Hierarchical: A hierarchically structured IDS, generally applicable where the network is divided into clusters for forwarding packets (Horng, 2011).
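The distinction between the first two detection techniques above, and the false-positive caveat attached to the anomaly-based one, can be made concrete with a small worked example. The following code is an added illustration, not code from the paper or its authors. It uses constructed per-node forwarding statistics of the kind a cooperative MANET node could collect about its neighbours (packets received for forwarding, packets actually forwarded, route requests sent per minute; all values are made up). A signature rule fires only on a pattern the defender has already catalogued, whereas the anomaly model is fitted to a baseline of trusted nodes and flags anything whose features sit far outside that baseline, including behaviour no rule describes, but also a legitimately busy node. The feature choice, the z-score model and the threshold of 3 are assumptions for the illustration.

```python
"""Signature-based versus anomaly-based detection over constructed MANET node statistics.

Added example; not code from the paper. Observations are tuples of
(node_id, packets_received_for_forwarding, packets_forwarded, route_requests_per_minute).
"""
from statistics import mean, pstdev

# Constructed baseline of trusted nodes used to learn "normal" behaviour.
BASELINE = [
    ("n1", 100, 97, 4),
    ("n2", 120, 118, 5),
    ("n3", 80, 79, 3),
    ("n4", 95, 92, 6),
    ("n5", 110, 108, 4),
    ("n6", 90, 88, 5),
]

# Misuse/signature rules: each fires only on a pattern that is already known.
# The single constructed rule here matches a node that accepts packets to
# forward but forwards none of them.
SIGNATURES = {
    "drop_all_forwarding": lambda recv, fwd, rreq: recv > 0 and fwd == 0,
}


def features(recv, fwd, rreq):
    """Map raw counters to the two features the anomaly model is trained on."""
    forward_ratio = fwd / recv if recv else 1.0
    return (forward_ratio, float(rreq))


def fit_baseline(observations):
    """Learn per-feature mean and standard deviation from trusted traffic."""
    columns = list(zip(*(features(r, f, q) for _, r, f, q in observations)))
    return [(mean(col), pstdev(col)) for col in columns]


def signature_match(recv, fwd, rreq):
    """Names of the known-bad rules that match this observation."""
    return [name for name, rule in SIGNATURES.items() if rule(recv, fwd, rreq)]


def anomaly_score(model, recv, fwd, rreq):
    """Largest absolute z-score across features; large means 'unlike the baseline'."""
    return max(
        abs(x - mu) / sd if sd else 0.0
        for x, (mu, sd) in zip(features(recv, fwd, rreq), model)
    )


def classify(model, observation, threshold=3.0):
    """Run both detectors on one observation and report their verdicts."""
    node, recv, fwd, rreq = observation
    score = anomaly_score(model, recv, fwd, rreq)
    return {
        "node": node,
        "signature": signature_match(recv, fwd, rreq),
        "score": round(score, 2),
        "anomalous": score > threshold,
    }


if __name__ == "__main__":
    model = fit_baseline(BASELINE)
    # n7: matches the known signature and is also anomalous.
    # n8: forwards only 60% of traffic; no rule describes this, only the anomaly model flags it.
    # n9: forwards normally but is busy with route discovery; the anomaly model
    #     flags it although it is legitimate (the false positive the text warns about).
    # n10: ordinary node; neither detector fires.
    for obs in [("n7", 100, 0, 4), ("n8", 100, 60, 4), ("n9", 100, 98, 12), ("n10", 100, 97, 5)]:
        print(classify(model, obs))
```

The run shows why the two approaches are complementary: the signature rule never fires on n8 or n9, the anomaly model catches n8 without any prior knowledge of its behaviour, and the same model wrongly flags n9 because the baseline contained no node doing heavy route discovery, exactly the imperfect-model effect described above.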
