MAC layer anomaly detection in ad hoc networks

It is evident that traditional end-to-end intrusion detection mechanisms developed on wireless local area networks (WLANs) and wired networks are no longer sufficient for breach investigation in ad hoc networks. Most existing intrusion detection techniques for ad hoc networks are proposed on the network layer. In general, these techniques have difficulty to localize attack source, and can not respond to attacks promptly. In this paper, we investigate the use of MAC layer traffic data to characterize normal behaviors in the neighborhood of a mobile node, and to detect misbehaving nodes through MAC layer anomalies. In particular, we evaluate and select a set of features from MAC layer to profile normal behaviors of mobile nodes, and then we apply cross-feature analysis on feature vectors constructed from training data according to the proposed feature set. We are able to reliably detect MAC layer anomalies, some of which may be in fact caused by misbehavior of network layer, since most routing attacks directly impact MAC layer operations. We validate our work through ns-2 simulations. Experimental results show the effectiveness of our method.