Infrastructures and algorithms for distributed anomaly-based intrusion detection in mobile ad-hoc networks


3 Author(s)
J. B. D. Cabrera ; Sci. Syst. Co., Inc., Woburn, MA, USA ; C. Gutierrez ; R. K. Mehra

This paper addresses one aspect of the problem of defending mobile ad-hoc networks (MANETs) against computer attacks, namely, the development of a distributed anomaly-based intrusion detection system. In a general sense, the proposed system is a co-located sensor network, in which the monitored variable is the health of the network being monitored. A three level hierarchical system for data collection, processing and transmission is described. Local IDSs (intrusion detection systems) are attached to each node of the MANET, collecting raw data of network operation, and computing a local anomaly index measuring the difference between the current node operation and a baseline of normal operation. Anomaly indexes from nodes belonging to a cluster are periodically transmitted to a cluster head, which fuses the node indexes producing a cluster-level anomaly index. Likewise, cluster heads periodically transmit these cluster-level anomaly indexes to a manager node, which fuses the cluster-level indexes into a network-level anomaly index. Due to network mobility, cluster membership and cluster heads are time varying. The paper describes: (1) clustering algorithms to update cluster centers; (2) machine learning algorithms for computing the local anomaly indexes; (3) a statistical scheme for fusing the anomaly indexes at the cluster heads and at the manager. The statistical scheme is formally shown to increase detection accuracy under idealized assumptions. These algorithms were implemented and tested under the following conditions. Routing schemes: AODV (ad-hoc on demand distance vector routing) and OLSR (optimized link state routing); mobility patterns: random walk mobility model and reference point group mobility at various speeds; types of attacks: traffic flooding denial-of-service and black hole. For performance evaluation we determined the ROC (receiver operating characteristics) for various operational conditions at the nodes, cluster heads and manager. The overall results confirm the effectiveness of the infrastructures and algorithms described in the paper, with detection accuracy generally improving as we move up in the hierarchy, i.e. detection accuracy at the cluster level is higher than at local level, while network-level detection outperforms cluster-level detection.
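The abstract's central claim is that fusing anomaly indexes up the node / cluster-head / manager hierarchy raises detection accuracy. The following simulation is an added illustration of why that holds under idealized assumptions; it is not the authors' code, and neither their clustering, their machine-learning indexes nor their statistical fusion scheme are given on this page. It assumes a constructed model in which each local index is Gaussian noise that shifts upward during an attack, and it assumes a plain mean as the fusion rule at both the cluster heads and the manager (`ATTACK_SHIFT`, `fuse`, `simulate` and the cluster sizes are all constructed here). The ROC quantities it reports (area under the curve and the detection rate at a fixed false-alarm rate) are the same kind of measure the abstract uses for evaluation.

```python
import random
from statistics import mean

# Constructed model of the three-level hierarchy (assumption, not the paper's
# algorithm): every node emits a local anomaly index that is Gaussian noise
# around 0 during normal operation and shifted upward by ATTACK_SHIFT while an
# attack is in progress.
ATTACK_SHIFT = 1.0


def local_anomaly_index(rng, under_attack):
    """Local IDS output for one observation window (constructed model)."""
    baseline = ATTACK_SHIFT if under_attack else 0.0
    return rng.gauss(baseline, 1.0)


def fuse(indexes):
    """Fusion rule used at cluster heads and at the manager.

    The paper's statistical scheme is not given in the abstract; a plain mean
    is assumed here. Averaging k independent indexes shrinks the noise by
    sqrt(k) while keeping the attack shift, which is why accuracy rises with
    each level of the hierarchy.
    """
    return mean(indexes)


def auc(scores, labels):
    """Area under the ROC curve via the Mann-Whitney rank-sum statistic:
    the probability that a randomly chosen attack window scores higher than
    a randomly chosen normal window. Ties are ignored (continuous scores)."""
    n_pos = sum(1 for l in labels if l)
    n_neg = len(labels) - n_pos
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    rank_sum_pos = sum(rank for rank, i in enumerate(order, start=1) if labels[i])
    return (rank_sum_pos - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)


def detection_rate_at(scores, labels, false_alarm_rate):
    """One ROC operating point: pick the threshold that lets the given
    fraction of normal windows raise an alarm, then report the fraction of
    attack windows that exceed it."""
    normal = sorted((s for s, l in zip(scores, labels) if not l), reverse=True)
    k = int(false_alarm_rate * len(normal))
    threshold = normal[k] if k < len(normal) else normal[-1]
    attack = [s for s, l in zip(scores, labels) if l]
    return sum(1 for s in attack if s > threshold) / len(attack)


def simulate(n_clusters=4, nodes_per_cluster=5, windows=200, seed=7):
    """Run `windows` observation windows, alternating normal and attack, and
    collect anomaly indexes at node, cluster-head and manager level."""
    rng = random.Random(seed)
    scores = {"local": [], "cluster": [], "network": []}
    labels = {"local": [], "cluster": [], "network": []}
    for w in range(windows):
        under_attack = (w % 2 == 1)
        cluster_indexes = []
        for _ in range(n_clusters):
            # Cluster membership is time varying in a MANET; for a mean-based
            # fusion rule only the cluster size matters, so nodes are not named.
            node_indexes = [local_anomaly_index(rng, under_attack)
                            for _ in range(nodes_per_cluster)]
            scores["local"].extend(node_indexes)
            labels["local"].extend([under_attack] * nodes_per_cluster)
            cluster_index = fuse(node_indexes)           # cluster head
            cluster_indexes.append(cluster_index)
            scores["cluster"].append(cluster_index)
            labels["cluster"].append(under_attack)
        network_index = fuse(cluster_indexes)            # manager node
        scores["network"].append(network_index)
        labels["network"].append(under_attack)
    return {
        level: {
            "auc": auc(scores[level], labels[level]),
            "pd_at_5pct_fa": detection_rate_at(scores[level], labels[level], 0.05),
        }
        for level in scores
    }


if __name__ == "__main__":
    for level, r in simulate().items():
        print(f"{level:8s} AUC={r['auc']:.3f}  "
              f"P(detect) at 5% false alarm={r['pd_at_5pct_fa']:.3f}")
```

Under this model the node-level AUC sits well below the cluster-level AUC, which in turn sits below the network-level AUC, reproducing the ordering the abstract reports. The idealization that matters is independence of the node indexes: if several nodes in a cluster share a noise source (for example, the same congested link), averaging removes less noise than the sqrt(k) factor suggests, which is one reason a real fusion scheme needs the statistical treatment the paper provides rather than a bare mean.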

Published in:

MILCOM 2005 - 2005 IEEE Military Communications Conference

Date of Conference:

17-20 Oct. 2005