International Journal of Computer & Organization Trends –Volume 3 Issue 11 – Dec 2013

SEIDS - A Secure Enhanced Intrusion Detection System with DS in MANETS

J J N H Chakradhar, M.Tech (CSE), Gudlavalleru Engg. College

Y. Adi Lakshmi, Associate Professor, CSE Dept, Gudlavalleru Engg. College

Abstract – Mobile Ad-hoc Networking (MANET) is receiving growing attention as a means of providing communications in environments where there is no existing infrastructure. The wireless ad-hoc network is particularly vulnerable due to its open medium, dynamically changing topology, cooperative algorithms, lack of a centralized monitoring and management point, and lack of a clear line of defense. Many of the intrusion detection techniques developed for fixed wired networks are not applicable in this new environment. Every node works as both a transmitter and a receiver. Nodes communicate directly with each other when they are within the same communication range; otherwise, they rely on their neighbors to relay messages. A MANET is a possible solution to the need to quickly establish communications in a mobile and transient environment. However, the open medium and wide distribution of nodes make MANET vulnerable to malicious attackers. Given this trend, we strongly believe that it is vital to address its potential security issues. In this paper we propose SEIDS, a new rule-based intrusion detection system with digital signatures. SEIDS securely enhances intrusion detection and responds to intrusions with an enhanced group key distribution scheme.

Keywords – ACK, Message, Digital Signature.

I. INTRODUCTION

The mobility of mobile networks requires additional mechanisms for providing security. These vulnerabilities do not exist in a fixed wired network. Therefore, the traditional way of protecting networks with firewalls and encryption software is no longer sufficient. We need to develop new architectures and mechanisms to protect wireless networks and mobile computing applications. Hence, in this paper, we discuss how to identify the intrusion after an anomaly is reported. Simple rules are applied to identify the intruder information and detect the type of the attack. A node called the Monitor node carries out the identification process. This node overhears the channel and detects misbehaving nodes. There may be more than one monitor node in the whole network. Periodically the monitor nodes are elected in the network.

ISSN: 2249-2593

A simple definition of routing is "learning how to get from here to there." In some cases, the term routing is used in a very strict sense to refer only to the process of obtaining and distributing information, but not to the process of using that information to actually get from one place to another. Since it is difficult to grasp the usefulness of information that is acquired but never used, we employ the term routing to refer in general to all the things that are done to discover and advertise paths from here to there and to actually move packets from here to there when necessary. The distinction between routing and forwarding is preserved in the formal discussion of the functions performed by OSI end systems and intermediate systems, in which context the distinction is meaningful.

Routing is the act of moving information across an internetwork from a source to a destination. Along the way, at least one intermediate node is typically encountered. Routing is the process of finding a path from a source to every destination in the network. It allows users in remote parts of the world to reach information and services provided by computers anywhere in the world. Routing is accomplished by means of routing protocols that establish mutually consistent routing tables in every router in the network. When a packet is received by a router or forwarded by a host, both must decide how to send the packet. To do this, the router and the host consult a database known as the routing table. This database is stored in RAM so that the lookup process is fast. As the packet is forwarded through various routers towards its destination, each router decides how to proceed by consulting its routing table. A routing table consists of at least two columns: the first is the address of a destination point or destination network, and the second is the address of the next element, that is, the next hop on the "best" path to the destination. When a packet arrives at a router, the router or switch controller consults the routing table to decide the next hop for the packet. Not only local information but also global information is consulted for routing. But global information is hard to collect,

http://www.ijcotjournal.org

Page 511



subject to frequent changes, and voluminous. The information in the routing table can be generated in one of two ways. The first method is to manually configure the routing table with routes for each destination network; this is known as static routing. The second method is to use a dynamic routing protocol, in which routing tables are built and maintained automatically through ongoing communication between routers. Periodically or on demand, messages are exchanged between routers to update the information kept in their routing tables. The network forwards IP packets from a source to a destination using the destination address field in the packet header. A router is defined as a host that has an interface on more than one network. Every router along the path has a routing table with at least two fields: a network number and the interface on which to send packets for that network. The router reads the destination address from an incoming packet's header and uses the routing table to forward it to the appropriate interface. By introducing routers with interfaces on more than one cluster, we can connect clusters into larger ones. By induction we can compose arbitrarily large networks in this fashion, as long as there are routers with interfaces on each subcomponent of the network.

In a mobile ad hoc network (MANET), mobile hosts with wireless network interfaces form a temporary network without the aid of any fixed infrastructure or centralized administration. A MANET is called an infrastructureless network because the mobile nodes dynamically create paths among themselves to transmit packets temporarily. To put it differently, a MANET is a self-configuring network formed automatically by a collection of mobile nodes without the help of a fixed infrastructure or centralized management.

Each node is equipped with a wireless transmitter and receiver, which allow it to communicate with other nodes within its radio communication range. For a node to forward a packet to a node that is outside its radio range, the cooperation of other nodes in the network is required; this is known as multi-hop communication. Therefore, each node must act as both a host and a router concurrently. The network topology changes frequently due to the mobility of the nodes as they move within, move into, or leave the network. Within the MANET, nodes within each other's wireless transmission range can communicate directly; nodes outside each other's range have to rely on other nodes to relay messages. Thus a multi-hop scenario occurs, in which several intermediate hosts relay the packets sent by the source host before they reach the destination host. Every node functions as a router. The success of communication depends heavily on the cooperation of other nodes. Because MANET has features such as an open medium, dynamically changing topology, and the lack of a centralized monitoring and management point, many of the intrusion detection techniques developed for fixed wired networks are not applicable in MANET. Zhang [2] gives a specific design of intrusion detection and response mechanisms for MANET. Marti [5] proposes two mechanisms, watchdog and pathrater, which improve throughput in MANET in the presence of nodes that agree to forward packets but fail to do so. In MANET, cooperation is very important to support the basic functions of the network, so the token-based mechanism, the credit-based mechanism, and the reputation-based mechanism were developed to enforce cooperation.

II. LITERATURE SURVEY

Prevention methods such as authentication and cryptography alone are not able to provide security. Intrusion detection can be classified into two classes [3]: based on data collection mechanisms and based on detection techniques. Based on detection techniques, there are three broad categories: misuse detection, anomaly detection, and specification-based detection.

MITIGATING ROUTING MISBEHAVIOR IN MOBILE AD HOC NETWORKS: Two techniques are used to improve throughput in an ad hoc network in the presence of nodes that agree to forward packets but fail to do so, by detecting misbehaving nodes. One solution to misbehaving nodes is to forward packets only through nodes that share an a priori trust relationship. Another solution to misbehaving nodes [16] is to isolate these nodes from the actual routing protocols of the network. The techniques used detect the presence of nodes that agree to forward packets but fail to do so. Here a watchdog is used, which identifies misbehaving nodes, and a pathrater, which helps routing protocols avoid these nodes. The two techniques increase throughput as well as the transmission overhead.

A Network Intrusion Detection System [1] is used to monitor networks for attacks or intrusions. The network is also a pathway for intrusion. It follows the signature-based IDS methodology for ascertaining attacks. It is an alert device in the event of attacks directed towards an entire network. It captures packets transmitted over the entire network by operating in promiscuous mode and compares the traffic with crafted attack signatures. It also incorporates functionality to detect the installed adapters on the system, select an adapter for capture, pause capture and clear captured data, as shown in the screenshots. To introduce a new approach building on the preceding intrusion detection approaches, EAACK was introduced


using digital signatures and RSA concepts. EAACK is an acknowledgement-based IDS. EAACK requires all acknowledgement packets to be digitally signed before they are sent out and verified before they are accepted. Nodes in the network which cause dysfunction in the network and damage other nodes are called misbehaving or critical nodes. Mobile ad hoc networks (MANETs), like other wireless networks, are liable to active and passive attacks. In passive attacks only eavesdropping on data happens, while active attacks involve operations such as repetition, modification, or deletion of data. Certain nodes in MANETs can produce attacks which cause congestion, distribute incorrect routing information, prevent services from operating properly, or disable them [7]. Nodes which perform active attacks to damage other nodes and cause disconnection in the network are called malicious or compromised nodes. Nodes which do not forward the received packets (to conserve their battery life for their own communications) are called selfish nodes [8],[9]. A selfish node impacts normal network operations by not participating in routing protocols or by not forwarding packets. A malicious node may use the routing protocols to announce that it has the shortest route to the destination node of the packets to be sent. In this situation, this node receives the packets and does not forward them. This operation is called a "blackhole" attack.

In the literature, three intrusion detection techniques are used. The first technique is anomaly-based intrusion detection, which profiles the symptoms of normal behaviour of the system, such as usage frequency of commands, CPU usage of programs, and the like. It detects intrusions as anomalies, i.e. deviations from the normal behaviours. Various techniques have been applied for anomaly detection, e.g. statistical approaches and artificial intelligence techniques like data mining and neural networks. Defining normal behaviour is a major challenge. Normal behaviour can change over time, and intrusion detection systems must be kept up to date. False positives (normal activities which are detected as anomalies by the IDS) can be high in anomaly-based detection. On the other hand, it is capable of detecting previously unknown attacks. This is very important in an environment where new attacks and new vulnerabilities of systems are announced constantly.

1) Watchdog: Marti et al. [17] proposed a scheme named Watchdog that aims to improve the throughput of the network in the presence of malicious nodes. In fact, the Watchdog scheme consists of two parts, namely Watchdog and Pathrater. Watchdog serves as an IDS for MANETs. It is responsible for detecting malicious node misbehaviours in the network. Watchdog detects malicious misbehaviours by promiscuously listening to its next hop's transmission. If a Watchdog node overhears that its next node fails to forward the packet within a certain period of time, it increases its failure counter. Watchdog is capable of


detecting malicious nodes rather than links. Node A first forwards Packet 1 to node B, and then node B forwards Packet 1 to node C. When node C receives Packet 1, as it is two hops away from node A, node C is obliged to generate a TWOACK packet, which contains the reverse route from node A to node C, and send it back to node A. The receipt of this TWOACK packet at node A indicates that the transmission of Packet 1 from node A to node C was successful. Otherwise, if this TWOACK packet is not received within a predefined time period, both nodes B and C are reported malicious. The same process applies to every three consecutive nodes along the rest of the route.

Drawbacks:
- Existing work fails to detect misbehaving nodes in the presence of false misbehavior reports. A false misbehavior report can be generated by malicious attackers to falsely report innocent nodes as malicious.
- The digital signatures of nodes are easy to attack.
- It does not handle new types of malicious attacks.

III. PROPOSED SYSTEM

IDSs on MANETs use a variety of intrusion detection methods. The most commonly proposed intrusion detection method to date is specification-based detection. This can detect attacks against routing protocols with a low rate of false positives. However, it cannot detect some kinds of attacks, such as DoS attacks. There are also some anomaly-based detection systems implemented in MANETs. Unfortunately, the mobility of MANETs increases the rate of false positives in these systems. There have been few signature-based IDSs developed for MANETs and little research on signatures of attacks against MANETs. Updating attack signatures is an important problem for this approach. Some systems use promiscuous monitoring of wireless communications in the neighbourhood of nodes. Since nodes in MANETs have only local data, a distributed and cooperative IDS architecture is generally used to provide a more informed detection approach. In this architecture, every node has its local IDS agent and communicates with other nodes' agents to exchange information, reach decisions and respond. Other IDS architectures in MANETs are stand-alone and hierarchical IDSs [1]. In stand-alone IDS architectures, every node in the network has an IDS agent and detects attacks on its own without collaborating with other nodes.


Example Illustration:

Encryption Process:

Nodes A, B and C are three consecutive nodes (a triplet) on the route from source node S to destination D generated in the route discovery phase. When A sends a packet to B, B forwards it to C. It is unclear to A whether C receives the packet successfully or not. This type of ambiguity exists even when there are no misbehaving nodes. The 2ACK scheme requires an explicit acknowledgement to be sent by C to notify A of its successful reception of the data packet. When node C receives the data packet successfully, it sends out a 2ACK packet over two hops to A, in the opposite direction of the routing path, with the ID of the corresponding packet. Here node A monitors the link B-C: A is the 2ACK packet receiver, or observing node, and C is the 2ACK packet sender. This type of transmission takes place for every triplet along the route except for the first router from the source and the last router before the destination. The 2ACK scheme focuses on link misbehaviour, and it can only work in managed MANETs as opposed to open MANETs.

The steps of encryption are given as follows [1]:
1. The plaintext is read from the input in blocks of 32 bits.
2. The plaintext is transformed into ASCII code and then into binary form.
3. A shift-left operation is performed on this 32-bit data 10 times.
4. The modified plaintext is then XORed with a secondary key of 32 bits, and it is made sure that the result is also 32 bits.
5. A random number is chosen from a given range and transformed into a 16-bit binary number.
6. A sequence symbol is randomly selected from a preselected range.
7. The selected symbol is transformed into ASCII code and then into an 8-bit binary number.
8. The 8-bit binary code is appended to the 16-bit binary number obtained from the random number, and the result is stored as the Base Key or Primary Key.
9. The key is then applied to the modified plaintext with the help of a binary operation.
10. In the next step, a new key is generated from a different random number and a different sequence symbol.
11. Each time a new key is generated, it is applied using a different binary operation to the ciphertext resulting from the previous step, and a modified ciphertext is obtained.

IMPROVED DIGITAL SIGNATURE: Node signature scheme was first introduced in 1985. In this signature scheme the public key is used for encryption and signature verification. For each user there is a secret key $x$ and public keys $\alpha, \beta, p$, where

$\beta = \alpha^{x} \bmod p$

The public keys $\alpha, \beta, p$ are published in a public file and are known to everybody, while the secret key $x$ is kept secret.

$\alpha^{x} \equiv \beta \pmod p$ (DLP equation), with $(\alpha, \beta, p)$ the public key and $x$ the private key.

The above steps are performed once by the signer; $p$ is a large prime. To sign, choose a random number $k$ such that $0 < k < p-1$ and $\gcd(k, p-1) = 1$, and compute

$\gamma = \alpha^{k} \bmod p$

The signature of $m$ is a pair $(\gamma, \delta)$ with $0 \le \gamma, \delta \le p-1$, chosen such that

$\alpha^{m} \equiv \beta^{\gamma} \gamma^{\delta} \pmod p$ ------- (1)

Substituting $\beta = \alpha^{x}$ and $\gamma = \alpha^{k}$ into (1):

$\alpha^{m} \equiv (\alpha^{x})^{\gamma} (\alpha^{k})^{\delta} \equiv \alpha^{x\gamma} \alpha^{k\delta} \equiv \alpha^{x\gamma + k\delta} \pmod p$

so $m \equiv x\gamma + k\delta \pmod{p-1}$, and therefore

$\delta = (m - x\gamma) k^{-1} \bmod (p-1)$
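The 2ACK exchange of the Example Illustration and the signature equations above (the 1985 scheme with $\beta = \alpha^x \bmod p$ is the ElGamal signature), combined in one added example that is not the paper's code: node C signs its 2ACK with $(\gamma, \delta)$, and observing node A checks equation (1), rejects a replayed signature, and counts 2ACKs that never arrive against link B-C. The prime, generator, hashing of the packet to $m$, timeout, counters and packet format are constructed assumptions.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (assumption): p = 2^31 - 1 is prime and 7 is a primitive root mod p.
P = 2**31 - 1
ALPHA = 7

def keygen(p=P, alpha=ALPHA):
    """Secret key x and public key (alpha, beta, p) with beta = alpha^x mod p."""
    x = secrets.randbelow(p - 2) + 1            # 1 <= x <= p-2
    return x, (alpha, pow(alpha, x, p), p)

def hash_to_m(packet: bytes, p: int) -> int:
    """Reduce the ACK packet to the signed integer m in [0, p-2] (hashing is our assumption)."""
    return int.from_bytes(hashlib.sha256(packet).digest(), "big") % (p - 1)

def sign(m: int, x: int, pub) -> tuple:
    """(gamma, delta) with gamma = alpha^k mod p and delta = (m - x*gamma) * k^-1 mod (p-1)."""
    alpha, _, p = pub
    while True:
        k = secrets.randbelow(p - 2) + 1        # 0 < k < p-1 ...
        if gcd(k, p - 1) == 1:                  # ... with gcd(k, p-1) = 1 so k^-1 exists
            break
    gamma = pow(alpha, k, p)
    return gamma, (m - x * gamma) * pow(k, -1, p - 1) % (p - 1)

def verify(m: int, sig: tuple, pub) -> bool:
    """Range check, then equation (1): alpha^m == beta^gamma * gamma^delta (mod p)."""
    alpha, beta, p = pub
    gamma, delta = sig
    return (0 <= gamma <= p - 1 and 0 <= delta <= p - 1
            and pow(alpha, m, p) == pow(beta, gamma, p) * pow(gamma, delta, p) % p)

class ObserverNode:
    """Node A of a triplet (A, B, C): forwards via B and waits for C's signed 2ACK."""
    def __init__(self, timeout_ms=500):
        self.timeout_ms = timeout_ms
        self.pending = {}      # packet_id -> (monitored link, send time in ms)
        self.failures = {}     # monitored link -> missed or invalid 2ACK count

    def send(self, packet_id, link, now_ms):
        self.pending[packet_id] = (link, now_ms)

    def receive_2ack(self, packet_id, ack, sig, pub_c, now_ms):
        link, sent = self.pending.pop(packet_id, (None, None))
        if link is None:
            return "unexpected"
        # Accept only a 2ACK that arrived within the timeout and carries C's valid signature.
        if now_ms - sent > self.timeout_ms or not verify(hash_to_m(ack, pub_c[2]), sig, pub_c):
            self.failures[link] = self.failures.get(link, 0) + 1
            return "rejected"
        return "accepted"

    def expire(self, now_ms):
        # Every 2ACK still outstanding after the timeout counts against the link B -> C.
        for pid, (link, sent) in list(self.pending.items()):
            if now_ms - sent > self.timeout_ms:
                self.failures[link] = self.failures.get(link, 0) + 1
                del self.pending[pid]

def run_demo():
    """Genuine 2ACK accepted, replayed signature rejected, three silent drops counted."""
    a, (x_c, pub_c) = ObserverNode(), keygen()
    a.send("pkt-1", "B->C", now_ms=0)
    ack1 = b"2ACK|pkt-1|C>B>A"                    # constructed 2ACK: packet id + reverse route
    sig1 = sign(hash_to_m(ack1, P), x_c, pub_c)
    genuine = a.receive_2ack("pkt-1", ack1, sig1, pub_c, now_ms=120)
    a.send("pkt-2", "B->C", now_ms=200)            # attacker replays C's old signature on a new id
    forged = a.receive_2ack("pkt-2", b"2ACK|pkt-2|C>B>A", sig1, pub_c, now_ms=250)
    for i in range(3, 6):                          # pkt-3..pkt-5: C never answers
        a.send(f"pkt-{i}", "B->C", now_ms=300)
    a.expire(now_ms=1000)
    return genuine, forged, a.failures
```

Because the signature binds the packet ID and reverse route, a signature captured from one 2ACK cannot be reused to fake acknowledgement of another packet, and unanswered packets accumulate on the monitored link rather than on a node.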


Decryption Process: The decryption process in this algorithm is exactly the reverse of the encryption method, as it is based on symmetric cryptography.
1. The ciphertext is read on the receiver's side.
2. The corresponding key is read from the central database server.
3. The corresponding binary operations are performed on the ciphertext based upon the nature of the key.
4. Steps 1 to 3 are performed 10 times to get the modified ciphertext.
5. The reverse binary operation is performed on the modified ciphertext with the help of the Secondary Key.
6. A binary shift-right operation is performed ten times on the result of the previous step.
7. Steps 1 to 6 are repeated until the end of the ciphertext, and the output in binary form is stored.
8. The binary output is converted first to ASCII code and finally to the plaintext.

RESULTS:

Fig1: Enter Number of Sensor Nodes

Fig2: Dynamic generation of sensor nodes

Fig3: Sending Message from source to destination.

Digital Signature is verified

Packets sending from source to destination in encrypted format


Message sent display

Secured ack from Destination to source

Identifying malicious nodes and then deleting them from the network

Received ack message

Dynamic updating of digital signature parameters

Packet delivery ratio

Sender ack status

Destination node ack status with message

| Scheme | No of nodes | Malicious Detect (ms) | Message Send (ms) | Encryption Time | Decryption Time |
|---|---|---|---|---|---|
| Existing | 6 | 8 | 34 | 13 | 16 |
| Proposed | 8 | 3 | 21 | 7 | 9 |


Fig: Bar chart comparing the Existing and Proposed schemes (y-axis 0 to 40) for No of nodes, Malicious Detect (ms), Message Send (ms), Encryption Time and Decryption Time.

V. CONCLUSION AND FUTURE SCOPE

As the existing approach had defects, a new scheme can be proposed: a key management scheme for group-based MANETs in which a group leader can generate, distribute, update and revoke keys in its group, together with a provably secure routing protocol. Packet dropping attacks have always been a major threat, so it must be shown that the protocol establishes a route secure from different kinds of attacks. We propose SEIDS, a new rule-based intrusion detection system with digital signatures. SEIDS securely enhances intrusion detection and responds to intrusions with an enhanced group key distribution scheme.

REFERENCES

[1] S. Makki, N. Pissinou, H. Huang, "The Security issues in the ad hoc on demand distance vector routing protocol (AODV)", Proc. of the 2004 International Conference on Security and Management (SAM'04), pp. 427-432.
[2] N. Komninos, D. Vergados and C. Douligeris, "Detecting Unauthorized and Compromised Nodes in Mobile Ad-Hoc Networks", Ad Hoc Networks, Elsevier, Vol. 5, No. 3, April 2007, pp. 289-298.
[3] Kashan Samad, Ejaz Ahmed, Waqar Mehmood, "MultiLayer Cluster-based Intrusion Detection Architecture for Mobile Ad Hoc Networks using Mobile Agents", High Capacity Optical Networks and Enabling Technologies (HONET), Islamabad, Pakistan, Dec 28-31, 2004.
[4] P. Albers, O. Camp, J. Percher, B. Jouga, L. M, and R. Puttini, "Security in Ad Hoc Networks: a General Intrusion Detection Architecture Enhancing Trust Based Approaches", Proc. of the 1st International Workshop on Wireless Information Systems (WIS2002), pp. 1-12, April 2002.
[5] O. Kachirski and R. Guha, "Effective Intrusion Detection Using Multiple Sensors in Wireless Ad Hoc Networks", Proc. of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03), p. 57.1, January 2003.
[6] S. Marti, T. J. Giuli, K. Lai, and M. Baker, "Mitigating Routing Misbehavior in Mobile Ad Hoc Networks", Proc. of the 6th Annual International Conference on Mobile Computing and Networking (MobiCom'00), pp. 255-265, August 2000.
[7] S. Buchegger and J. Le Boudec, "Performance Analysis of the CONFIDANT Protocol (Cooperation Of Nodes - Fairness In Dynamic Ad-hoc NeTworks)", Proc. of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc'02), pp. 226-336, June 2002.
[8] P. Michiardi and R. Molva, "Core: A Collaborative Reputation mechanism to enforce node cooperation in Mobile Ad Hoc Networks", Communication and Multimedia Security Conference (CMS'02), September 2002.
