
A model of data forwarding in MANETs for lightweight detection of malicious packet dropping

20 Jul 2015-Computer Networks (Elsevier North-Holland, Inc.)-Vol. 87, Iss: 87, pp 44-58
TL;DR: This work introduces a model of data forwarding in MANETs which is used for recognizing malicious packet dropping behaviors and proposes an anomaly-based IDS system based on an enhanced windowing method to carry out the collection and analysis of selected cross-layer features.
About: This article is published in Computer Networks. The article was published on 2015-07-20 and is currently open access. It has received 27 citations to date. The article focuses on the topic: Network packet.

Summary

1. Introduction

  • Wireless networks have considerably evolved in the last years, leading to the appearance of different related technologies, architectures and applications [1].
  • One of the architectures that has attracted much attention, especially from the research community, is the so-called Mobile Ad hoc NETwork (MANET).
  • Malicious nodes drop received data or control messages instead of relaying them, thus affecting the traffic in the network [5].
  • There are different types of dropping attacks, depending on the particular strategy adopted by the attacker [6].
  • The analytical model of the forwarding process which is used as the basis for their detection proposal is presented in Section 3.

2.1. ACK-based Schemes

  • Here, nodes in the network communicate with their neighbors to explicitly request acknowledgments and confirm the reception of sent packets.
  • These two schemes fail when any two-hop neighbors do not cooperate.
  • Besides, to reduce the routing overhead, authors present in [12] an improvement of their scheme called 2ACK, where only a portion of the packets are acknowledged.
  • Nodes use 3-hop ACK packets to acknowledge TC messages, while HELLO rep packets advertise two-hop neighbors to a requesting MultiPoint Relay (MPR) node.
  • The collected information is afterwards used as the basis for an accusation-based collaborative mechanism for node isolation.

2.2. Reputation-based Schemes

  • The basic idea behind these techniques is that each node first generates an opinion with respect to others.
  • A trust manager sends and receives alarm messages, informing about detected adversaries.
  • Finally, a path manager is responsible for launching an appropriate response.
  • The authors in [17] propose Friends and Foes, a scheme to punish selfish nodes.
  • The concept of inner-circle consistency was adopted in [18] to identify forged route replies and prevent packet dropping attacks.

2.3. Detection-based Schemes

  • Marti et al. [19] proposed a system called Watchdog, where a monitor node compares the packets that it sends with the overheard packets forwarded by the next hop.
  • Classifiers like Naïve Bayes, RIPPER or C4.5 are then used for the detection.
  • They perform the intrusion detection in application, routing and MAC layers.
  • Other authors also propose dynamic adaptations in their works, like those in [24, 25].
  • The authors in [28] incorporate a Bayesian filter into the standard watchdog implementation in order to reduce the number of false positives.

3. Model for the Forwarding Process in MANETs

  • The model considers different legitimate circumstances in communications (collisions, channel errors or mobility) as well as malicious behaviors, and allows inferring how they all may affect the performance of the overall retransmission procedure.
  • If all of the previous events occur, the node tries to forward the packet.
  • To do this, two subsequent actions are taken.
  • Let us term this event the RTS event, and its associated probability $P_{RTS}$.
  • All these circumstances cause messages to be lost and CTS packets not to be received, thus leading to an RTS retransmission.

4. Malicious Packet Dropping Detection

  • A new detection methodology for packet dropping in MANETs is explained.
  • First, the authors describe the attack model and the underlying scenario.
  • Second, the authors detail the proposed detection approach.
  • Next, the authors provide details about parameters estimation and suggest a windowing methodology.

4.1. Attack Model and Scenario Description

  • Footnote 1: Although there are other reasons to consider a link as broken, like node failures, congestion or others, in this work, for simplicity, the terms mobility and broken link are used interchangeably to encompass all these situations.
  • Of course, this aspect does not affect the fundamentals of their proposal.
  • The authors additionally consider the existence of M malicious nodes, with the same behavior as the legitimate ones, except that they will also drop received packets instead of forwarding them.
  • A further extension of their work would imply the combination and evaluation of their technique with others which specifically deal with collusion attacks.
  • Their scheme might be complemented by performing some end-to-end checking, like the one proposed in [31].

4.2. Overview of the Detection Approach

  • This way, a set of network related features is first obtained for each node in a given temporal window of analysis.
  • From these features, the probability values given in Section 3 are afterwards estimated.
  • If $P_{DROP}$ reaches this threshold, following an anomaly-based approach, the authors conclude that the analyzed node is malicious, and legitimate otherwise:

$$\text{node} = \begin{cases} \text{malicious}, & \text{if } P_{DROP} \ge \theta \\ \text{legitimate}, & \text{otherwise} \end{cases} \qquad (5)$$

  • Obviously, the operating point of the detector depends on the value used for the detection threshold.
  • If θ is set to a low value, more malicious nodes in the network will be detected, but more legitimate nodes will also be misclassified as malicious (i.e., the false positive rate increases).
  • On the contrary, high values of θ will result in fewer malicious nodes being detected, but will also produce fewer false positives.

4.3. Parameters Estimation

  • Here the authors discuss how to calculate the probabilities involved in their analytical model taking into account different features obtained from the network.
  • $\hat{P}_{MOB}$ is set to 1 when the number of RTS retransmissions exceeds the SRL (short retry limit) in a measuring window, since the node then considers that it no longer has a connection with the next hop.
  • AODV (Ad hoc On-demand Distance Vector) routing protocol [35] is considered as a case study in this work.
  • In the case that the broken link is closer to the source node than to the destination, the intermediate node discards the route and sends back a Route ERRor message (RERR) to alert its precursors about the link failure.
  • For that, it sends a RREQ message in the same way the source node would.

4.4. Enhanced Windowing for Collecting Features

  • This methodology presents two main drawbacks: (i) the first is related to situations where the temporal window ends just after the transmission of an RTS packet.
  • That is, the features are obtained for non-overlapping windows of P received data packets for each node in the network.
  • Fig. 3 evidences that, by employing the event-based windowing, the authors ensure that mobility situations can be fully collected.
  • Besides the solution of these reported problems, an additional significant advantage should be mentioned for the proposed event-based windowing scheme.
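The detection rule of Eq. (5), the $\hat{P}_{MOB}$ rule of Section 4.3 and the event-based windowing of Section 4.4, worked through as an added example that is not the paper's code. It assumes example values for the SRL and for the window size P, uses simplified stand-in estimators for $P_{MOB}$ and $P_{DROP}$ (this summary does not reproduce the Section 3 formulas), and reports a node as malicious if any of its windows is flagged; the per-node packet streams are constructed, not simulated. The threshold sweep at the end reproduces the operating-point trade-off described in Sections 4.2 and 6.2.

```python
# Added example, not code from the paper: an event-based window monitor and
# threshold detector in the spirit of Sections 4.2-4.4 of the summary.
# ASSUMPTIONS (not from the paper): the P_MOB/P_DROP estimators are simplified
# stand-ins for the Section 3 model, SRL and WINDOW_P are example values, and
# a node is reported as malicious if any of its windows is flagged.
from collections import defaultdict
from dataclasses import dataclass

SRL = 7        # 802.11 short retry limit (assumed value for the example)
WINDOW_P = 50  # P received data packets per event-based window (assumed value)


@dataclass
class Features:
    """The five per-node features the IDS keeps: four integers and one boolean."""
    data_received: int = 0
    data_forwarded: int = 0
    rts_sent: int = 0
    rts_retransmitted: int = 0
    srl_exceeded: bool = False  # RTS retransmissions exceeded SRL in this window


@dataclass(frozen=True)
class WindowResult:
    p_mob: float
    p_drop: float
    malicious: bool


def estimate(f: Features, theta: float) -> WindowResult:
    """Estimate P_MOB and P_DROP for one closed window and apply Eq. (5).
    Simplified estimators (assumption): P_MOB is 1 when the SRL was exceeded,
    as Section 4.3 states, and 0 otherwise; a window attributed to mobility
    is not scored for dropping."""
    p_mob = 1.0 if f.srl_exceeded else 0.0
    if p_mob == 1.0 or f.data_received == 0:
        p_drop = 0.0
    else:
        p_drop = max(0, f.data_received - f.data_forwarded) / f.data_received
    return WindowResult(p_mob, p_drop, p_drop >= theta)


class EventWindowMonitor:
    """Collects features per monitored node; a window closes after WINDOW_P
    received data packets for that node (event-based rather than time-based),
    so a burst of retransmissions is never cut in half by a timer."""
    def __init__(self, theta: float, window_p: int = WINDOW_P):
        self.theta = theta
        self.window_p = window_p
        self.features = defaultdict(Features)
        self.results = defaultdict(list)

    def observe_packet(self, node: str, forwarded: bool, rts_attempts: int) -> None:
        """One data packet received by `node` for relaying: `rts_attempts` is the
        number of RTS transmissions it took (1 means no retransmission)."""
        f = self.features[node]
        f.data_received += 1
        f.data_forwarded += int(forwarded)
        f.rts_sent += rts_attempts
        retx = max(0, rts_attempts - 1)
        f.rts_retransmitted += retx
        if retx > SRL:
            f.srl_exceeded = True
        if f.data_received >= self.window_p:      # window closes on the P-th packet
            self.results[node].append(estimate(f, self.theta))
            self.features[node] = Features()

    def flagged(self, node: str) -> bool:
        return any(r.malicious for r in self.results[node])


def constructed_stream(kind: str, n: int = 200):
    """Constructed (not simulated) packet outcomes per node kind: 'legit' loses
    1 in 20 packets to channel errors after 3 RTS attempts; 'malicious' also
    drops 1 in 5 silently (like the 20 % dropper of Section 6.1); 'mobile' is
    legit but packets 30-36 exceed the SRL because the link is broken."""
    for i in range(n):
        if kind == "mobile" and 30 <= i <= 36:
            yield False, SRL + 2
        elif i % 20 == 0:
            yield False, 3
        elif kind == "malicious" and i % 5 == 1:
            yield False, 1
        else:
            yield True, 1


def sweep(thetas, nodes):
    """Return {theta: (TPR, FPR)} over the constructed node population."""
    out = {}
    for theta in thetas:
        mon = EventWindowMonitor(theta)
        for name, kind in nodes.items():
            for fwd, attempts in constructed_stream(kind):
                mon.observe_packet(name, fwd, attempts)
        bad = [n for n, k in nodes.items() if k == "malicious"]
        good = [n for n, k in nodes.items() if k != "malicious"]
        tpr = sum(mon.flagged(n) for n in bad) / len(bad)
        fpr = sum(mon.flagged(n) for n in good) / len(good)
        out[theta] = (tpr, fpr)
    return out


if __name__ == "__main__":
    population = {"n1": "legit", "n2": "legit", "n3": "mobile",
                  "m1": "malicious", "m2": "malicious"}
    for theta, (tpr, fpr) in sweep([0.0, 0.05, 0.15, 0.30], population).items():
        print(f"theta={theta:.2f}  TPR={tpr:.2f}  FPR={fpr:.2f}")
```

Running the file prints one TPR/FPR pair per threshold: at θ = 0.05 every legitimate node is flagged because its channel-error windows already reach 6 % loss, at θ = 0.15 only the droppers are flagged, and at θ = 0.30 nothing is, which is the trade-off the paper resolves empirically per scenario. The "mobile" node shows the Section 4.3 rule: its window with SRL-exceeding retransmissions gets $\hat{P}_{MOB} = 1$ and is not scored as dropping.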

4.5. Complexity

  • Here the authors briefly discuss the complexity of the proposed scheme, taking into consideration both storage and computational requirements for each IDS instance.
  • Regarding memory needs, each IDS procedure running in a given node only has to handle 5 features (4 of them integers and 1 boolean) for each monitored node.
  • In terms of computational overhead, for each node to be monitored their scheme executes a maximum of 13 basic operations (arithmetic, comparisons and assignments) per analysis window.
  • Expressed in Big O notation, the complexity of the proposed detector is O(1) per analysis window and monitored node, which is lower than that of most data mining techniques, usually of order O(n), O(n²), or even greater.
  • The detection performed by the SVM classifier used in [27] requires between 2,700 and 9,000 computations per analysis window and monitored node.

4.6. Summary of the Detection Approach

  • It must be noted that the detection proposal is based on an analytical model which employs simple features to carry out the detection process.
  • The use of this methodology incurs lower computational overhead in comparison with more sophisticated techniques based on data mining or machine learning algorithms, which require higher computational complexity.
  • The operating point of their system must still be empirically obtained for specific scenarios or network conditions.

5. Implementing the Packet Dropping Detection Scheme

  • Beyond the theoretical development of their cross-layer malicious packet dropping detection method, in the following the authors discuss how to deploy their proposal.
  • The IDS has access not only to the statistics of sent packets by a given node, but also to those corresponding to the received packets.
  • The features for estimating the potential malicious behavior of a given node are indirectly collected by other nodes, which cooperate in order to provide a collaborative data collection process.
  • In the experimentation presented in Section 6 the authors show the effect of this estimation and demonstrate that it does not degrade significantly the performance of the detection system.
  • This way, the set of trustworthy monitor nodes can be replaced by a node's own neighbors in the network.

6. Performance Evaluation

  • This section describes the experimental framework used to validate the packet dropping IDS approach proposed here, and the results obtained from that evaluation.
  • The authors have carried out extensive experiments to verify the proper performance of their proposal.

6.1. Experimental Environment

  • Network Simulator 2 (NS-2) [38] has been adopted as evaluation platform [39] to simulate several deployments for a MANET environment.
  • Other parameters chosen for simulation are those shown in Table 1 and Table 2.
  • The pause time is 15 s, that is, after reaching the desired destination the node waits for 15 s before choosing a new random destination and repeating the procedure.
  • Malicious nodes in the environment are configured to drop 20% of the data packets received to be forwarded towards a final destination.

6.2. Detection Results

  • The detection performance of the introduced IDS is evaluated by means of two well known parameters, namely the True Positives Rate (TPR), or detection accuracy/rate, and the False Positives Rate (FPR).
  • Each simulation is repeated 75 times (with different seed values).
  • As expected, the results obtained for the distributed-collection IDS approach are slightly worse than those obtained in the stand-alone case.
  • On the contrary, lower detection thresholds result in better TPR values, but in increasing FPR figures.

6.2.1. Influence of Window Size

  • The size of the selected event-based window for collecting the features has also been chosen through experimental results.
  • Table 3: Operating Point for Different Window Sizes.
  • As expected, the bigger the window the better detection capabilities in terms of FPR, although the size of the window cannot grow indefinitely, since this fact leads to increasing delays in the detection process.

6.2.2. Influence of Mobility

  • The authors now study the detection efficiency for different mobility conditions.
  • Six scenarios are thus simulated, with speed values from 5 m/s to 30 m/s to consider a wide range of possibilities.
  • Fig. 6 shows graphically both TPR and FPR for such different scenarios.
  • As shown, both the stand-alone and the distributed implementations achieve excellent results regarding the two metrics considered.
  • Meanwhile, FPR always remains below 4%.

6.2.3. Influence of Channel Error Probability

  • The detection efficiency under different channel error probabilities has also been studied.
  • The authors have also considered higher error probabilities to test the performance of their scheme when different channel characteristics, like shadowing or multipath fading, cause large packet losses.
  • Fig. 7 depicts graphically both TPR and FPR in these situations.
  • As shown, TPR degrades for the stand-alone implementation as channel error probability increases.
  • This is mainly due to the fact that, for every received packet, it is more likely that the node has to retransmit it several times.

6.2.4. Influence of Number of Malicious Nodes

  • Another set of experiments is aimed at analyzing the performance of both detection approaches for an increasing number of malicious nodes.
  • The results obtained are presented in Fig. 8.
  • That is, the proposal provides again very good detection results.

6.2.5. Discussion and Comparison of Detection Results

  • From the above figures, it is clear that their IDS proposal can efficiently detect the malicious nodes in the environment with an overall accuracy above 93%.
  • The authors have also carried out a more realistic comparison between their results and those exhibited by other similar schemes (in comparable scenarios) in [22, 23, 27].
  • In order to show the suitability of this comparison among detection results, Table 4 presents for each scheme some parameters defining the scenarios considered.
  • This scheme integrates three different subsystems (a Bayes-based classifier, Markov chains and an association rule algorithm), which results in a more complex approach.


Citations
Journal ArticleDOI
TL;DR: An active trust verification mechanism is innovatively proposed in the VTE mechanism, which evaluates the trust of MVs by sending UAVs to perceive IoT devices data as baseline data, which is a fundamental change to the previous passive and unverifiable trust mechanism.
Abstract: Billions of sensors and devices are connecting to the Internet of Things (IoT) and generating massive data which are beneficial for smart network systems. However, low-cost, secure, and efficient data collection from billions of IoT devices in smart cities is a huge challenge. Recruiting mobile vehicles (MVs) has been proved to be an effective data collection scheme. However, the previous approaches rarely considered security. In this paper, a novel Baseline Data based Verifiable Trust Evaluation (BD-VTE) scheme is proposed to guarantee security at a low cost. The BD-VTE scheme includes a Verifiable Trust Evaluation (VTE) mechanism, an Effectiveness-based Incentive (EI) mechanism, and a Secondary Path Planning (SPP) strategy, which are respectively used for reliable trust evaluation, reasonable reward, and efficient path adjustment. Among them, an active trust verification mechanism is innovatively proposed in the VTE mechanism, which evaluates the trust of MVs by sending UAVs to perceive IoT device data as baseline data. This is a fundamental change to the previous passive and unverifiable trust mechanism. The simulation results show that the BD-VTE scheme reduces the cost by at least 25.12% ∼ 38.03%, improves the collection rate by 0.91% ∼ 9.65% and increases the accuracy by 10.28% on average compared with the previous strategies.

119 citations

Journal ArticleDOI
TL;DR: 2020 is anticipated as the turning point where deployments become common, not merely just a topic of conversation but where the need for collective, intelligent detection agents work across all layers of the IoT becomes a reality.

38 citations

Journal ArticleDOI
TL;DR: A novel technique using Localized Secure Architecture for MANET (LSAM) routing protocol is proposed to detect and prevent co-operative black hole attack and it is shown that the proposed protocol is more secured and efficient.
Abstract: A black hole attack refers to an attack by one or more malicious nodes which forcibly capture the route from source to destination by sending a reply with the largest sequence number and smallest hop count. In this paper, a novel technique using the Localized Secure Architecture for MANET (LSAM) routing protocol is proposed to detect and prevent the co-operative black hole attack. Security Monitoring Nodes (SMNs) would be activated only if the threshold value is exceeded. If malicious nodes are detected, other SMNs in its proximity area are notified to isolate the malicious nodes. A network simulator tool is used to analyze the network performance of different scenarios with various numbers of nodes. Packet delivery ratio (PDR), routing overhead, control overhead, packet drop rate, throughput and end-to-end delay (EED) are the factors taken into consideration for performance analysis, and it is shown that the proposed protocol is more secure and efficient. PDR has been increased by 27 % in the presence of 40 % misbehaving nodes, while the percentage of overhead on the proposed routing protocol increases from 1 to 4 %. EED is greatly reduced from 0.9 to 0.3 % in LSAM.

38 citations

Journal ArticleDOI
TL;DR: An Active and Verifiable Trust Evaluation (AVTE) approach is proposed to identify the credibility of IoT devices, so to ensure reliable data collection for Edge Computing with low cost and theoretical analysis shows that AVTE approach can improve the data collection rate by 0.5 ~ 23.16% while ensuring long network lifetime compared with the existing scheme.
Abstract: Billions of Internet of Thing (IoT) devices are deployed in edge network. They are used to monitor specific event, process and to collect huge data to control center with smart decision based on the collected data. However, some malicious IoT devices may interrupt and interfere with normal nodes in data collection, causing damage to edge network. Due to the open character of the edge network, how to identify the credibility of these nodes, thereby identifying malicious IoT devices, and ensure reliable data collection in the edge network is a great challenge. In this paper, an Active and Verifiable Trust Evaluation (AVTE) approach is proposed to identify the credibility of IoT devices, so to ensure reliable data collection for Edge Computing with low cost. The main innovations of the AVTE approach compared with the existing work are as follows: (1) In AVTE approach, the trust of the device is obtained by an actively initiated trusted detection routing method. It is fast, accurate and targeted. (2) The acquisition of trust in the AVTE approach is based on a verifiable method and it ensures that the trust degree has higher reliability. (3) The trust acquisition method proposed in this paper is low-cost. An encoding returned verification method is applied to obtain verification messages at a very low cost. This paper proposes an encoding returned verification method, which can obtain verification messages at a very low cost. In addition, the strategy of this paper adopts initiation and verification of adaptive active trust detection according to the different energy consumption of IoT devices, so as to reliably obtain the trust of device under the premise of ensuring network lifetime. Theoretical analysis shows that AVTE approach can improve the data collection rate by 0.5 ~ 23.16% while ensuring long network lifetime compared with the existing scheme.

30 citations


Cites background from "A model of data forwarding in MANET..."

  • ...Because most applications are based on the data sensed and acquired by IoT devices [13, 14], many emerging applications sensitive to latency and bandwidth, such as virtual reality, augmented reality and infrastructure for smart cities, benefit from edge computing....

    [...]

Journal ArticleDOI
TL;DR: A fully decentralized mechanism that allows a node to monitor and detect neighbors that are malicious even if they have a changing behavior, based on a Bernoulli Bayesian model for nodes behavior classification and a Markov chain model for behavior evolution tracking is proposed.

27 citations

References
Proceedings ArticleDOI
14 Jun 2009
TL;DR: A simple analytical model for packet loss is presented that helps a monitoring node to detect malicious packet dropping attacks and shows that it is possible to detection malicious packet drops in the presence of collisions and channel errors.
Abstract: Detecting malicious packet dropping is important in ad hoc networks to combat a variety of security attacks such as blackhole, greyhole, and wormhole attacks. We consider the detection of malicious packet drops in the presence of collisions and channel errors and describe a method to distinguish between these types. We present a simple analytical model for packet loss that helps a monitoring node to detect malicious packet dropping attacks. The model is analyzed and evaluated using simulations. The results show that it is possible to detect malicious packet drops in the presence of collisions and channel errors.

50 citations


"A model of data forwarding in MANET..." refers background or methods or result in this paper

  • ...For this reason, in our previous work [30] we proposed a heuristic to complete the model in [29], in order to properly deal with scenarios with mobility....

    [...]

  • ...One of the few works dealing with collisions and packet errors is [29]....

    [...]

  • ...First, we have compared our scheme with that introduced in [29]....

    [...]

  • ...As a result of such multi-layer approach, we obtained much better detection efficiency than that obtained in [29]....

    [...]

  • ...Besides including mobility as a legitimate cause for packet discards, our new model differs from the one in [29] in how the dropping probability is computed and the features are collected....

    [...]

Proceedings ArticleDOI
01 Jan 2003
TL;DR: This work uses experimental traces that represent the frame error process in 802.11a and802.11b networks under different conditions to test the accuracy of the traditional Markov models of wireless channels and suggests an approach for the parameterization of a two-state Markov model.
Abstract: Wireless fading channels are commonly characterized by Markov models. Almost all models assume the underlying channel has flat fading characteristics and that fairly simply modulation schemes are used. These assumptions are not necessarily valid for wireless channels like the ones used by IEEE 802.11 technologies. Although Markov models of wireless channels have been widely used to study the performance of communications protocols at the link and transport layers, no validation of their accuracy has been performed against experimental data. We use experimental traces that represent the frame error process in 802.11a and 802.11b networks under different conditions to test the accuracy of the traditional models. We finish by suggesting an approach, based on experimental results, for the parameterization of a two-state Markov model.

50 citations

Journal ArticleDOI
01 Aug 2009
TL;DR: This paper proposes a new solution to monitor, detect, and safely isolate misbehaving nodes in mobile ad hoc networks (MANETs) that drop packets supposed to be relayed, whose purpose may be either saving their resources or launching a DoS attack.
Abstract: In this paper we deal with misbehaving nodes in mobile ad hoc networks (MANETs) that drop packets supposed to be relayed, whose purpose may be either saving their resources or launching a DoS attack. We propose a new solution to monitor, detect, and safely isolate such misbehaving nodes, structured around five modules: (i) The monitor, responsible for controlling the forwarding of packets, (ii) the detector, which is in charge of detecting the misbehaving of monitored nodes, (iii) the isolator, basically responsible for isolating misbehaving nodes detected by the detector, (iv) the investigator, which investigates accusations before testifying when the node has not enough experience with the accused, and (v) finally the witness module that responds to witness requests of the isolator. These modules are based on new approaches, aiming at improving the efficiency in detecting and isolating misbehaving nodes with a minimum overhead. We describe these modules in details, and their interactions as well. We also mathematically analyze our solution and assess its performance by simulation, and compare it with the watchdog, which is a monitoring technique employed by almost all the current solutions.

44 citations

Proceedings ArticleDOI
19 May 2008
TL;DR: This paper proposes an acknowledgment based technique that overcomes the shortcomings of the OLSR protocol, and makes it less vulnerable to such attacks by identifying and then isolating malicious nodes in the network.
Abstract: In this paper, we address the problem of cooperative black hole attack, one of the major security issues in mobile ad hoc networks. The aim of this attack is to force nodes in the network to choose hostile nodes as relays to disseminate the partial topological information, thereby exploiting the functionality of the routing protocol to retain control packets. In optimized link state routing (OLSR) protocol, if a cooperative black hole attack is launched during the propagation of topology control (TC) packets, the topology information will not be disseminated to the whole network which may lead to routing disruption. In this paper, we investigate the effects of the cooperative black hole attack against OLSR, in which two colluding MPR nodes cooperate in order to disrupt the topology discovery. Then we propose an acknowledgment based technique that overcomes the shortcomings of the OLSR protocol, and makes it less vulnerable to such attacks by identifying and then isolating malicious nodes in the network. The simulation results of the proposed scheme show high detection rate under various scenarios.

41 citations

01 Jan 2007
TL;DR: In this article, a new anomaly detection system for MAC layer, routing layer, and application layer is presented, which contains detection subsystem for MAC level, network level and application level.
Abstract: Most intrusion detection systems for mobile ad hoc networks are focusing on either routing protocols or MAC layer traffic. This paper focuses on the design of a new anomaly detection system for each node of the network, which contains detection subsystems for the MAC layer, routing layer and application layer. Audit data taken from the MAC level/Network level/Application level from the traces in Glomosim are preprocessed separately for each layer's detection subsystem. Feature datasets for each layer are selected from normal transactions. The detection subsystem contains normal profiles obtained from the feature vectors of training data sets. In our work, we used a Bayesian classification algorithm, a Markov chain construction algorithm and an association rule mining algorithm for anomaly detection in the MAC layer, routing layer and application layer respectively for effective intrusion detection. Test data obtained from the network traffic is fed into the detection subsystems. If there is any deviation from normal behavior, it is considered as abnormal or anomaly based on predefined thresholds. Intrusion results from the detection subsystems of all the three layers are integrated at a local integration module and the final result is sent to the global integration module. Intrusion results are also received from the neighbor nodes and are sent to the global integration module for making a final decision.

33 citations

Frequently Asked Questions (2)
Q1. What have the authors contributed in "A model of data forwarding in manets for lightweight detection of malicious packet dropping" ?

This work introduces a model of data forwarding in MANETs which is used for recognizing malicious packet dropping behaviors. Second, the authors propose an anomaly-based IDS system based on an enhanced windowing method to carry out the collection and analysis of selected cross-layer features. The authors evaluate their proposal in a simulation framework and the experimental results show a considerable enhancement in detection results when compared with other approaches in the literature. Third, a real deployment of the IDS is also considered by suggesting a methodology for the collection of the selected features in a distributed manner.

Different schemes can be analyzed for that, e.g., obtaining an average of previous threshold values, computing the threshold as a function of the mobility speed, etc.

  • Finally, the authors are planning to extend their approach to include an attack model where several nodes work in collusion to evade the detection process.