Computing is moving from the PC to mobile devices. Mobile Ad hoc Networks (MANETs) are a natural way to accommodate this trend, but security is their core problem. MANETs rely on wireless links for communication, and wireless networks are more exposed to attack than wired ones; MANETs in particular are a soft target because of their inherently vulnerable design. Lack of infrastructure, open peer-to-peer connectivity, a shared wireless medium, dynamic topology and scalability are the key characteristics of MANETs, and the same characteristics make them an ideal target for security attacks. In this paper we discuss in detail what security means, why MANETs are more susceptible to attack than wired networks, a taxonomy of network attacks, and a layer-wise analysis of those attacks. Finally, we propose solutions to the security challenges according to the security criteria we frame.
Computing is now needed by everyone, everywhere, and users expect handy, on-the-spot computational resources. Advances in hardware engineering have answered this need with a range of mobile computing devices: PDAs, pocket PCs and smartphones are seen everywhere. Over the last decade the massive growth of mobile computing devices has brought a revolutionary change in computing, the emergence of ubiquitous computing, which is at present a research hot spot in the computer science community [
MANETs are the best candidate for a practical implementation of ubiquitous computing, and the wireless medium is their natural ally, because wired links cannot support heterogeneous devices, on-demand connectivity and device mobility. There are a number of practical applications of MANETs [
・ Personal area networks
・ People in an airport lounge
・ Kids playing in a playground
・ Rescue and emergency services
・ Military movement on vehicles
・ Healthcare services
・ Stock market brokers
The term “MANET” is self-descriptive: it is a temporary wireless network of arbitrary, self-organizing mobile nodes, hence Mobile Ad hoc Network [
A MANET is networking without a formal network, and it is quite easy to set up. In this infrastructure-less environment there is no dominant node and no centralized control. Nodes within radio range of each other communicate directly, while nodes that are not in direct range communicate over multiple hops, with intermediate nodes relaying their traffic.
Multi-hop routing is therefore the core of MANET communication, and it requires an efficient, power-aware routing protocol with low control-traffic overhead [
Forming a MANET is simple. Heterogeneous devices with varying capabilities and processing power may join the network, even at runtime. There is no fixed topology and no limit on the number of nodes; nodes are free to join, leave and move with any mobility pattern, on the fly. The typical key features of MANETs are [
・ Absence of Infrastructure
・ Peer to peer connectivity/communication
・ Dynamic topology
・ Shared wireless medium
・ Scalability
These features make MANETs highly susceptible to security attacks. Section two of this paper discusses what security means; section three covers the vulnerabilities of MANETs, section four a taxonomy of network attacks, and section five a layer-wise analysis of those attacks. Section six proposes solutions to the security challenges, and the paper closes with our conclusions and directions for future research.
Three questions are open to debate:
・ What does security mean?
・ Does a criterion for measuring safety exist?
・ How can the security state of a mobile ad hoc network be assessed?
To answer them we must formulate security criteria. The following properties are our guidelines for evaluating the security state of a MANET.
Availability guarantees that every privileged node can access all services of the network under any circumstances [
Integrity means that a message is not altered or tampered with while in transit. A message in flight could be truncated, replayed or altered by a malicious attack, or corrupted by an accidental hardware failure [
Confidentiality is the privacy of information. A mechanism must exist to protect information from exposure to unauthorized entities; only privileged nodes should have access to private information.
In a network, entities are issued specific credentials, and those credentials define their privileges to access particular network services. Authorization is the decision, based on those credentials, of what an entity is allowed to do. It presupposes that the receiver can verify that a message really comes from the entity holding the credential, which is usually done with a certificate or digital signature.
Authenticity means that both sender and receiver are who they claim to be and not impersonators [
Non-repudiation means that a sender cannot deny what it has transmitted, nor a receiver what it has received; both must own their mutual communication. It is especially useful for tracing compromised nodes: a node that identifies erroneous messages can alert the others, with evidence, to the expected abnormal behaviour of that transmitter.
Anonymity is closely related to privacy. It demands that information about the identity of the current node be kept private, both by the node itself and by the system software; it is the only way to keep a node's privacy from being exposed to other nodes.
The wireless medium is more exposed to security attacks than wired links because of its own vulnerabilities. Since the wireless medium is the backbone of MANETs, MANETs inherit all the weaknesses of wireless links, which makes them highly vulnerable and a hive for attacks in every season. We discuss these vulnerabilities one by one.
Radio waves are broadcast. The unguided signal spreads in all directions and covers an elastic, roughly circular range, within which received strength depends mainly on distance from the transmitter; a wireless link therefore has no sharp boundary [
Varying signal strength is another problem of the wireless medium. Strength depends on the transmitter, the antenna and, to some extent, battery power, and it falls off with distance (roughly with the square of the distance in free space). Intervening walls and buildings weaken it further. Weak signals may make intermediate nodes, and ultimately the services that depend on them, unreachable. Varying signal strength therefore causes QoS problems and can even create the illusion of a denial-of-service attack.
Because MANETs communicate over the air they are highly susceptible to external signal interference, which is often seriously destructive and may corrupt vital information. External interference is also considered a path to active interference, data-tampering and information-leakage attacks.
In MANETs nodes flood packets by broadcasting, and only nodes within the transmitter's radius detect the signal. This distance-dependent carrier sensing creates the hidden/exposed node problem. The hidden node problem arises when two transmitters that cannot hear each other send to a common receiver at the same time: each senses the channel as idle, and their transmissions collide at the receiver [
MANETs have no infrastructure, and the lack of central management is a major threat to their security. There is no network server, hence no centralized entity to impose network policy, trust management and authorization, and no security feature is built in by the infrastructure. With no built-in security and heavy traffic flow it is difficult to detect malicious activity in a highly dynamic network like a MANET [
Wireless links make MANETs a hot cake for attackers. An attacker exploits the vulnerable nature of a MANET to place a compromised node inside it: an adversary node captured by unfair means that carries out further malicious activity from within. Once inside, it is easy for the attacker to use the compromised node to gain access to, and control over, ongoing communication [
Instead of being designed specifically for MANETs, many MANET routing protocols are borrowed from wireless routing protocols that were designed and configured for a static wireless environment. Mobility is the key feature of MANETs, and statically configured protocols cannot handle the security threats that mobility introduces. Secure versions of the protocols are required to protect MANETs; sDSR, sAODV, sOLSR and sDSDV have been recommended as secure versions of DSR, AODV, OLSR and DSDV respectively.
Wired links generally provide more bandwidth than wireless links because they carry data over a confined physical line, whereas radio channels are shared among many users. Wireless communication is broadcast, so a large share of the bandwidth is consumed by the broadcasts themselves, and periodic hello messages for neighbour sensing add further overhead. Shared bandwidth is the major drawback of the wireless medium: it limits data rate, quality of service and successful packet delivery, and an attacker can launch a denial-of-service attack simply by consuming a large part of it.
Unlike wired networks, whose scale is usually fixed at design time, MANETs grow and shrink on the fly. Freedom to join and mobility make the scale of a MANET hard to predict, and scalability raises serious routing and QoS concerns. Network services such as key management and routing must cope with the varying scale of a MANET; for example, OLSR is more scalable than DSR because of its use of multipoint relays (MPRs) [
Most MANET devices are mobile and rely on batteries for radio transmission, whereas wired devices draw power from mains outlets and are not battery constrained.
Limited battery power is a major threat in MANETs. An adversary may flood a battery-constrained node with continuous route requests, or lure it into some other battery-consuming activity, until its battery is exhausted; every node reachable only through the target then goes out of service as well.
Nodes facing limited power may also turn selfish. The network then suffers from the intentional non-cooperation of selfish nodes, which are rightly considered a kind of security threat.
Network attacks can be categorized in several ways: by the locality of the attacker, by the nature of the attack interaction, and by the target layer of the OSI model. We discuss the major classifications.
In the broadest sense, attacks against MANETs are either internal or external [
Based on the nature of the interaction, attacks against MANETs are either active or passive. The word passive is self-descriptive: such attacks act like slow poisoning, do not seriously alter packets or routine network operations, and are hard to detect because their action is mild. Passive attacks usually infer information from routed traffic rather than disturbing the routing [
Routing is the core of communication in a MANET. It is the only mechanism that establishes a path between sender and receiver, and the basic responsibility of a routing protocol is to establish an efficient one. Because routing is so central, it constantly invites attackers to launch routing attacks against MANETs [
In a modification attack the adversary node makes changes to routing messages, so that the routing message loses its integrity. Packet misrouting, in which a message is diverted from its original route, is a good example [
An interception attack intercepts the normal flow of routing messages through unauthorized access; the packets may then be altered before they are forwarded. Wormhole attacks, black hole attacks and routing-packet analysis are the major examples.
Fabrication is another way to disrupt network operation: the attacker injects packets of its own to disorder routine operations. The lack of authentication in MANET routing protocols allows fabrication attacks that generate erroneous routing messages [
Interruption attacks interrupt routine traffic by blocking routing messages before they reach their destination, using techniques such as packet dropping and flooding.
The ISO (International Organization for Standardization) proposed a conceptual model of networking, the OSI model, in which the internal functions of a communication system are divided into seven abstract layers [
Since the physical layer deals with the physical medium and network devices, this section discusses attacks that originate from the medium and the hardware. In the absence of secure boundaries [
OSI Layer | Attacks
---|---
Physical layer | Eavesdropping, jamming, active interference
Data link layer | Selfish node behaviour, malicious node behaviour, DoS (denial of service), integrity attacks, traffic misrouting
Network layer | Black hole, wormhole, sinkhole, replay, link spoofing, resource consumption, Sybil
Transport layer | SYN flooding, session hijacking
Application layer | Malicious behaviour, data corruption, viruses
Eavesdropping is a technique in which the attacker arranges for passive listening to messages by an unintended receiver [
The technique is simple: a wireless medium can be intercepted just by tuning a receiver to the right frequency. Eavesdropping usually aims to steal secret information, such as private keys, public keys and passwords, by tapping the wireless link, and the captured information is then used in subsequent attacks.
Jamming attacks are specific to the wireless medium; in wired networks there is no concept of signal jamming. Jamming degrades the performance of the wireless medium by lowering signal availability [
Active interference is a major problem with wireless signals. Interference from internal or external electromagnetic sources can strongly disturb wireless signals and ultimately cause denial of service; it may also reorder messages or replay old ones. Active interference is a special case of jamming: the challenger node corrupts transmitted messages by interfering electromagnetically with the operating frequencies of the targeted receivers [
MAC layer attacks are classified by their penetration level and their effect on issues such as route discovery failure, energy consumption and link breakage [
A selfish node is a misbehaving node that is not expected to attack other nodes: it simply withholds its services from the rest of the network, refusing to cooperate in order to save its own battery, CPU cycles and bandwidth. Networks often encounter a node that is connected but intentionally refuses to forward packets to conserve battery power and bandwidth; this behaviour is known as free riding [
Selfish nodes fall into three categories according to their level of selfishness.
SN1―The node takes part in route discovery and maintenance but does not forward packets for other nodes.
SN2―The node takes no part in routing or maintenance and only transmits its own packets.
SN3―The node behaves normally while its energy level is above a threshold, but behaves like SN2 once the battery drops below it.
The degree and technique of selfishness depend on the protocol in use. A node running DSR, for example, may exhibit a number of misbehaviours to save energy and resources, such as: [
・ Don't respond to route requests (RREQ)
・ Don't relay route replies (RREP)
・ Set the hop limit/TTL to some minimum value
・ Don't send acknowledgements
・ Don't forward packets
・ Drop data packets
Another category of misbehaving node is the malicious node. Malicious nodes are more dangerous than selfish ones because they actively attack other nodes, whereas selfish nodes merely refuse to take part in network operations. Besides the misbehaviours of selfish nodes, malicious nodes may exhibit the following:
1) Denial of service (DoS) attacks
Denial-of-service attacks aim to take away the availability of a whole node, or of some of the services it offers to the network; in other words, services become unavailable to their intended receivers. DoS attacks usually originate from a malicious, compromised node and prevent the victim from benefiting from network services. They can be launched in many ways; exploiting the link layer, an attacker may abuse the binary exponential back-off scheme of IEEE 802.11 to deny channel access to its local neighbours on a wireless link [
2) Attacks on network integrity
Integrity means that a message is not altered or tampered with after transmission. At runtime a message may be truncated, tampered with or altered by a malicious attack, so integrity attacks must be dealt with.
3) Attacks on neighbour sensing protocols
A malicious node can advertise fake error messages so that links between neighbouring nodes are marked as broken. The link between two neighbours then stops being used, and the neighbours may even fail to sense each other's availability.
4) Traffic analysis
An adversary node may exploit traffic patterns by analysing the flow of traffic between nodes. Confidential information about topology and traffic flow can be extracted from these patterns, which guide the attacker to the active, high-value targets in the network. Analysing traffic patterns reveals:
・ Location of active nodes
・ Topological information
・ Available source and destination nodes
In a MANET nodes are connected hop by hop [
Routing is the core of communication in a network. Different routing protocols such as DSR [
In a black hole attack a malicious node advertises itself as the optimal choice for routing from source to destination. On receiving a route request from the source it immediately replies with a fake shortest path [
Consider the AODV protocol as a case scenario (
In [
A wormhole attack involves more than one malicious node, unlike a rushing attack, which needs only a single one. When a malicious node receives packets it sends them to a second malicious node through a tunnel; that controlled tunnel between the two malicious nodes is the wormhole [
The sinkhole attack is another dangerous attack on MANETs. A malicious node broadcasts false routing information to advertise itself as a particular node, attracts the whole network's traffic, and then alters incoming packets before re-forwarding them, or simply drops them. The malicious node tries to capture the secure information of other nodes, as shown in
Sinkhole attacks degrade the performance of routing protocols such as AODV by maximizing the destination sequence number or minimizing the hop count in the routes they advertise [
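The black hole and sinkhole behaviour just described can be made concrete with a small simulation. The following Python is an added example, not code from this paper or from any AODV implementation: it models only the two RREP fields that drive AODV route selection (destination sequence number first, then hop count), a malicious node M that answers with an inflated sequence number and a one-hop claim, and an assumed plausibility check on the sequence-number jump that an honest source can apply before trusting a reply. Node names, numbers and the jump limit are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteReply:
    """The RREP fields that drive AODV route selection (constructed model)."""
    replier: str    # node that answered the RREQ
    dest: str       # destination the reply is about
    dest_seq: int   # destination sequence number claimed in the reply
    hop_count: int  # hop count as received at the source, i.e. distance to dest


def select_route(replies, known_dest_seq):
    """AODV preference: newest destination sequence number wins, ties go to
    the fewest hops. Replies staler than the route already known are ignored."""
    fresh = [r for r in replies if r.dest_seq >= known_dest_seq]
    if not fresh:
        return None
    return max(fresh, key=lambda r: (r.dest_seq, -r.hop_count))


def select_route_guarded(replies, known_dest_seq, max_seq_jump=10):
    """Same preference, but an RREP whose sequence number leaps far beyond
    the last value the source saw is discarded as implausible. The jump limit
    is an assumed heuristic for this example, not an AODV constant."""
    plausible = [r for r in replies if r.dest_seq <= known_dest_seq + max_seq_jump]
    return select_route(plausible, known_dest_seq)


BLACK_HOLE = "M"
LAST_KNOWN_SEQ = 40   # sequence number the source last recorded for D

# Constructed replies to one RREQ for destination D: B has a cached route,
# D answers itself, and M is the black hole with an inflated sequence number
# and a one-hop claim that no honest node could match.
REPLIES = [
    RouteReply(replier="B", dest="D", dest_seq=42, hop_count=3),
    RouteReply(replier="D", dest="D", dest_seq=42, hop_count=4),
    RouteReply(replier=BLACK_HOLE, dest="D", dest_seq=9999, hop_count=1),
]


def delivered(route, packets):
    """Packets that reach the destination: a black hole drops all of them."""
    if route is None or route.replier == BLACK_HOLE:
        return 0
    return packets


def compare(packets=100):
    """Return (naive choice, packets delivered, guarded choice, packets delivered)."""
    naive = select_route(REPLIES, LAST_KNOWN_SEQ)
    guarded = select_route_guarded(REPLIES, LAST_KNOWN_SEQ)
    return (naive.replier, delivered(naive, packets),
            guarded.replier, delivered(guarded, packets))


if __name__ == "__main__":
    print("naive vs guarded:", compare())   # ('M', 0, 'B', 100)
```

The guard is deliberately crude: a legitimate destination that has been out of contact for a long time can also show a large sequence-number jump, so in practice this heuristic is a trigger for further checking (a second RREQ, or cross-checking the other replies) rather than a hard reject.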
A MANET is a network of self-organizing, arbitrarily moving nodes whose locations change dynamically at run time. Replay attacks exploit this. In a replay attack [
the malicious node records control packets of other nodes (TC messages in the case of OLSR), moves to another location and resends them later. Other nodes are thus deceived into recording stale routes in their routing tables that no longer exist at all. Typically packets are delayed or fraudulently repeated by the malicious node.
In a link withholding or link spoofing attack the malicious node either withholds a link, not broadcasting routing information to specific nodes, or advertises false link information to non-neighbouring nodes in order to disturb routing [
In a resource consumption attack a compromised node engages a victim in bogus network operations to exhaust its battery power and bandwidth, typically by sending it excessive route requests [
Sybil attacks are launched by generating a number of fake identities for a network node: a single malicious node presents itself as many independent nodes. The additional fake identities acquired by the malicious node are called Sybil nodes [
See the
“Z” is a brand-new Sybil identity, while the identities “X” and “Y” are stolen from legitimate nodes so that their traffic is diverted through node “M”. Node “M” can then either pass or block the traffic towards node “D”.
A Byzantine attack may involve a single compromised node or a group of them. Byzantine attacks usually target MANETs by creating routing loops or forwarding packets along non-optimal paths, degrading the network's overall routing service [
The transport layer accepts variable-length messages from the session layer, splits them into segments and hands them to the network layer for transmission; at the destination the segments are reassembled. Sequencing and reassembly are therefore its two key operations: during segmentation TCP assigns a sequence number to each segment, and the receiver uses those numbers to reassemble them in order. TCP and UDP are the two major transport protocols. Transport-layer attacks manipulate sequence numbers to disturb reassembly and connection state.
In a MANET only the initial setup of a session is protected; there is no session protection mechanism during the subsequent communication. An attacker exploits this by spoofing the IP address of the victim node, which lets the malicious node behave as a legitimate one. After spoofing, the attacker captures the sequence numbers from the packets and, with them, is in a position to inject traffic and to launch denial-of-service attacks. Secret information such as passwords and login names is usually captured during session hijacking.
A TCP ACK storm is a good example of the effect of session hijacking. See the
SYN flooding is a denial-of-service attack in which the attacker sends a stream of SYN requests to the target node to consume its resources and make it unavailable to legitimate traffic. Normally a connection is established by a three-way handshake between sender and receiver:
1) Node “X” requests a connection by sending a SYN segment to node “Y”.
2) Node “Y” acknowledges the request by sending a SYN-ACK segment to node “X”.
3) Node “X” responds with an ACK, and the connection between “X” and “Y” is established.
In a SYN flood, node “X” sends SYN segments to node “Y” in large numbers, often with spoofed source IP addresses, but never sends the final ACK for the SYN-ACKs that “Y” generates. Each unanswered SYN leaves a half-open connection in “Y”'s backlog, and “Y” keeps retransmitting the SYN-ACK while it waits. Once the backlog of half-open connections is full, “Y” drops further SYNs, including those of legitimate clients, and service is denied.
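To show that the half-open backlog is the resource a SYN flood exhausts, and how a stateless listener sidesteps it, the following Python is an added example, not from the paper: a toy listener that reserves a backlog slot per SYN, beside a second listener that instead derives its initial sequence number from a keyed hash of the connection (the SYN-cookie idea) and stores nothing until a valid ACK arrives. The backlog size, secret, cookie layout and addresses are assumptions; real stacks also fold the MSS and a timestamp into the cookie.

```python
import hashlib
import hmac


class BacklogListener:
    """Classic listener: each SYN reserves a slot in a bounded backlog until the
    client's ACK completes the handshake (constructed model, not a real stack)."""

    def __init__(self, backlog=8):
        self.backlog = backlog
        self.half_open = {}       # client (ip, port) -> server ISN awaiting ACK
        self.established = set()
        self.dropped_syns = 0
        self._next_isn = 1000     # toy ISN generator

    def on_syn(self, client, client_isn):
        """Return the server ISN sent in the SYN-ACK, or None if the SYN is dropped."""
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1    # backlog full: no room for another half-open entry
            return None
        isn = self._next_isn
        self._next_isn += 1
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, client_isn, ack_number):
        """Third handshake message; client_isn is unused here, kept for symmetry."""
        isn = self.half_open.get(client)
        if isn is None or ack_number != isn + 1:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class SynCookieListener:
    """Stateless listener: the server ISN is a keyed hash (cookie) of the client
    address, the client ISN and a coarse time slot. Nothing is stored until an
    ACK carries cookie + 1, proving the client really received our SYN-ACK."""

    def __init__(self, secret, time_slot=0):
        self.secret = secret
        self.time_slot = time_slot   # a real stack advances this on a timer
        self.established = set()

    def _cookie(self, client, client_isn, time_slot):
        msg = f"{client[0]}:{client[1]}:{client_isn}:{time_slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, client, client_isn):
        return self._cookie(client, client_isn, self.time_slot)   # no state kept

    def on_ack(self, client, client_isn, ack_number):
        """client_isn is recovered from the ACK's own sequence number (seq - 1).
        The previous time slot is also accepted to tolerate a slow handshake."""
        for slot in (self.time_slot, self.time_slot - 1):
            if ack_number == self._cookie(client, client_isn, slot) + 1:
                self.established.add(client)
                return True
        return False


def flood_then_connect(listener, spoofed=50):
    """Send `spoofed` SYNs from spoofed sources that never answer the SYN-ACK,
    then attempt one legitimate handshake and report whether it completed."""
    for i in range(spoofed):
        listener.on_syn((f"10.0.0.{i % 250 + 1}", 40000 + i), client_isn=500 + i)
    client, client_isn = ("192.168.1.7", 51515), 777
    server_isn = listener.on_syn(client, client_isn)
    if server_isn is None:
        return False                      # SYN dropped: the connection never starts
    return listener.on_ack(client, client_isn, server_isn + 1)


if __name__ == "__main__":
    print("backlog listener survives flood:", flood_then_connect(BacklogListener()))          # False
    print("SYN-cookie listener survives flood:", flood_then_connect(SynCookieListener(b"k")))  # True
```

The cookie listener trades memory for CPU (one HMAC per SYN and per ACK) and gives up any TCP option it cannot squeeze into the 32-bit ISN, which is why production stacks enable cookies only once the backlog is under pressure rather than permanently.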
The application layer is where the user interacts with data. Many protocols work at this layer, such as HTTP, SMTP, FTP and TELNET; they have vulnerabilities of their own and can be attacked by an expert attacker at the application layer.
The general rule of data processing, GIGO (garbage in, garbage out), also applies to data communication: if wrong data is transmitted, the target will receive wrong data. At the application layer great care is needed to protect data against malicious code, worms and viruses, both before transmission and after reception. Viruses, spyware, Trojan horses and other malicious code can damage applications, data and even the operating system. Data corruption attacks, which change the format of data or render it unreadable, are very common at this layer, so measures must be taken to protect data and counter application-layer attacks.
Repudiation is the denial of active participation in network communication: a node refuses to take ownership of what it has transmitted or received. In the presence of repudiation attacks it becomes difficult to isolate the origin of malicious activity, since no one accepts responsibility. Attacks remain possible at the application layer, and many of the security measures taken at lower layers are not sufficient to protect its traffic. Application-layer programs such as antivirus software and firewalls must be configured properly; firewall and logical port security matter as well, because an attacker may exploit open ports. The running applications and the operating system should together guarantee the security and availability of the underlying logical communication ports.
MANET attacks are summarized in the following table.
Classification | Layer / subclass | Attack
---|---|---
External and internal attacks | |
Active and passive attacks | |
Stallings' classification of routing attacks | Modification attacks |
 | Interception attacks |
 | Fabrication attacks |
 | Interruption attacks |
Layer-wise network attacks | Physical layer attacks | Eavesdropping
 | | Jamming attacks
 | | Active interference attacks
 | Data/MAC layer attacks | Selfish node behaviour
 | | Malicious node behaviour: DoS attacks
 | | Malicious node behaviour: attacks on network integrity
 | | Malicious node behaviour: attacks on neighbour sensing protocols
 | | Malicious node behaviour: traffic analysis
 | Network layer attacks | Black hole attacks
 | | Rushing attacks
 | | Wormhole attacks
 | | Sinkhole attacks
 | | Replay attacks
 | | Link withholding and spoofing attacks
 | | Resource consumption attacks
 | | Sybil attacks
 | | Byzantine attacks
 | Transport layer attacks | Session hijacking
 | | SYN flooding attacks
 | Application layer attacks | Malicious code attacks
 | | Repudiation attacks
So far we have dealt with MANETs, their vulnerabilities and the different types of MANET attack. After this detailed analysis of wireless network vulnerabilities and attacks we are now in a position to propose some solutions. It is time to meet the security challenges and make MANETs more secure. Broadly, there are three classes of solution:
・ Cryptography/Encryption
・ Intrusion detection system
・ Secure routing
Cryptography was one of the earliest solutions proposed for protecting data in transit from sender to receiver. Data is encrypted at the source before transmission and decrypted at the destination with a mutually agreed key, restoring it to an intelligible form. Many cryptographic techniques are used, such as public-key encryption, authentication and digital signatures.
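Applied to the routing control messages discussed in the network-layer section, a shared-key message authentication code plus a per-originator sequence number gives the integrity and authenticity properties from the security criteria and defeats the replay of recorded control packets. The following Python is an added example with an assumed message layout, not the OLSR wire format or any deployed scheme; it also shows what a symmetric MAC cannot give, namely non-repudiation, since every key holder can produce a valid tag.

```python
import hashlib
import hmac
import json


def encode_message(key, originator, seq, body):
    """Serialize a control message and append an HMAC-SHA256 tag over it.
    The '|'-separated layout is an assumption for this example only."""
    payload = json.dumps({"orig": originator, "seq": seq, "body": body},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


class Receiver:
    """Verifies the tag first, then enforces a strictly increasing sequence
    number per originator so recorded messages cannot be resent later."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}      # originator -> highest sequence number accepted
        self.accepted = []

    def receive(self, raw):
        payload, sep, tag = raw.rpartition(b"|")
        if not sep:
            return "malformed"
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "bad_mac"           # forged, or modified in transit
        msg = json.loads(payload)
        if msg["seq"] <= self.last_seq.get(msg["orig"], -1):
            return "replay"            # old or duplicated control packet
        self.last_seq[msg["orig"]] = msg["seq"]
        self.accepted.append(msg)
        return "ok"


def scenario():
    """Honest node A sends two TC-style messages; M replays, tampers and forges.
    Returns the receiver's verdict for each delivery, in order (constructed data)."""
    key = b"group-key-shared-by-legitimate-nodes"
    rx = Receiver(key)
    tc1 = encode_message(key, "A", 1, {"neighbors": ["B", "C"]})
    tc2 = encode_message(key, "A", 2, {"neighbors": ["B"]})
    replayed = tc1                                   # recorded earlier, resent later
    tampered = tc2.replace(b'["B"]', b'["B", "M"]')  # M inserts itself as a neighbour
    forged = encode_message(b"wrong-key", "A", 3, {"neighbors": ["M"]})
    return [rx.receive(m) for m in (tc1, tc2, replayed, tampered, forged)]


if __name__ == "__main__":
    print(scenario())   # ['ok', 'ok', 'replay', 'bad_mac', 'bad_mac']
```

Because every legitimate node holds the same key, a compromised node can both read and forge traffic; non-repudiation needs per-node asymmetric keys (digital signatures) at a higher cost in CPU and battery. The sequence number must also survive reboots, or be paired with a timestamp, otherwise a node that restarts at zero is rejected by its own neighbours as a replay.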
There was a time when cryptography was considered sufficient for intrusion prevention, but it was soon realized that it was no more than first aid against security threats, and the idea of a proper intrusion detection system entered network security. Intrusion detection monitors the activities of the network at run time. An intrusion detection system (IDS) collects data about network activity and evaluates it to trace any security violation; if it finds a hazard it alerts the network and launches a defensive response. Intrusion detection systems rest on two basic assumptions [
・ It is possible to monitor the activities of the user and the program.
・ A clear line of differentiation can be drawn between normal and intrusive network activities.
Early intrusion detection systems were developed for wired networks, where traffic must pass through network devices such as routers and gateways, so an IDS can easily be built into those devices [
・ Host based IDS
・ Network based IDS
A host-based IDS relies on operating system and application logs, while a network-based IDS relies on packets captured from network traffic. By detection technique, IDSs fall into three categories [
1) Anomaly detection: the system records normal network behaviour as a baseline and periodically compares captured data against it; any deviation from the baseline is treated as an intrusion.
2) Misuse detection: the system keeps definitions (signatures) of known attacks and matches captured data against them.
3) Specification-based detection: a set of constraints defines the normal behaviour of the network, and the system continuously checks network operations against those defined parameters.
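The three techniques behave differently on the same audit data. The following Python, an added example and not the IDS of this paper or of Zhang and Lee, runs anomaly, misuse and specification-based checks over constructed per-node audit records (route requests sent, packets received for forwarding, packets actually forwarded); the records cover the RREQ flood of a resource consumption attack and the packet dropping of a selfish node from the MAC-layer section. The training data, thresholds and signatures are assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuditRecord:
    """One node's activity in one monitoring interval (constructed format)."""
    node: str
    rreq_sent: int        # route requests originated
    pkts_to_forward: int  # packets received that the node should relay
    pkts_forwarded: int   # packets it actually relayed

    @property
    def forward_ratio(self):
        if self.pkts_to_forward == 0:
            return 1.0
        return self.pkts_forwarded / self.pkts_to_forward


class AnomalyDetector:
    """Statistical anomaly detection: learn mean/std of normal behaviour and
    flag observations more than z_threshold standard deviations off."""

    def __init__(self, training, z_threshold=3.0):
        rreqs = [r.rreq_sent for r in training]
        ratios = [r.forward_ratio for r in training]
        self.rreq_mean, self.rreq_sd = mean(rreqs), pstdev(rreqs) or 1.0
        self.ratio_mean, self.ratio_sd = mean(ratios), pstdev(ratios) or 1e-3
        self.z = z_threshold

    def check(self, rec):
        alerts = []
        if (rec.rreq_sent - self.rreq_mean) / self.rreq_sd > self.z:
            alerts.append("rreq_rate")
        if (self.ratio_mean - rec.forward_ratio) / self.ratio_sd > self.z:
            alerts.append("forward_ratio")
        return alerts


# Misuse detection: signatures of known attacks (assumed thresholds).
SIGNATURES = {
    "rreq_flood": lambda r: r.rreq_sent >= 50,
    "selfish_dropping": lambda r: r.pkts_to_forward >= 20 and r.forward_ratio < 0.5,
}

# Specification-based detection: constraints every well-behaved node must meet.
SPECIFICATION = {
    "rreq_limit": lambda r: r.rreq_sent <= 10,
    "min_forward_ratio": lambda r: r.forward_ratio >= 0.8,
}


def misuse_check(rec):
    return [name for name, matches in SIGNATURES.items() if matches(rec)]


def spec_check(rec):
    return [name for name, holds in SPECIFICATION.items() if not holds(rec)]


def evaluate(training, observed):
    """Run all three detectors over the observed records; returns node -> alerts."""
    anomaly = AnomalyDetector(training)
    return {r.node: {"anomaly": anomaly.check(r),
                     "misuse": misuse_check(r),
                     "spec": spec_check(r)} for r in observed}


# Constructed baseline of normal behaviour for nodes A, B and C.
TRAINING = [
    AuditRecord("A", 3, 100, 97), AuditRecord("B", 5, 80, 76),
    AuditRecord("C", 2, 120, 118), AuditRecord("A", 4, 90, 88),
    AuditRecord("B", 6, 110, 104), AuditRecord("C", 3, 70, 68),
]

# Constructed observations: A is normal, M floods RREQs (resource consumption),
# S drops most packets it should relay (selfish), N sends a moderate RREQ
# excess that matches no signature.
OBSERVED = [
    AuditRecord("A", 4, 100, 98),
    AuditRecord("M", 60, 50, 49),
    AuditRecord("S", 3, 100, 10),
    AuditRecord("N", 12, 100, 96),
]


if __name__ == "__main__":
    for node, verdict in evaluate(TRAINING, OBSERVED).items():
        print(node, verdict)
```

Node N is the case the local detection engine discussion below is about: misuse detection misses it because no signature matches, while the statistical baseline and the specification both flag it. The cost is on the false-positive side: a legitimate node whose traffic changes for a good reason (a new application, a burst of route discoveries after a topology change) also drifts from the baseline, so thresholds and training windows must be tuned per deployment.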
Which IDS is best for MANETs? Several IDS architectures exist, and the optimal one for a MANET may depend on the network configuration itself [
・ Stand alone IDS
・ Distributed and cooperative IDS
・ Hierarchical IDS
・ Mobile agent
In stand-alone architecture, the IDS run on each node independently. The IDS just monitors the behavior of that particular node only, on which it is installed. There is no exchange of data and cooperation among different nodes of the network even in the same network nodes remain unaware of what is happening with neighboring nodes. Although this architecture is not so much effective due to its limitations but it may be implemented where each node is capable of running IDS. It is not recommended for MANET.
Keeping in mind the vulnerable nature of MANET, the distributed and cooperative model of IDS was first proposed by Zhang and Lee [
Inter-node cooperation occurs especially when a node detects an anomaly but does not have enough evidence to figure out what kind of intrusion has occurred. In that scenario, the node shares its data with the other nodes within its communication range so that they can check their security logs to trace the possible intruder. Let us now discuss the internal structure of the IDS agent. The conceptual model comprises four major functional modules, as in
1) Local data collection module: it is responsible for collecting real-time audit data coming from different sources.
2) Local detection engine: it examines and evaluates the data collected by the local data collection module and inspects it for any possible anomaly. The IDS should not rely on the misuse detection technique alone to find intrusions, because that technique is based on comparing the collected data with known attack patterns and is therefore not capable of detecting novel attacks. A successful IDS should rely on the statistical anomaly detection technique rather than on misuse detection.
3) Cooperative detection engine: this module is responsible for inter-node sharing of suspicious anomalies. If an ambiguous anomaly is found at any particular node, the cooperative detection engine initiates a cooperative intrusion detection process by advertising its state information to all nearby neighbors. As a result of this initiation, all the other nodes also check their current states and reach a consensus about the intrusion and its origin.
4) Intrusion response module: this module is responsible for launching a response against the possible intrusion. The response depends upon the nature and level of the intrusion found. Sometimes it simply reassigns the keys or rearranges the network nodes. Communication with compromised nodes can be blocked, or such nodes may even be removed from the network community.
As discussed in the previous section on the distributed and cooperative IDS, all the nodes participate equally in the process of cooperative intrusion detection, even though the participation of every node is not necessary. This may lead to a lot of power consumption in the network. As a result of such energy consumption, a node may behave as a selfish node to save its energy and refuse to participate in cooperative network operations. To solve this problem, Huang et al. presented the idea of a cluster-based intrusion detection system [
There are four states in the cluster formation protocol, i.e. initial, clique, done and lost. At first all the network nodes are in the initial state, which means they monitor their own behavior for intrusion detection locally. There is a prerequisite prior to the selection of the cluster head, namely the clique computation. A clique is defined as a group of nodes in which each pair has a direct link. After the clique computation, every member of a clique is aware of its clique fellows. Then a node with higher efficiency is selected as cluster head, at random. There are two further protocols that assist the cluster in performing validation and recovery tasks.
1) Cluster valid assertion protocol: a node periodically uses this protocol to maintain its link with the cluster head. If the link with the cluster head is broken, the node looks for another cluster head for link establishment. In case of failure it goes into the LOST state and generates a route recovery request. There should be a re-election timeout for the cluster head to ensure fairness in the cluster head selection mechanism. At the expiry of the timeout, all the nodes go from the DONE state back into the INITIAL state.
2) Cluster recovery protocol: this protocol is used when a cluster member loses its connection with the cluster head and goes into the LOST state. It helps the node in discovering a new cluster head. It is proven by Huang et al. [
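As an added example of the cluster formation and cluster valid assertion steps described above (this is illustration code written for this article, not the authors' or Huang et al.'s implementation), the following program computes the cliques of a constructed five-node topology, elects a head per clique and walks each node through INITIAL, CLIQUE and DONE, then re-runs the valid assertion after a link has dropped to show one node falling into LOST. The link table, the per-node "efficiency" score and the deterministic election rule (the most efficient clique member wins, where the paper picks among high scorers at random) are all assumptions.

```python
"""Cluster formation for a cluster-based IDS on a constructed topology.
Added example for this article, not the authors' or Huang et al.'s code;
the efficiency metric and the deterministic head election are assumptions."""
import itertools

INITIAL, CLIQUE, DONE, LOST = "INITIAL", "CLIQUE", "DONE", "LOST"

# Constructed symmetric link table (who can hear whom directly).
LINKS = {
    "a": {"b", "c"},
    "b": {"a", "c", "d"},
    "c": {"a", "b", "d"},
    "d": {"b", "c", "e"},
    "e": {"d"},
}
# Constructed "efficiency" score per node (assumed to stand for remaining
# battery and processing capacity; the paper picks among high scorers at random).
EFFICIENCY = {"a": 0.5, "b": 0.9, "c": 0.7, "d": 0.6, "e": 0.3}


def is_clique(nodes, links):
    """A clique: every pair of members has a direct link."""
    return all(v in links[u] for u, v in itertools.combinations(nodes, 2))


def maximal_cliques(links):
    """Bron-Kerbosch enumeration of maximal cliques (no pivoting; fine for the
    handful of nodes inside one radio neighbourhood)."""
    found = []

    def expand(r, p, x):
        if not p and not x:
            found.append(frozenset(r))
            return
        for v in list(p):
            expand(r | {v}, p & links[v], x & links[v])
            p = p - {v}
            x = x | {v}

    expand(set(), set(links), set())
    return found


def form_clusters(links, efficiency):
    """Run every node INITIAL -> CLIQUE -> DONE and return (state, head)."""
    state = {n: INITIAL for n in links}
    cliques_of = {n: [] for n in links}
    for q in maximal_cliques(links):
        for n in q:
            cliques_of[n].append(q)
            state[n] = CLIQUE          # the node now knows its clique fellows
    head = {}
    for n, cliques in cliques_of.items():
        # Assumed election rule: the most efficient member of each clique is
        # its head; a node in several cliques follows the best of those heads.
        candidates = {max(q, key=efficiency.get) for q in cliques}
        head[n] = max(candidates, key=efficiency.get)
        state[n] = DONE
    return state, head


def cluster_valid_assertion(node, head, links, state):
    """Periodic check: keep the link to the head, else adopt another reachable
    head, else fall into LOST (which triggers the recovery protocol)."""
    heads = set(head.values())
    if head[node] == node or head[node] in links[node]:
        return state[node], head[node]
    for neighbour in links[node]:
        if neighbour in heads:
            return DONE, neighbour
    return LOST, None


if __name__ == "__main__":
    state, head = form_clusters(LINKS, EFFICIENCY)
    print("cliques:", [sorted(q) for q in maximal_cliques(LINKS)])
    print("heads:", head)
    broken = {n: set(v) for n, v in LINKS.items()}
    broken["b"].discard("d")
    broken["d"].discard("b")
    for n in sorted(LINKS):
        print(n, cluster_valid_assertion(n, head, broken, state))
```

With link b-d gone, node d can no longer hear its head b and has no other head in range, so it is reported LOST and would issue the recovery request, while e still hears its head d and stays DONE; the re-election timeout that returns every node to INITIAL is left out because it is a timer, not logic.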
There is another idea of using mobile agents for intrusion detection systems. Due to their ability to move through a large network, each mobile agent is assigned a single particular task. Different mobile agents are distributed over a large network to distribute the intrusion detection task among all nodes. There are several advantages of mobile agents. Since each mobile agent is assigned a single task, the intrusion detection overhead is distributed over the whole network and a lot of energy is saved. The IDS also becomes fault tolerant: in case of the failure of any node, the mobile agent of another node handles the situation.
A multi-layered IDS may produce better results than a single-layered intrusion detection system, because different attackers use different network layers to attack. A multi-layered IDS is therefore the better approach, since on-the-spot detection and remedy is more effective than later diagnosis and therapy, but a multi-layered IDS has its own pros and cons. For example, it may produce more processing overhead on the nodes than a single-layered IDS. The idea of cross-layer analysis and intrusion detection was proposed by Parker and his colleagues [
Watchdog rating is a special technique to improve the performance of the network even in the presence of malicious nodes. Let us have a look at the working principle of the watchdog as it is explained in detail in [
Routing is the core of communication in MANETs, so routing protocols are a hot target for security attacks. In the sub-sections of Section 5.3 we discussed in detail the different security attacks against routing protocols. Now we discuss the proposed solutions to these attacks.
Wormhole attack is one of the major attacks against routing protocols [
1) Temporal leash: it restricts the upper bound on the lifetime of a packet. Every node calculates an expiry time “te” and pads it into its packets so that they cannot travel farther than a certain distance “L”. On arrival of a packet, each node evaluates the “te” contained in the packet, compares it with the current time and decides whether the RREQ was possibly tunneled through a malicious high-speed link. To implement temporal leashes, the TIK protocol is used. TIK stands for TESLA with Instant Key disclosure and is an extension of the TESLA protocol [
2) Geographical leash: it ensures that the receiver is within a certain distance range of the sender. Every node must be provided with its geographical position and the transmission time of the packets. This can be used along with signatures to catch attackers that appear to be residing at multiple locations.
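The two leashes are small enough to show end to end. The following added example (written for this article; it is not the authors' code nor an implementation of TIK or TESLA) computes the sender-side expiry te = ts + L/c minus the clock error for the temporal leash, and the receiver-side distance bound for the geographical leash, then runs both on two constructed packets: one from an honest neighbour 200 m away and one that was tunnelled and replayed 2 km from where it was sent. The radio range L, the clock synchronisation error, the maximum node speed and the position error are assumed values, and the position and timestamp fields are assumed to be authenticated (by the signatures the text mentions) rather than checked here.

```python
"""Temporal and geographical packet leashes on constructed packets.
Added example for this article, not the authors' or the TIK/TESLA code; the
radio range, clock error, speed bound and position error are assumptions."""
import math

C = 299_792_458.0   # propagation speed, m/s
RANGE_M = 250.0     # assumed maximum one-hop radio range L, metres
CLOCK_ERR_S = 1e-7  # assumed bound on clock synchronisation error (100 ns)
V_MAX = 20.0        # assumed maximum node speed, m/s (geographical leash)
POS_ERR_M = 5.0     # assumed bound on position error, metres


def temporal_leash_expiry(t_send, max_dist=RANGE_M):
    """Sender side: stamp te = ts + L/c - clock_error into the packet, so a
    packet that spent longer in flight than one radio hop is dead on arrival."""
    return t_send + max_dist / C - CLOCK_ERR_S


def temporal_leash_ok(te, t_recv):
    """Receiver side: accept only if the packet arrived before its expiry.
    Authenticity of te is what TIK/TESLA provides; it is assumed here."""
    return t_recv <= te


def geographical_leash_ok(p_send, t_send, p_recv, t_recv, radio_range=RANGE_M):
    """Receiver side: bound the sender-receiver distance from the (assumed
    authentic) position and timestamp in the packet, allowing for node
    movement and positioning error, and reject if it exceeds the range."""
    dx, dy = p_send[0] - p_recv[0], p_send[1] - p_recv[1]
    claimed = math.hypot(dx, dy)
    bound = claimed + 2 * V_MAX * (t_recv - t_send + CLOCK_ERR_S) + 2 * POS_ERR_M
    return bound <= radio_range


def leash_checks(scenario):
    """Run both leashes on a constructed scenario; returns (temporal_ok, geo_ok)."""
    te = temporal_leash_expiry(scenario["t_send"])
    return (temporal_leash_ok(te, scenario["t_recv"]),
            geographical_leash_ok(scenario["p_send"], scenario["t_send"],
                                  scenario["p_recv"], scenario["t_recv"]))


# Constructed scenarios: an honest neighbour 200 m away, and a packet that was
# tunnelled and replayed 2 km from where it was sent (times relative to ts).
HONEST = {"t_send": 0.0, "t_recv": 200.0 / C,
          "p_send": (0.0, 0.0), "p_recv": (200.0, 0.0)}
TUNNELLED = {"t_send": 0.0, "t_recv": 2000.0 / C,
             "p_send": (0.0, 0.0), "p_recv": (2000.0, 0.0)}

if __name__ == "__main__":
    print("honest neighbour:", leash_checks(HONEST))
    print("tunnelled packet:", leash_checks(TUNNELLED))
```

Note how tight the numbers are for the temporal leash: with a 250 m range the whole budget is about 830 ns, so the clock error must be well below that or every honest packet expires, which is why the text ties temporal leashes to a tightly synchronised key disclosure scheme such as TIK.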
Based upon geographical location, a similar solution was also proposed by D. Dhillon et al. [
A rushing attack is a kind of denial of service attack that acts against routing protocols. On-demand protocols are more susceptible to these attacks, where route discovery is subverted by exploiting duplicate route suppression during the route discovery process [
1) Secure neighbor detection: it allows neighbors to verify that they are within the maximum transmission range of each other. Now if a node “X” determines in advance that node “Y” is a neighbor (within the allowable communication range), it signs a route delegation message allowing “Y” to forward the request further. When “Y” in turn determines that “X” is within the allowable range, it accepts the delegation message of node “X”. In this way the genuine neighborhood of the nodes can be guaranteed.
2) Randomized selection of R_REQ: it ensures randomized selection of the R_REQ to be forwarded further, which replaces duplicate suppression in on-demand protocols. So the path with the lowest latency is more likely to be selected, but not guaranteed. The relationship between the different security mechanisms is elaborated in
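To make the second countermeasure concrete, here is an added example (illustration code for this article, not the authors' or any protocol's implementation) of one forwarding node receiving several copies of the same RREQ. Under duplicate suppression it always forwards the earliest copy, which is exactly the one a rusher delivers first; under randomized selection it collects the first n copies and forwards one at random, and when the result of secure neighbor detection is also applied, copies from unverified nodes never enter the pool at all. The arrival times, the node names, n and the trial count are constructed for the demonstration.

```python
"""Duplicate suppression versus randomized RREQ selection at one forwarding
node, plus filtering by secure neighbour detection. Added example for this
article, not the authors' code; arrival times and names are constructed."""
import random

# Constructed arrivals of copies of the same RREQ (same originator and
# request id) at node X, earliest first. The "rusher" copy arrives first
# because it skipped the per-hop processing delay honest nodes observe.
ARRIVALS = [
    {"from": "rusher", "t": 0.0010},
    {"from": "n2", "t": 0.0042},
    {"from": "n3", "t": 0.0051},
    {"from": "n4", "t": 0.0068},
]
# Constructed outcome of secure neighbour detection: neighbours that proved
# to X that they are within one radio hop (the rusher did not).
VERIFIED_NEIGHBOURS = {"n2", "n3", "n4"}


def duplicate_suppression(arrivals):
    """Plain on-demand behaviour: forward the first copy, drop the rest."""
    return min(arrivals, key=lambda c: c["t"])["from"]


def randomized_selection(arrivals, n, rng, verified=None):
    """Collect the first n copies (only from verified neighbours when the
    secure neighbour detection result is given) and forward one chosen
    uniformly at random, so the earliest copy has no guaranteed advantage."""
    pool = [c for c in sorted(arrivals, key=lambda c: c["t"])
            if verified is None or c["from"] in verified][:n]
    return rng.choice(pool)["from"] if pool else None


def attacker_success_rate(arrivals, n, trials=2000, seed=1, verified=None):
    """Fraction of route discoveries in which X forwards the rusher's copy."""
    rng = random.Random(seed)
    hits = sum(randomized_selection(arrivals, n, rng, verified) == "rusher"
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("duplicate suppression forwards:", duplicate_suppression(ARRIVALS))
    print("randomized, n=3:", attacker_success_rate(ARRIVALS, 3))
    print("randomized + verified neighbours:",
          attacker_success_rate(ARRIVALS, 3, verified=VERIFIED_NEIGHBOURS))
```

The success rate drops from 1 to roughly 1/n with randomization alone, which is the "more likely but not guaranteed" behaviour the text describes, and to 0 once the neighbor check removes the rusher from the candidate pool; the price is the extra buffering delay before the node forwards anything.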
Different efforts have been made to combat black hole attacks. Designing the security-aware ad hoc routing protocol SAR [
each trust level's packets are encrypted with a shared symmetric cryptographic key. Nodes with a different trust level remain unable to read the encrypted packets. Whenever a node receives a RREQ from a particular source, it verifies the trust level associated with it from the security metric information attached to the packet. If satisfied, the intermediate node forwards the packet; otherwise it drops it. Likewise, when the packets reach the destination, they are evaluated. If the destination is satisfied with the complete end-to-end path, it generates a RREP; otherwise the source is notified to adjust its security level to some other alternative route. Another approach to combat black hole attacks was introduced by S. Lee et al. [
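The trust-level forwarding rule is easy to trace on a small graph. The following added example (written for this article; it is not the SAR authors' code) floods a RREQ from S to T through a constructed six-node topology, letting only nodes that meet the level attached by the source forward it, and returns the route for the RREP or, when no path exists at that level, tells the source to lower its level. The trust values, the links and the step-down fallback policy are assumptions; the per-level symmetric keys that keep lower-level nodes from reading the packets are not modelled.

```python
"""Security-aware route discovery in the style of SAR on a constructed
topology. Added example for this article, not the SAR authors' code; the
trust levels, links and the "adjust" fallback policy are assumptions."""
from collections import deque

# Constructed trust levels (higher is more trusted) and symmetric links.
TRUST = {"S": 3, "A": 3, "B": 2, "C": 2, "D": 2, "T": 3}
LINKS = {
    "S": ["A", "B"], "A": ["S", "C"], "B": ["S", "D"],
    "C": ["A", "T"], "D": ["B", "T"], "T": ["C", "D"],
}


def forward_allowed(node, required, trust=TRUST):
    """An intermediate node may forward a RREQ only if it meets the level the
    source attached to the packet; otherwise it drops the request."""
    return trust.get(node, 0) >= required


def discover_route(src, dst, required, links=LINKS, trust=TRUST):
    """Flood the RREQ through nodes that satisfy the required level (BFS) and
    return the route carried back in the RREP, or None if the destination is
    not reachable through nodes at that level."""
    if not forward_allowed(src, required, trust):
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in links[u]:
            if v in prev or not forward_allowed(v, required, trust):
                continue
            prev[v] = u
            queue.append(v)
    if dst not in prev:
        return None
    route = []
    n = dst
    while n is not None:
        route.append(n)
        n = prev[n]
    return route[::-1]


def sar_request(src, dst, required, links=LINKS, trust=TRUST):
    """Source behaviour: an RREP means a route at the requested level exists;
    otherwise the source is told to adjust its level and (assumed policy)
    retries downwards until some route is found or none exists."""
    route = discover_route(src, dst, required, links, trust)
    if route:
        return ("RREP", required, route)
    for level in range(required - 1, 0, -1):
        route = discover_route(src, dst, level, links, trust)
        if route:
            return ("ADJUST", level, route)
    return ("FAIL", None, None)


if __name__ == "__main__":
    print("level 3:", sar_request("S", "T", 3))
    print("level 2:", sar_request("S", "T", 2))
```

At level 3 the only fully trusted path would need C or D, which are level 2, so the request dies at A and the source is told to step down; at level 2 the route S, A, C, T is returned. The security argument is that a black hole node that cannot present the required level never gets to forward the RREQ, so it cannot insert itself into the route, at the cost of sometimes finding no route at all.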
In [
In [
Similarly in [
B. Kannhavong et al. [
In order to protect MANETs against replay attacks, C. Adjih et al. [
Throughout the paper we have addressed every aspect of MANETs that is concerned with security in any way and to any extent. We started from scratch: we discussed the architecture of MANETs, their vulnerabilities, the different security threats and even the different types of security attacks. The unstable architecture of MANETs and the vulnerabilities of the wireless medium helped us to understand why MANETs are easy to attack. The layer-wise analysis of network attacks and their proposed solutions helped us understand the way of action and execution plan of different network attacks. From the whole picture one thing is crystal clear: MANETs will go on in the same fashion without any major change. Wireless is their natural ally as a communication medium; there is no substitute for or alternative to the wireless medium. These things will persist at least in the near future, unless a new technology emerges; even if some substitute is invented, it will take a long time to switch to it. At present we have to accept the MANET and wireless vulnerabilities as a necessary evil. We can make an effort to improve things by keeping these vulnerabilities in mind. If we think positively for a moment, from the research point of view we are in fact blessed with great room for work due to these vulnerabilities of MANETs and the wireless medium. A lot of research work has been done, but there is still a lot to do. Network security is a dynamic issue: new attacks keep getting introduced, so constant effort is required to make MANETs more and more secure. There is a lot of research scope in the field of secure routing. Intrusion detection and its healing is another research hot spot for network security researchers. Most intrusion detection systems and techniques look very beautiful and convincing on paper, but applied research work is still waiting for researchers in certain areas of network security. There is a need to implement, evaluate and improve these intrusion detection systems practically.
MANETs are the networks of the day, and wireless is their natural ally as a communication medium. We discussed the different vulnerabilities of the wireless medium in detail. If we think positively for a moment, from the research point of view we are in fact blessed with great opportunities due to these vulnerabilities of MANETs and the wireless medium. A lot of research work has been done, but there is still a lot to do; there is a lot of research scope in the field of MANET security. Routing is the core of communication in networks, therefore routing protocols are a high-value target for attackers. Most of the known routing attacks against MANETs take advantage of the different vulnerabilities of the routing protocols; therefore the development of new secure versions of the routing protocols is nowadays the most demanding area for researchers.
A lot of work has been done in finding and combating different attacks against routing protocols, but there is still wide research scope in the detection of newly born security attacks and their solutions. Up till now, most of the known attack detection techniques are attack-specific, and even their proposed solutions are specific either to a particular attack or to a particular protocol. Likewise, most of the proposed solutions are not efficient in the presence of multiple cooperating malicious nodes. From the research point of view it is an open issue to develop a generic attack detection and prevention mechanism to handle a variety of network attacks. System-based intrusion detection (IDS) is another attractive research hot spot in MANETs. Most intrusion detection techniques and combating systems are designed to handle security issues at a particular layer of the OSI model. There are great research opportunities to develop intrusion detection systems based upon cross-layer analysis of security attacks.
We have discussed in detail the different architectures of intrusion detection systems. Intrusion detection systems utilize different strategies to find possible intrusions. Development of a specification-based smart intrusion detection system is another demanding area for researchers, who may conduct research to find new constraints to improve the defined set of normal behaviors of the network. Known anomaly detection and healing techniques look very beautiful and convincing on paper, but applied research work is still waiting for researchers in certain areas of network security. A lot of work has been done in the field of intrusion detection systems, but the running cost of detection systems is still an open research issue. Researchers may conduct research to minimize the running cost of the intrusion detection system in the presence of battery-constrained nodes.
I personally feel extremely beholden to Prof(R) Ghulam Qasim Shah, who with self-abnegation graciously spared his time and reviewed this paper.
Asif Shabbir, Fayyaz Khalid, Syed Muqsit Shaheed, Jalil Abbas, M. Zia-Ul-Haq (2015) Security: A Core Issue in Mobile Ad hoc Networks. Journal of Computer and Communications, 03, 41-66. doi: 10.4236/jcc.2015.312005