WIRELESS MESH NETWORK CROSS-LAYER INTRUSION DETECTION

Intrusion is any unsolicited activity that may be used to interrupt the functions of a wireless network. In a network with a centralized monitoring policy it is comparatively easy to detect and eliminate intrusions efficiently. In the wireless scenario, however, and especially in multi-hop wireless networks, intrusion activities are more frequent because of the lack of a centralized monitoring policy. Wireless networks are highly vulnerable to different kinds of attacks and intrusions at different OSI layers, mainly because of the co-operation required among their nodes. Intrusion detection is the most fundamental component of a defense-in-depth strategy: it identifies security attacks and raises an alarm to inform the authorities. An intrusion detection system is a passive defense strategy that informs the network administrator about attacks, since attacks come easily to wireless networks; it is a second line of defense. Many IDSs proposed in the literature are capable of detecting attacks in one particular layer of the OSI model only. Here we propose a cross-layer IDS which is capable of detecting possible attacks at multiple layers.


INTRODUCTION
A Wireless Mesh Network (WMN) has primarily two types of architecture, infrastructure-based and infrastructure-less WMN (Khan et al., 2008a). An infrastructure-based network has mesh clients, mesh routers and fixed, wired mesh gateways. The "base station" is known as the bridge of the network. An infrastructure-based network is without doubt very desirable for providing ubiquitous broadband service over a wide geographical area. Mesh routers form the infrastructure for clients in a multi-hop fashion and are very easy to implement and extend. Mesh routers can be connected to the Internet through gateways and form a mesh of self-healing links among themselves. Infrastructure-based WMNs support both static and mobile nodes.
An infrastructure-less WMN is a kind of peer-to-peer or ad hoc network among client devices without the support of mesh routers or gateways. In an infrastructure-less network a router is not necessary because the nodes themselves have routing capability between source and destination. In this case the highest level of communication occurs. It is extremely necessary to design mechanisms for WMNs that use fewer resources and are lightweight, because infrastructure-less WMNs have many design constraints such as low energy, low bandwidth, limited processing and memory constraints, and are highly vulnerable to many security attacks such as passive, active and Denial of Service (DoS) attacks (Khan et al., 2008b). There are many security issues present in a multi-hop decentralized network such as a WMN. A network is said to be secure if it ensures availability at all times, data integrity, and privacy for both users and data in transit (Djenouri et al., 2005). Many solutions for WMN security have been proposed; however, those solutions cover only a few security attacks (Khalid and Mahboob; Meghanathan, 2013). Similarly, the majority of the solutions proposed so far secure the network layer of the WMN (Khan et al., 2010a; Shah et al., 2013). Security mechanisms of the network layer only tackle a few attacks; they are not able to take care of physical layer and MAC layer attacks. Lightweight intrusion detection systems for WMNs are powerful, small and flexible enough to be used as permanent elements of network security. A lightweight IDS can be easily configured and deployed in any node of the network. The nature of an IDS is passive; it does not provide the primary defense against security attacks.
Many classes of IDS have been designed. Rule-based IDSs use attack signatures stored in a database to detect intrusions, while anomaly-based IDSs learn network patterns and consider any deviation from the pattern as an attack (Northcutt and Novak, 2002; Khan et al., 2010b). A conventional IDS detects intrusions and attacks at one particular layer but cannot detect those at other layers, so we use a cross-layer methodology that is capable of identifying attacks and intrusions at different layers and raising an alarm. The cross-layer concept says that different parameters of different layers should be considered when making a decision. We analyze different cross-layer IDSs designed for WMNs. In this paper we propose a cross-layer based framework of IDS for WMNs. The proposed IDS is tested in different scenarios. Regardless of its limitations, the proposed mechanism can be highly efficient in detecting various security attacks.
The paper is organized as follows. Section 2 analyzes different IDSs. Section 3 presents the proposed IDS. Results are described in Section 4. Section 5 consists of the conclusion.

RELATED WORK
Network security is a prominent requirement of multi-hop wireless networks, and IDS is the more classical approach to network security. An intrusion detection system is a passive defense that tries to differentiate abnormal activities from normal ones. An IDS monitors events occurring in the network and raises an alarm depending on how it evaluates the network traffic. Different types of IDS are available in the literature, such as anomaly-based IDS, network- or host-based IDS and passive IDS. Most IDSs are designed to operate at the network layer and detect only network layer anomalies. Since a multi-hop wireless network is vulnerable to security attacks at various layers, i.e., the physical, data link, network, transport and application layers, cross-layer IDSs have the unique feature of monitoring attacks across these layers. Many IDSs have been proposed in the literature (Chen et al., 2007). Some security mechanisms are protocol based, such as Watchdog and Pathrater (Rafsanjani et al., 2008; Caballero, 2006). The Watchdog method (Rafsanjani et al., 2008) detects misbehaving nodes. These mechanisms are used to select a secure path and are capable of detecting network layer attacks by listening to all nodes in promiscuous mode. On a secure path every node should forward the traffic; if a node does not, it is tagged as misbehaving. CONFIDANT (Rocke and Demara, 2006) is another secure mechanism used to observe neighbor activity and detect misbehavior. CONFIDANT is an improved version that solves the problems of Watchdog and Pathrater: a misbehaving node cannot be used in routing and cannot send packets. TARA (Shrobe et al., 2007) is a path-secure architecture which encrypts the packets and also reports broken paths. A cross-layer design consists of a feedback system and provides information across layer boundaries. Unlike the OSI model, a cross-layer design removes the strict boundaries between layers and allows communication between them.
Cross-layer design is a relatively new security technique which provides a common platform for different layers to exchange parameters in order to detect multi-layer security attacks. The IDSs proposed by Da Silva et al. (2005) and Onat and Miri (2005) consist of nodes in "monitor mode" which are responsible for monitoring their neighbors, looking for intruders. Wang et al. (2009) describe cross-layer based anomaly detection in WMNs and develop a prototype using the concept of cross-layer information exchange between the data link layer and the network layer. Boubiche and Bilami (2012) proposed a cross-layer intrusion detection agent for distributed networks; in this scheme parameters are collected from different layers by a data module. Khan et al. (2010b) proposed a real-time cross-layer detection mechanism for WMNs in which network layer and MAC layer parameters are exchanged to detect different kinds of attack. This method expresses the severity of an attack by maintaining three different profiles. The detection rate of this scheme is high, but it can only detect flooding attacks. Thamilarasu et al. (2005) proposed a cross-layer IDS for distributed ad hoc networks. The proposed scheme has two levels of intrusion detection, level 1 and level 2; information from the data link layer is exchanged with the network layer to detect malicious activity. This scheme is good for packet misdirection and packet drop attacks. Liu et al. (2006) proposed a cross-layer based IDS combined with data mining techniques, in which specific feature sets are defined to locate attacks within one-hop range. Here we propose a novel cross-layer intrusion detection system where MAC layer and network layer parameters are exchanged to provide a wide range of protection against many security attacks.


PROPOSED CROSS LAYER IDS
The proposed IDS is capable of detecting attacks at multiple layers by using the cross-layer methodology, in which parameters are exchanged between different layers.

Assumptions
Here we take an infrastructure-less network and assume the WMN consists of both static and mobile nodes. This infrastructure-less network has no support of routers and gateways. All nodes in the network have routing capability to communicate with their neighbors and form a multi-hop communication model.

Design Considerations
Infrastructure-less WMNs have many limitations in terms of energy, data rate, memory, processing and mobility. An ideal IDS for WMNs should therefore be:
• Lightweight in nature, to preserve the limited resources
• Capable of detecting multi-layer security attacks

Framework
Our proposed IDS works at each node; as soon as an attack is detected, information about the malicious activity is passed to the neighbor nodes in communication range. The proposed IDS consists of five modules: data collection module, analysis module, detection module, classification module and alarm module. The framework is presented in Fig. 1.

Interaction Interface
The interface is the contact point between layers and applications. The main objective of the interface is to manage all sub-interfaces and provide access to the layers.

Cross Layer Data Module
The cross-layer data module houses data in a unique way so that every layer protocol can access it efficiently. It also maintains up-to-date data for the cross-layer interface. The cross-layer data collection module collects:
• Signal strength and battery power from the physical layer
• Mobility, data rate, link parameters and throughput information from the MAC layer
• Packets sent, packets received, TTL and frequency of route failure information from the network layer
• Congestion and transmission control information from the transport layer
All collected parameters are forwarded to the analysis module to analyze any anomaly; the IDS maintains the normal behavior of each and every parameter. Any deviation from the normal behavior is noted and the information is fed to the detection and classification module. The most important part of our framework is the attack module, which determines the type of attack from the signatures of various attacks. When an attack is detected, another module raises an alarm (Table 1).

Proposed Algorithm
The proposed IDS houses some new features while keeping a traditional layer architecture. The basic idea of the IDS is to detect multi-layer intrusions and attacks. At the physical layer every node knows the signal strength sent by its neighbor nodes, so an anomaly at the physical layer is detected by comparing the difference in signal strength. Our proposed IDS takes different parameters from different layers, detects any undesirable behavior of a node and raises an alarm.

Method of Information Exchange
All layers work independently in the traditional protocol stack, but in the cross-layer methodology information is exchanged for optimization. Our proposed IDS is capable of detecting several attacks by exchanging physical layer parameters with the application layer, which then communicates with the network layer. The data link layer and transport layer provide information to the network layer. All parameters are calculated at the network layer (Fig. 2).

EXPERIMENT
In a wireless mesh network, an attack on one layer may affect the performance of other layers. For example, in a flooding attack a malicious node continuously sends synchronization (SYN) packets to every node in the network using fake IP addresses to bring the network and its services down. Flooding is a denial of service attack that not only creates network congestion but also acts as a battery exhaustion attack, which is a physical layer attack. Similarly, a packet drop/black hole attack occurs when a router becomes compromised and discards packets instead of relaying them. The result of a packet drop attack is end-to-end delay at the data link layer. So what we are saying here is that an attack in one layer affects the working of another layer.
Here we generate a few results in Network Simulator 2 (NS2) to validate a flooding attack and to see its effect on other layers, such as congestion control in the transport layer, end-to-end delay in the data link layer and battery power in the physical layer. We measure two metrics in our experiment:
• Detection rate (true positive rate): the proportion of attacks correctly detected
• False rate (false positive rate): normal behavior wrongly reported as an intrusion
To measure the performance of the IDS we implement two attacks, i.e., flooding and black hole.
Our results consist of attack detection and profile training (normal network activity). Simulation parameters are given in Table 2.
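As an added illustration of the framework's profile training, anomaly analysis and signature-based classification (the Cross Layer Data Module and Proposed Algorithm above) together with the detection rate and false positive rate metrics just defined, here is a small Python model; it is not the paper's NS2 code. The parameter names, the 3-sigma threshold, the two attack signatures and all sample values are constructed assumptions.

```python
import statistics

# Parameters named after the paper's cross-layer data-collection module.
FEATURES = ("signal_strength", "battery", "throughput", "pkts_sent",
            "pkts_received", "syn_rate", "congestion")
# Assumed signatures: flooding deviates in several layers at once, a black hole
# forwards far fewer packets than it receives.
SIGNATURES = {"flooding": {"syn_rate": "high", "congestion": "high", "battery": "low"},
              "black_hole": {"pkts_sent": "low"}}

def train_profile(normal):
    """Profile training: mean and std-dev of each parameter in normal traffic."""
    return {f: (statistics.mean(s[f] for s in normal),
                statistics.pstdev(s[f] for s in normal)) for f in FEATURES}

def detect(profile, sample, k=3.0):
    """Analysis module: flag parameters more than k sigma away from the profile."""
    deviations = {}
    for f, (mu, sigma) in profile.items():
        z = (sample[f] - mu) / (sigma or 1.0)  # sigma is 0 for constant parameters
        if abs(z) > k:
            deviations[f] = "high" if z > 0 else "low"
    return deviations

def classify(deviations):
    """Classification module: match deviations against signatures; alarm on any."""
    for attack, sig in SIGNATURES.items():
        if all(deviations.get(f) == d for f, d in sig.items()):
            return attack
    return "anomaly" if deviations else None

def evaluate(profile, labelled):
    """Detection rate = attacks classified correctly; false positive rate = normals alarmed."""
    tp = fp = attacks = normals = 0
    for sample, label in labelled:
        alarm = classify(detect(profile, sample))
        if label == "normal":
            normals, fp = normals + 1, fp + (alarm is not None)
        else:
            attacks, tp = attacks + 1, tp + (alarm == label)
    return tp / attacks, fp / normals

def make_sample(**overrides):  # constructed values, not simulator output
    base = dict(signal_strength=-60, battery=90, throughput=500, pkts_sent=100,
                pkts_received=100, syn_rate=5, congestion=0.1)
    return {**base, **overrides}
NORMAL = [make_sample(battery=90 + i % 3, pkts_sent=98 + i % 5, syn_rate=4 + i % 3,
                      congestion=0.1 + 0.01 * (i % 4)) for i in range(20)]
LABELLED = [(s, "normal") for s in NORMAL] + [
    (make_sample(syn_rate=200, congestion=0.9, battery=60), "flooding"),
    (make_sample(pkts_sent=10), "black_hole"),
    (make_sample(syn_rate=150, congestion=0.8), "flooding")]  # battery not yet drained
PROFILE = train_profile(NORMAL)
```

The third attack sample deviates at the transport and network layers only, so it raises a generic anomaly alarm but is not classified as flooding; this is why the detection rate depends on how complete the cross-layer signature is.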

RESULTS
Here we use the NS2 simulator to implement and launch a flooding attack (Table 3), in which thousands of packets are sent to the destination to cause congestion or service interruption (Fig. 3).
We launched three network layer attacks, namely black hole, gray hole and routing loop attacks. Figure 4 shows the detection rate of the proposed IDS for these three network layer attacks.
We also compared the proposed cross-layer IDS with a single-layer IDS in the presence of different attacks (Table 4). The single-layer IDS operates at the network layer only and is not capable of interacting with other layers (Fig. 5).

CONCLUSION
In this study we present a cross-layer based intrusion detection system which works on a normal profile built from the physical layer, data link layer, transport layer and application layer. Experiments show that the cross-layer intrusion detection system is more powerful than a single-layer intrusion detection system, because a single-layer intrusion detection system can detect only network layer attacks. Regardless of its limitations, our proposed cross-layer intrusion detection system detects attacks at multiple layers. Our future work will focus on jamming attacks at the physical layer, and we will implement schemes which can detect unknown attacks.