A MOBILE AGENT BASED INTRUSION DETECTION SYSTEM ARCHITECTURE FOR MOBILE AD HOC NETWORKS

Applications of Mobile Ad Hoc Networks (MANETs) have become extensively popular over the years among researchers. However, the dynamic nature of MANETs imposes a set of challenges to their efficient implementation in practice. One such challenge is intrusion detection and prevention, which is intended to provide secure operation of ad hoc applications. In this study, we introduce a mobile agent based intrusion detection and prevention architecture for a clustered MANET. Here, a mobile agent resides in each cluster of the ad hoc network and each cluster runs a specific application at any point of time. This application-specific approach makes the network more robust to external intrusions directed at the nodes in an ad hoc network.


INTRODUCTION
Security issues impose various challenges to applications on a MANET, and the dynamic nature of a MANET makes them even more challenging. Intrusion detection and prevention, as one of the major security issues, has recently been a central topic of investigation among researchers. Several Intrusion Detection System (IDS) architectures have been proposed in the literature. In this study, we introduce an IDS architecture for clustered ad hoc networks. In this proposed architecture, each cluster in the network implements a Mobile Agent (MA) that provides all functionality, including intrusion detection and prevention measures, during the entire lifetime of the network. Unlike the other proposed IDS architectures, it assumes that all the activities in a cluster are controlled by a dedicated MA. In addition, each cluster runs a specific application at any point of time and can switch over to another application after the current one has completed. We expect that this architecture can be implemented in network simulators such as NS-2 or Qualnet in order to evaluate its intrusion detection and prevention performance in a clustered ad hoc network.
The rest of the study is organized as follows.

RELATED WORK
A huge spectrum of research works on IDS architectures is evident from the literature. Jacoby and Davis (2007) proposed a two-stage stand-alone IDS architecture, where malicious activities across an ad hoc network can be identified by continuously monitoring battery power consumption in the network. However, the authors do not consider packet-level intrusion in their proposed architecture, and it can detect only attacks related to power consumption, although the authors claim that 99% of intrusions can be successfully identified by it. The IDS architecture proposed by Nadkarni and Mishra (2004) relies on a compound detection policy for reducing false positives during anomaly detection, where thresholds are adjusted to determine malicious behavior. A stand-alone IDS architecture for resource-constrained MANETs was proposed by Lauf et al. (2010) that comprises two separate detection engines on every node: (i) Maxima Detection System (MDS), meant for rapid identification of potential threats and calibration of the second detection engine; (ii) Cross-Correlative Detection System (CCDS), used for identification of malicious behaviours. Wang et al. (2009) proposed a cooperative IDS architecture which includes a detection engine for anomaly detection that relies solely on social network analysis strategies. This approach imposes less computational overhead. Another cooperative IDS architecture devised by Bose et al. (2007) assumes deployment of three detection engines on every node: (i) MAC layer detection engine; (ii) routing layer detection engine; and (iii) application layer detection engine. Implementation of a multi-layer detection policy enhances detection accuracy, since attacks at upper layers lead to legitimate events at the lower layers and vice versa.
Effectiveness of this architecture was successfully established by the authors via extensive simulations using GloMoSim (Zeng et al., 1998). An IDS architecture with a two-tier detection policy (one for local detection and one for global detection), devised by Razak et al. (2008), implements two detection engines at the first tier. The first tier collects local audit data and verifies it using a signature-based method. If it fails in anomaly detection, then the second engine is calibrated. If both of these engines are unable to detect an anomaly, then the engine at the second tier is triggered, which collects audit data from its neighbours, called friends (trusted nodes), and performs anomaly detection in the same manner as the first tier using a signature-based policy. However, this architecture is identified to be more complex and incurs significant computational load. With the intention of reducing battery consumption along with anomaly detection, a cooperative IDS architecture was addressed by Ramachandran et al. (2008) using lightweight agents. A routing anomaly detection IDS architecture was suggested by Sun et al. (2003) that successfully identifies routing disruptions. It uses frequent updates in the routing tables and performs anomaly detection using two parameters: (i) Percentage of Changes in Routing entries (PCR) and (ii) Percentage of Changes in number of Hops (PCH). Here, the authors use a modified Markov Chain anomaly detection technique (Jha et al., 2001) to perform anomaly detection. However, this approach is incapable of determining all possible attacks, as it concentrates only on routing anomalies. Furthermore, an improved anomaly detection architecture was proposed by Sun et al. (2007), which implemented another detection engine in the previously discussed architecture; it relies on regulative thresholds, consequently addressing most of its drawbacks.
Kominos and Douligeris (2009) proposed a cooperative IDS architecture that incorporates a multi-layered detection strategy to detect malicious behaviours. In this architecture, three modules are deployed on every host: (i) collection module for collecting audit data; (ii) detection module for anomaly detection; and (iii) alert module for raising an alarm. A hierarchical IDS architecture, using a modular approach to design, was proposed by Chuan-Xiang and Ze-Ming (2009) that can be used for clustered ad hoc networks, where a node with maximum battery power can be elected as cluster head. Each node in this approach comprises four modules: (i) network detection module for network packet monitoring within a cluster; (ii) local detection module for generating an alert after identification of malicious activities; (iii) resource management module for continuously monitoring the battery power of the cluster head and notifying the monitoring state managing module in case it goes below a predefined threshold; and (iv) monitoring state managing module that monitors whether the network detection module is active. Otrok et al. (2008) devised another hierarchical IDS architecture aimed at balancing the resources, consumed by intrusion detection procedures, among the nodes of the network within a cluster. Two IDS architectures were proposed by Marchang and Datta (2008): (i) Algorithm for Detection in a Clique (ADCLI) and (ii) Algorithm for Detection in a Cluster (ADCLU). ADCLI is similar to ADCLU, with the only difference that within ADCLI each node has every other node in the clique as a neighbor. Here, intrusion detection in each cluster/clique is performed independently and the cluster/clique head, on identification of an intrusion, notifies other clusters/cliques to trigger the intrusion detection process. An optimal hierarchical IDS architecture was addressed by Manousakis et al. (2008) using a hierarchical tree-based structure that aggregates detection data upwards, i.e., from leaf nodes to the root node, during the intrusion detection procedure. This approach provides a more robust structure and an intrusion can be determined at each level of the tree. Intrusion detection is carried out only for attacks affecting the routing infrastructure in the clustered IDS architecture proposed by Deng et al. (2006). Mishra et al. (2009) used an application-specific approach to identification of malicious activities within an ad hoc network, where a node can be blocked from forwarding and sending packets if it violates the service agreement of the application running in it. We have incorporated the same approach in our proposed model. Pattanayak et al. (2009) proposed a distributed cluster scheme, where an ad hoc network can be split into grid clusters and a cluster head can be elected with respect to available battery power. In our approach, we too incorporate the grid clustering approach and a similar method for the cluster head election procedure. Farhan et al. (2008) propose a mobile agent based IDS architecture aimed at decreasing the number of false positives generated in a cooperative intrusion detection system. Sen (2010) proposes a distributed cluster based IDS architecture for addressing security vulnerabilities and detecting attacks. It uses a dynamic hierarchical approach, where the intrusion data collected by nodes are incrementally aggregated, analyzed and reduced in volume as they flow upwards to the cluster head, and the cluster heads communicate among themselves to perform cooperative intrusion detection. Nakeeran et al. (2010) have come up with an agent based anomaly IDS architecture that uses agents and data mining techniques for the prevention of intrusion.
We also investigated a set of intrusion detection algorithms devised by a variety of authors that can be helpful to implement/evaluate the intrusion detection process. Evaluation of IDS architectures can be achieved using the linear classifier, Gaussian mixture model and Support Vector Machine approaches, as suggested by Mitrokotsa et al. (2008). The Dynamic Source Routing (DSR) protocol was modified by Nuruzzaman et al. (2007) with the intention of enhancing security measures and accommodating intrusion detection in an ad hoc network. Bose et al. (2007) came up with a novel intrusion detection algorithm that takes into account intrusion detection at three layers: MAC layer, routing layer and application layer. A cross-layer intrusion detection algorithm is proposed by Shrestha et al. (2010) in order to enhance detection accuracy, where malicious nodes can be successfully discovered, different Denial Of Service (DOS) attacks can be identified, and information across different layers of the protocol stack can be explored. Rahuman and Athisha (2012)

OUR PROPOSED IDS ARCHITECTURE
Our proposed architecture is depicted in Fig. 1. The ad hoc network is split into grid clusters. The number of clusters in this architecture is assumed to be a power of two. Each cluster is assigned a cluster ID. One of the nodes is designated as Cluster Head (CH) and all other nodes as Cluster Members (CM). Election of a CH is carried out with respect to the available battery power in the node at the point of initiation of an application. Thus, the node with the maximum battery power available is elected as the CH.
We have taken the following assumptions in our proposed model:
• Each cluster runs a specific application at any point of time
• The CH does not change during the entire lifetime of the current application
• All communications among the nodes in a cluster are performed via the CH
• Once the application starts, no node can leave the cluster until the application terminates its job

The functioning of our model is detailed below. A dedicated Mobile Agent (MA) is incorporated in each cluster. The internal components of the MA are shown in Fig. 3. It includes source address, destination address, application ID, packet length, data field and CRC for error detection. A threshold for the packet length is predefined for each application. DM compares the source address, destination address, application ID and packet length. If a mismatch occurs in the source or destination address, which can be verified with RM, then the MA informs the CH to drop the packet and to block the respective node, after which the node is debarred from taking part in communication. If the application ID does not match or the packet length exceeds the threshold, the CH only drops the packet. In both of these cases, an intrusion is inferred and the intrusion Prevention Module (PM) is triggered to take the necessary actions.
In addition to the above, inter-cluster communications are permissible here. For example, a cluster running a multimedia application may require the service of a file sharing application running in another cluster. During such inter-cluster communications, the CHs exchange packets that are monitored by the respective MAs. A packet can be sent from a cluster to the desired cluster only if the MA of the sending cluster approves it, and is discarded otherwise. After receiving a packet from another cluster, if the destination address does not match the list of registered nodes in the receiving cluster, then the MA informs the CH to drop the packet and, at the same time, the receiving CH notifies the sending CH of this event. After the current application has completed, nodes of the cluster can move out to another cluster and new nodes from other clusters may join the cluster. Hence, the registration process is again facilitated by the MA for the desired new application and, accordingly, the new SA is incorporated. Subsequently, the new application ID must be added to the packets of the newly initiated traffic.
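The intra-cluster detection rules and the inter-cluster hand-off described above, as an added Python model that is not part of the paper and not the authors' code. It assumes, where the paper is silent, that RM holds the cluster's list of registered node addresses, that the CRC is CRC-32 over the header fields and payload, that an address mismatch blocks the sending node, that a corrupted packet is simply dropped, and that a node blocked during one application stays blocked when the next application starts; the class and function names (ClusterAgent, inspect, send_inter_cluster and so on) are the example's own.

```python
import zlib
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Verdict(Enum):
    ACCEPT = "accept"
    DROP = "drop"                      # packet discarded, sender keeps its registration
    DROP_AND_BLOCK = "drop_and_block"  # packet discarded and sender debarred (PM action)


@dataclass(frozen=True)
class Packet:
    """Fields the paper lists: source, destination, application ID, data and CRC.
    The packet length is derived from the data field here."""
    src: str
    dst: str
    app_id: int
    data: bytes
    crc: int

    @property
    def length(self) -> int:
        return len(self.data)


def packet_crc(src: str, dst: str, app_id: int, data: bytes) -> int:
    # Assumption: CRC-32 over the header fields plus the payload; the paper only
    # says that a CRC is carried for error detection.
    header = f"{src}|{dst}|{app_id}|".encode()
    return zlib.crc32(header + data) & 0xFFFFFFFF


def make_packet(src: str, dst: str, app_id: int, data: bytes) -> Packet:
    return Packet(src, dst, app_id, data, packet_crc(src, dst, app_id, data))


class ClusterAgent:
    """Per-cluster mobile agent: keeps the registered-node list (assumed to be what
    RM holds), the current application ID with its packet-length threshold, runs
    the DM checks and records the PM actions the CH is told to carry out."""

    def __init__(self, cluster_id: str, app_id: int, length_threshold: int,
                 members: Iterable[str]):
        self.cluster_id = cluster_id
        self.blocked: set = set()        # nodes debarred from further communication
        self.notifications: list = []    # CH-to-CH events (receiving CH -> sending CH)
        self.start_application(app_id, length_threshold, members)

    def start_application(self, app_id: int, length_threshold: int,
                          members: Iterable[str]) -> None:
        """Re-registration for a new application after the previous one finished;
        nodes may have joined or left the cluster in between."""
        self.app_id = app_id
        self.length_threshold = length_threshold
        # Assumption: a node blocked during an earlier application stays blocked.
        self.registered = set(members) - self.blocked

    def _checks(self, pkt: Packet, check_dst: bool) -> Verdict:
        """DM checks in the paper's order: addresses first (drop and block on
        mismatch), then application ID and length (drop only)."""
        if pkt.crc != packet_crc(pkt.src, pkt.dst, pkt.app_id, pkt.data):
            return Verdict.DROP          # assumption: a corrupted packet is simply dropped
        if pkt.src in self.blocked:
            return Verdict.DROP          # a debarred node gets nothing through
        if pkt.src not in self.registered or (check_dst and pkt.dst not in self.registered):
            self.blocked.add(pkt.src)    # address mismatch against RM: drop and block
            return Verdict.DROP_AND_BLOCK
        if pkt.app_id != self.app_id or pkt.length > self.length_threshold:
            return Verdict.DROP          # wrong application or oversized: drop only
        return Verdict.ACCEPT

    def inspect(self, pkt: Packet) -> Verdict:
        """Intra-cluster traffic: both addresses must be registered in this cluster."""
        return self._checks(pkt, check_dst=True)

    def send_inter_cluster(self, pkt: Packet, receiver: "ClusterAgent") -> Verdict:
        """The sending MA must approve the packet before it leaves; the destination
        is then verified by the receiving cluster's MA."""
        verdict = self._checks(pkt, check_dst=False)
        if verdict is not Verdict.ACCEPT:
            return verdict
        return receiver.receive_inter_cluster(pkt, sender=self)

    def receive_inter_cluster(self, pkt: Packet, sender: "ClusterAgent") -> Verdict:
        """Receiving side: an unregistered destination means the packet is dropped
        and the receiving CH notifies the sending CH."""
        if pkt.dst not in self.registered:
            event = (self.cluster_id, "unknown destination", pkt.src, pkt.dst)
            self.notifications.append(event)
            sender.notifications.append(event)
            return Verdict.DROP
        return Verdict.ACCEPT


if __name__ == "__main__":
    # Constructed sample: cluster C0 runs application 7 with a 64-byte threshold.
    ma = ClusterAgent("C0", app_id=7, length_threshold=64, members={"n1", "n2", "n3"})
    print(ma.inspect(make_packet("n1", "n2", 7, b"hello")))       # Verdict.ACCEPT
    print(ma.inspect(make_packet("n9", "n2", 7, b"hello")))       # Verdict.DROP_AND_BLOCK
    print(ma.inspect(make_packet("n1", "n2", 8, b"hello")))       # Verdict.DROP
```

The order of checks matters for the prevention action: an address mismatch is the only condition that debars a node, so it is evaluated before the application ID and length checks, otherwise a packet with a bad address and a bad application ID would be dropped without the node being blocked.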
The advantages of our model can be summarized as:
• The architecture is simple enough to implement
• A much higher rate of intrusion detection can be achieved, which is to be established in future through extensive simulations
• The model is applicable to a variety of applications
• Simplified communication, since no multi-hop communication is allowed
• The intrusion detection procedure is simple, as the DM monitors only the CH

The drawbacks may be summarized as:
• The MA may become overloaded with multiple functions, which may lead to errors
• It may not run real-time applications with strict time bounds optimally, as communication is time consuming because all packets are routed through the CH
• Deployment cost may be very high and may not conform to the needs of a customer

CONCLUSION
Intrusion detection in localized ad hoc networks often poses several challenges to secure communication. Simplified design and an optimal rate of detection are the key factors for deployments of such networks. In this study, we introduce a mobile agent based IDS architecture that can cater to these requirements. However, the effectiveness of this architecture needs to be tested through extensive simulations with a variety of applications, which is our anticipated future work in this context.