An Analysis of Monitoring Based Intrusion Detection for Ad Hoc Networks

Several intrusion detection techniques proposed for mobile ad hoc networks rely on each node passively monitoring the data forwarding by its next hop. This paper presents quantitative evaluations of false positives and their impact on monitoring based intrusion detection for ad hoc networks. Experimental results show that even for a simple 3-node configuration, an actual ad hoc network suffers from high false positives; these results are validated by a Markov model. However, this false positive problem cannot be observed by simulating the same network using popular ad hoc network simulators such as ns- 2, OPNET or Glomosim with default noise models. To remedy this, a probabilistic noise generator model is incorporated in the Glomosim simulator. With this revised noise model, the simulated network exhibits the aggregate false positive behavior similar to that of the experimental testbed. Simulations of larger (50- node) ad hoc networks indicate that a monitoring based intrusion detection has very high false positives which impact its ability to mitigate the attacks.