Title :
Infrastructures and algorithms for distributed anomaly-based intrusion detection in mobile ad-hoc networks
Author :
Cabrera, João B D ; Gutiérrez, Carlos ; Mehra, Raman K.
Author_Institution :
Sci. Syst. Co., Inc., Woburn, MA
Abstract :
This paper addresses one aspect of the problem of defending mobile ad-hoc networks (MANETs) against computer attacks, namely, the development of a distributed anomaly-based intrusion detection system. In a general sense, the proposed system is a co-located sensor network, in which the monitored variable is the health of the network being monitored. A three level hierarchical system for data collection, processing and transmission is described. Local IDSs (intrusion detection systems) are attached to each node of the MANET, collecting raw data of network operation, and computing a local anomaly index measuring the difference between the current node operation and a baseline of normal operation. Anomaly indexes from nodes belonging to a cluster are periodically transmitted to a cluster head, which fuses the node indexes producing a cluster-level anomaly index. Likewise, cluster heads periodically transmit these cluster-level anomaly indexes to a manager node, which fuses the cluster-level indexes into a network-level anomaly index. Due to network mobility, cluster membership and cluster heads are time varying. The paper describes: (1) clustering algorithms to update cluster centers; (2) machine learning algorithms for computing the local anomaly indexes; (3) a statistical scheme for fusing the anomaly indexes at the cluster heads and at the manager. The statistical scheme is formally shown to increase detection accuracy under idealized assumptions. These algorithms were implemented and tested under the following conditions. Routing schemes: AODV (ad-hoc on demand distance vector routing) and OLSR (optimized link state routing); mobility patterns: random walk mobility model and reference point group mobility at various speeds; types of attacks: traffic flooding denial-of-service and black hole. For performance evaluation we determined the ROC (receiver operating characteristics) for various operational conditions at the nodes, cluster heads and manager. The overall results confirm the effectiveness of the infrastructures and algorithms described in the paper, with detection accuracy generally improving as we move up in the hierarchy, i.e. detection accuracy at the cluster level is higher than at local level, while network-level detection outperforms cluster-level detection.
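The three-level index hierarchy described in the abstract (local index at each node, fused at the cluster head, fused again at the manager) can be checked numerically with a small simulation. The code below is an added illustration, not code from the paper, and it fills in details the abstract does not state: the local anomaly index is assumed to be a z-score of one per-window feature against a baseline learned from normal windows, the fusion rule at both upper levels is assumed to be the plain mean of the child indexes, the attack is assumed to shift the feature at every node by the same amount, and node noise is assumed to be independent Gaussian. The feature values are constructed, and the node/cluster counts and thresholds are arbitrary. Under those idealized assumptions the fused index keeps the mean shift but has smaller variance, so the ROC area rises at each level up, which is the ordering the paper reports.

```python
"""Toy node -> cluster head -> manager anomaly-index hierarchy (added example).

Assumptions not taken from the paper: z-score local index, mean fusion,
attack shifts every node's feature equally, independent Gaussian noise.
"""
import random
from statistics import mean, pstdev

NUM_CLUSTERS = 4
NODES_PER_CLUSTER = 5
BASELINE_WINDOWS = 200   # normal windows used to learn each node's baseline
TEST_WINDOWS = 1000      # evaluation windows per class (normal / attack)
ATTACK_SHIFT = 1.0       # mean shift under attack, in units of sigma (assumed)


def sample_feature(attack: bool) -> float:
    """Constructed per-window feature, e.g. control packets seen by a node.

    Normal operation ~ N(50, 5); the attack raises the mean by ATTACK_SHIFT sigma.
    """
    mu, sigma = 50.0, 5.0
    shift = ATTACK_SHIFT * sigma if attack else 0.0
    return random.gauss(mu + shift, sigma)


class LocalIDS:
    """Learns a per-node baseline (mu, sigma) and emits a local anomaly index."""

    def __init__(self, baseline):
        self.mu = mean(baseline)
        self.sigma = pstdev(baseline) or 1.0

    def anomaly_index(self, x: float) -> float:
        # Signed z-score against the learned baseline (assumed index definition).
        return (x - self.mu) / self.sigma


def fuse(indexes) -> float:
    """Assumed fusion rule at cluster head and manager: arithmetic mean."""
    return sum(indexes) / len(indexes)


def auc(pos, neg) -> float:
    """ROC area via the rank-sum (Mann-Whitney) statistic; ties get average rank."""
    scored = sorted([(s, 1) for s in pos] + [(s, 0) for s in neg])
    n = len(scored)
    rank_sum_pos = 0.0
    i = 0
    while i < n:
        j = i
        while j + 1 < n and scored[j + 1][0] == scored[i][0]:
            j += 1
        avg_rank = (i + j + 2) / 2.0        # 1-based average rank of the tie group
        rank_sum_pos += avg_rank * sum(lbl for _, lbl in scored[i:j + 1])
        i = j + 1
    n_pos, n_neg = len(pos), len(neg)
    return (rank_sum_pos - n_pos * (n_pos + 1) / 2.0) / (n_pos * n_neg)


def run_hierarchy(seed: int = 7) -> dict:
    """Simulate the three levels and return the ROC area measured at each."""
    random.seed(seed)
    # Each node learns its own baseline from normal windows.
    clusters = [
        [LocalIDS([sample_feature(False) for _ in range(BASELINE_WINDOWS)])
         for _ in range(NODES_PER_CLUSTER)]
        for _ in range(NUM_CLUSTERS)
    ]
    # index 0 = normal windows, index 1 = attack windows
    levels = {"node": ([], []), "cluster": ([], []), "network": ([], [])}
    for attack in (False, True):
        for _ in range(TEST_WINDOWS):
            cluster_indexes = []
            for members in clusters:
                node_indexes = [ids.anomaly_index(sample_feature(attack)) for ids in members]
                levels["node"][attack].extend(node_indexes)     # every node reading is a sample
                cluster_indexes.append(fuse(node_indexes))       # cluster head fuses its nodes
            levels["cluster"][attack].extend(cluster_indexes)
            levels["network"][attack].append(fuse(cluster_indexes))  # manager fuses cluster heads
    return {lvl: auc(pos, neg) for lvl, (neg, pos) in levels.items()}


if __name__ == "__main__":
    for level, area in run_hierarchy().items():
        print(f"{level:8s} AUC = {area:.3f}")
```

With a one-sigma shift and independent noise, the expected ROC areas are roughly 0.76 at the node level, 0.94 at the cluster level and above 0.99 at the manager, since averaging k independent indexes divides the noise variance by k. The caveat a practitioner should keep in mind is the assumption that every node in the cluster sees the attack: a black hole only perturbs the nodes whose routes pass through it, and then mean fusion dilutes the signal of the few affected nodes, which is one reason the abstract says accuracy "generally" rather than always improves up the hierarchy.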
Keywords :
ad hoc networks; learning (artificial intelligence); mobile radio; pattern clustering; security of data; statistical analysis; telecommunication network routing; telecommunication security; telecommunication services; wireless sensor networks; optimized link state routing; MANET; ad-hoc on demand distance vector routing; black hole; cluster head; cluster membership; cluster-level anomaly index; colocated sensor network; computer attacks; data collection; data processing; data transmission; distributed anomaly; intrusion detection; local anomaly indexes; machine learning algorithms; mobile ad-hoc networks; mobility patterns; network mobility; random walk mobility model; receiver operating characteristics; reference point group mobility; statistical scheme; three level hierarchical system; traffic flooding denial-of-service; Ad hoc networks; Clustering algorithms; Computer networks; Computerized monitoring; Fuses; Intrusion detection; Machine learning algorithms; Magnetic heads; Mobile computing; Routing;
Conference_Titel :
Military Communications Conference, 2005. MILCOM 2005. IEEE
Conference_Location :
Atlantic City, NJ
Print_ISBN :
0-7803-9393-7
DOI :
10.1109/MILCOM.2005.1605939