Science and Technology Journal, Vol. 6, Issue II, ISSN: 2321–3388
DOI: 10.22232/stj.2018.06.02.02

Enhanced Cooperative Tamper Evident Agent Based Anomaly Intrusion Detection in Ad Hoc Networks

P. Sreenivsulu1 and Dr. K. Ramesh Reddy2
1 Research Scholar, Department of Computer Science, Vikramasimhapuri University, Nellore
2 Assistant Professor, Department of Computer Science, Vikramasimhapuri University, Nellore

Abstract—In recent years, with the increasing number of wireless devices, Ad Hoc Networks have become a vital technology. But these networks are highly vulnerable to attacks due to several reasons such as changing topology, open medium and lack of centralized monitoring. Current intrusion detection systems are based on either a rule based or a behavior model. In a clustering approach a cluster head is selected which acts as a coordinator for performing transmissions in both inter and intra cluster environments. There are many models for choosing a cluster head in an Ad Hoc environment. However, if the cluster head itself is a compromised node, then the cluster head can launch attacks without being detected, since its IDS has already malfunctioned. In this paper we propose an “Enhanced Cooperative Tamper Evident Agent Based Anomaly Intrusion Detection System”, which helps in identifying the attacks more accurately even if the cluster head is compromised.

Keywords: IDS, Clustering, Cluster Head, Agent, Election

INTRODUCTION

With the technological growth in wireless networks and wireless devices such as PDAs, laptops and other digital devices, the importance of Mobile Ad Hoc Networking has become apparent. A mobile ad hoc network (MANET) is a collection of mobile devices that cooperatively communicate with one another without any pre-established infrastructure such as a centralized access point. Multi-hop routing is used whenever the nodes are not in each other’s signal range. To perform the multi-hop routing, the nodes in the ad hoc network act as routers and pass the messages to those nodes that are not in the signal range. The ad hoc network is useful in situations where topological or terrestrial conditions demand a completely distributed network system without any fixed infrastructure. Characteristics of MANETs such as limited battery power, mobility and an unreliable transmission medium make them extremely susceptible to a variety of attacks (Deng et al., 2002). Hence there is a need for more security in MANETs. MANETs are much more vulnerable to attacks than wired (traditional) networks due to the open medium, dynamically changing network topology, cooperative algorithms, and the lack of a centralized monitoring and management point. It is difficult to distinguish between intrusions and legitimate operations or conditions in a MANET because of the dynamically changing nature and volatile physical environment. Intrusion detection thus requires huge amounts of evidence gathering and sound analysis. Building effective ID models requires a systematic approach. Some models are developed for automatically computing anomaly detection based on the correlations among a large set of features. The Intrusion Detection System (IDS) plays a vital role in providing security for ad hoc networks. IDS can be categorized into the following groups.
SIGNATURE BASED

In signature based IDS, the IDS monitors the network and compares actual behavior with known suspicious patterns that are maintained in a database of attack signatures. If there is a match then an alert is generated. Most of the intrusion detection systems of this type are based on such signature matching. Such systems cannot detect new attacks. The reason is that the database does not contain the signature of new attacks; it only holds signatures of known types of attacks.

ANOMALY BASED

In anomaly based IDS, the system behavior is compared against a base line of normal behavior defined over traffic features such as … size. Deviation from the base line indicates that there is an abnormal activity and raises an alert. Sometimes normal activity is classified as abnormal, which results in a false alarm.

HYBRID

Hybrid IDS makes use of both signature based and anomaly based detection to gain the advantages of both methods. This method tries to increase the detection rate of known attacks and decrease the false positive rate for new attacks (Buczak and Guven 2016).

INTRUSION DETECTION IN MANET

Intrusion detection in a MANET involves comprehensive analysis of the data available at each MANET node. Intrusion detection must be carried out in a distributed fashion. Some schemes are based on other techniques and some are based on clustering (Al-Jarrah et al., 2016).

In this paper we describe our cluster based intrusion detection scheme with a mobile agent. The rest of the paper is organized as follows. Section 2 presents a review of related work. Section 3 describes clustering and mobile agents. Section 4 presents our proposed work.

RELATED WORK

Barbara, Couto, Jajodia, and Wu proposed Audit Data Analysis and Mining (ADAM) (Khor et al., 2012). ADAM proposes applying data mining techniques to discover abnormal patterns in large amounts of data (i.e., network traffic captured with tcpdump, which is a program used to sniff and store packets). It applies methods of data mining for intrusion detection. The architecture of ADAM is shown in Fig. 1.

Fig. 1: Architecture of ADAM

The limitation of ADAM is that it cannot detect stealthy attacks. In other words, it can detect an attack only when it involves a relatively large number of events during a short period of time. This limitation occurs because ADAM raises an alarm only when the support of an unexpected rule (i.e., an association of event attributes) exceeds a threshold. Indeed, this limitation is not unique to ADAM; most IDSs suffer from the same problem.

K.-C. Khor, C.-Y. Ting, and S. Phon-Amnuaisuk proposed “A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection” (Khor et al., 2012). The cascade improves the detection rates of the attacks which belong to the rare category. It first separates rare intrusions from the non rare intrusion category so that each expert can focus on fewer categories.

Yi-an Huang and Wenke Lee worked on cluster based intrusion detection. They extended their previous work on cross-feature analysis. Our proposed work is based on their model “cooperative intrusion detection for ad hoc networks” (Huang et al.). The authors also described detection schemes such as the Local Feature Set Scheme (LFS) and the Clusterhead-Assisted Local Feature Set Scheme (CLFSS). Their method involves election of a cluster head based on cluster formation protocols. However, if the node being elected happens to be a compromised node, it can launch attacks without being detected, since it is the only node that should run the IDS, which is already disabled.
Krugel et al. (2002) proposed SPARTA, which builds an IDS on mobile agents. It uses an event definition language (EDL), which describes multiple-step correlated events. Such patterns are generated and used for well known routing attacks.

Uma R. Salunkhe and Suresh N. Mali aimed to enhance the detection rate of an intrusion detection system by proposing “Security Enrichment in Intrusion Detection System Using Classifier Ensemble” (Salunkhe and Mali 2017). The classifier ensemble combines the opinions of different experts and improves the intrusion detection rate.

L. Buttyan and J.L. Boudec (2002) suggest the use of tamper-resistant hardware on each node to encourage cooperation. In their work, nodes are assumed to be unwilling to forward packets unless stimulated. In this approach, a secured credit counter runs on the tamper-resistant device. It increases by one when a packet is forwarded. A node refuses to send its own packets if the counter is smaller than a threshold n. Public key technology is used to exchange credit counter information among neighbors and to verify whether forwarding is really successful. The proposed scheme has some strong assumptions, including tamper-resistant hardware and public key technology, which may not be widely available in a MANET.

CLUSTERING

The proposed work is based on clustering the nodes in the MANET and selecting a cluster head. In order to avoid the selected cluster head being compromised, mobile agents are used. Most IDS for a MANET assume that each node is a monitoring node executing some IDS model. It is not efficient that each MANET node should act as a monitoring node. Instead, a cluster of neighboring MANET nodes can randomly and fairly elect a monitoring node, known as the cluster head (Huang et al.), for the entire neighborhood. The nodes within the cluster cooperate with each other in anomaly detection.

A cluster is defined as a group of nodes that are close to each other. The condition for closeness is that, for a node in the cluster, the cluster head should be able to access all other members in the cluster. The cluster size is defined as the number of nodes within the cluster and is denoted as Sc. The selection of the cluster head should be fair and secure. Every node should have a chance to serve as cluster head (fairness). A fair election implies randomness in the election decision. Every node should have equal service time. There are several techniques to guarantee fairness and security. The election function is designed in such a way that the output must have a uniform distribution within the cluster, ranging from 0 to Sc-1 (total number of nodes in the cluster). Each node i generates a random number Zi as its input. Then a common election function is invoked by all nodes to compute an integer from 0 to Sc-1 from a total of Sc inputs. The selection function is an XOR operation. One property of the XOR operation is that as long as one input is random the output is also random. The following assumptions are made in the MANET environment.

• In a cluster each node is assigned a unique ID.
• All links are bidirectional.
• Neighbors’ information is always available.
• Peer to peer connectivity.
• Fixed transmission range.

At the beginning stage all the nodes are treated as single node clusters. At this stage there is no cluster head. Each node can do intrusion detection itself by running the IDS in it. Later a cluster is formed based on proximity and the number of nodes within the cluster. A cluster head is selected within the cluster. Fig. 2 shows clustering.

Fig. 2: Cluster Formation with Cluster Head
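The election function described above, together with the commit-and-reveal steps it implies in the procedure of the proposed work (each node broadcasts HASH(IDi, Zi) before revealing Zi, then every node computes SEL over the revealed values), carried through as an added worked example. This is illustration code written for this page, not the authors' implementation; the node IDs, the 128-bit size of Zi, SHA-256 as HASH, the seeded generator and the helper names are assumptions. It also makes explicit why the commitment matters: the XOR property only guarantees a uniform result when the random input is independent of the others, so a node must not be able to choose its Zi after seeing everyone else's.

```python
import hashlib
import random
from typing import Dict, List, Optional

# Constructed example. Node IDs, the 128-bit size of Zi, SHA-256 as HASH and the
# helper names are assumptions for this illustration; the paper itself names only
# HASH, SEL, Zi, Sc and the START_ELECTION / ELECTION_COMP messages.

Z_BITS = 128


def hash_commit(node_id: int, z: int) -> str:
    """HASH(IDi, Zi): the commitment a node broadcasts in START_ELECTION.

    Committing to Zi before anyone reveals theirs is what makes the XOR property
    hold: a node that waits to see the other values cannot then pick a Zi that
    steers the result, because the value it reveals must match this hash."""
    data = node_id.to_bytes(4, "big") + z.to_bytes(Z_BITS // 8, "big")
    return hashlib.sha256(data).hexdigest()


def sel(zs: List[int], sc: int) -> int:
    """SEL(Z0, ..., Zsc-1): XOR of all revealed values, reduced to an index 0..Sc-1.

    With 128-bit inputs the bias from the modular reduction is below sc / 2**128,
    so the index is uniform for practical purposes."""
    if sc <= 0:
        raise ValueError("cluster has no members")
    acc = 0
    for z in zs:
        acc ^= z
    return acc % sc


def run_election(node_ids: List[int], seed: int = 0,
                 late_change: Optional[Dict[int, int]] = None) -> dict:
    """Simulate steps 2 to 8 of the election for one cluster (every node's view).

    late_change maps a node ID to the Zj it reveals instead of the value it
    committed to; such a node fails the hash verification of step 7 and is
    excluded here (the paper leaves the consequence of a failed check implicit).
    A deployed node would draw Zi from a CSPRNG; the seeded generator is only for
    reproducible runs."""
    rng = random.Random(seed)
    late_change = late_change or {}
    ordered = sorted(node_ids)                                   # IDs are ordered
    secret_z = {i: rng.getrandbits(Z_BITS) for i in ordered}    # step 2
    commits = {i: hash_commit(i, secret_z[i]) for i in ordered}  # step 4

    accepted: Dict[int, int] = {}
    excluded: List[int] = []
    for j in ordered:                                            # step 7: reveal, verify
        revealed = late_change.get(j, secret_z[j])
        if hash_commit(j, revealed) == commits[j]:
            accepted[j] = revealed
        else:
            excluded.append(j)

    members = [i for i in ordered if i in accepted]
    h = sel([accepted[i] for i in members], len(members))        # step 8
    return {"members": members, "excluded": excluded, "h": h, "head": members[h]}


def head_distribution(node_ids: List[int], trials: int,
                      fixed: Dict[int, int], seed: int = 1) -> Dict[int, int]:
    """How often each node is elected when the nodes in `fixed` always contribute
    the same Zi (colluding nodes that do not randomize) and the others draw fresh
    values. A single honest random input keeps the outcome uniform."""
    rng = random.Random(seed)
    ordered = sorted(node_ids)
    counts = {i: 0 for i in ordered}
    for _ in range(trials):
        zs = [fixed.get(i, rng.getrandbits(Z_BITS)) for i in ordered]
        counts[ordered[sel(zs, len(ordered))]] += 1
    return counts


if __name__ == "__main__":
    ids = [19, 3, 11, 7, 15]                                     # constructed cluster
    print(run_election(ids, seed=42))
    print(run_election(ids, seed=42, late_change={7: 12345}))    # node 7 fails step 7
    print(head_distribution(ids, 5000, fixed={3: 1, 7: 2, 11: 3, 15: 4}))
```

In `head_distribution` four of the five nodes contribute constant values and only one draws fresh randomness; the elected index is still spread evenly over the cluster, which is the XOR property the text relies on. The same run with `late_change` shows the commitment doing its work: a node whose revealed Zj does not match its START_ELECTION hash is dropped before SEL is computed.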
MOBILE AGENTS

Mobile agents are programs that can halt themselves, migrate to another host in a heterogeneous environment, and continue execution without being affected by the status of the originating node. While moving from one node to another node, mobile agents interact with stationary service agents, collect information and execute to accomplish their tasks (Chpudhury 2000). A software mobile agent can carry out activities from one node to another and adapt to the new changes in the network. This gives the agents the ability to communicate with one another, learn from their experience, and cooperate with each other (Dasgupta 2001).

In the proposed work, agents are deployed in each node of the cluster even before the election process takes place. There are several types of agents that may be used in Ad hoc networks. We address some of them in this paper.

Network Monitoring Agents: Very few nodes in the cluster will be deployed with the agent for monitoring the network packets. These agents are responsible for collecting the network related parameters necessary for the IDS.

Host Monitoring Agents: Every node on the ad hoc network is monitored internally by a host monitoring agent. It monitors system level and application level activities.

Decision Making Agents: Every node makes decisions regarding intrusions based on the individual threshold threat level assigned.

Communication Agents: This agent is built as part of both the host and network IDS. Whenever a roaming/mobile agent visits any node, the communication agent reads information from the mobile agent and, if it is found to be a new attack rule, it will be added to the attack database by the database agent.

Alert Agents: On detection of any new attack or suspicious event, any node can issue an alert. After issuing the alert, … . Alert agents use a learning module for this purpose.

Mobile agents are developed using different frameworks such as Aglets, Voyager, JADE, TACOMA, Grasshopper, SPRINGS, Tryllian’s Agent Development Kit, and Zeus (Bayer and Reich 2017). In this work we used JADE (Java Agent Development Framework). JADE is a software framework totally implemented in Java. It simplifies the implementation of multi-agent systems. The agent platform can be distributed across machines. The configuration can even be changed at run-time by creating new agents and agents which move from one machine to another one, as and when required.

Fig. 3 shows a wireless network with 50 nodes with a mobile agent, simulated in ns2.

Fig. 3: MANET with Mobile Agent

PROPOSED WORK

Our proposed work is an enhancement to Yi-an Huang and Wenke Lee. The authors did not provide a solution if the cluster head node is already tampered. First we describe cluster formation and the role of mobile agents in intrusion detection. In this paper we propose an algorithm which selects a cluster head based on a tamper evident mobile agent. In our model, initially each node in the network is deployed with an agent. Each agent has a unique ID assigned to it. Each forwarding node appends its ID and an n-bit message authentication code (MAC) to the message. If the length of “n” is large, the overhead is significant. If the length of “n” is small, a malicious node may generate a correct MAC. For this reason “n” should be moderate. However, some statistical procedures may be used for a length of 1 bit and ensure that a malicious node fails in generating correct MACs. In the next stage we form a cluster and elect the cluster head. In a cluster based IDS we need to guarantee that the IDS cannot be compromised, or at least that attacks against the IDS can be detected. If a compromised node happens to be a cluster head, it can launch attacks without being detected. For this purpose each node in the cluster is deployed with the above said agents. At the time of election, the agents detect the compromised node; that node is not considered for the cluster, packets are not forwarded to that node, and an alert is raised.
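The per-hop n-bit MAC described above, as an added worked example written for this page (not the authors' code): a forwarding node appends its ID and a truncated tag, the verifier recomputes every hop, and a short simulation shows the trade-off the text describes, a tag that a node without the key passes with probability about 2^-n, together with the per-node failure-rate check that makes even a 1-bit tag usable over many packets. The per-node key shared with the verifier, HMAC-SHA256 as the underlying MAC, the hop-record layout and all keys, IDs and messages are assumptions for the illustration.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Tuple

# Constructed example. The paper specifies only that each forwarding node appends
# its ID and an n-bit MAC; the choices below (a key per node shared with the
# verifying node, HMAC-SHA256 truncated to n bits, a hop record of (ID, tag)) and
# all keys, IDs and messages are assumptions made for this illustration.

HopList = List[Tuple[int, int]]


def n_bit_mac(key: bytes, data: bytes, n_bits: int) -> int:
    """The leading n bits of HMAC-SHA256(key, data), for 1 <= n <= 64."""
    if not 1 <= n_bits <= 64:
        raise ValueError("n_bits must be between 1 and 64")
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def _covered(message: bytes, hops: HopList, node_id: int) -> bytes:
    """Bytes a forwarding node authenticates: the message, every earlier hop record
    and its own ID, so a later node cannot drop or reorder earlier records."""
    out = message
    for nid, tag in hops:
        out += nid.to_bytes(4, "big") + tag.to_bytes(8, "big")
    return out + node_id.to_bytes(4, "big")


def forward(message: bytes, hops: HopList, node_id: int, key: bytes, n_bits: int) -> HopList:
    """A forwarding node appends (its ID, n-bit MAC) to the message's hop list."""
    return hops + [(node_id, n_bit_mac(key, _covered(message, hops, node_id), n_bits))]


def verify(message: bytes, hops: HopList, keys: Dict[int, bytes], n_bits: int) -> List[int]:
    """Recompute each hop's tag with that node's key; return the IDs whose tag is wrong."""
    bad = []
    for idx, (nid, tag) in enumerate(hops):
        expected = n_bit_mac(keys[nid], _covered(message, hops[:idx], nid), n_bits)
        if not hmac.compare_digest(expected.to_bytes(8, "big"), tag.to_bytes(8, "big")):
            bad.append(nid)
    return bad


def guess_acceptance_rate(n_bits: int, trials: int, seed: int = 7) -> float:
    """Fraction of packets on which a node *without* the key passes verification by
    guessing a random n-bit tag. The expectation is 2**-n_bits: about one half for
    n = 1, which is why the paper wants a moderate n."""
    rng = random.Random(seed)
    key = bytes(range(32))                      # key of the impersonated node (constructed)
    accepted = 0
    for i in range(trials):
        msg = i.to_bytes(4, "big")
        if rng.getrandbits(n_bits) == n_bit_mac(key, _covered(msg, [], 1), n_bits):
            accepted += 1
    return accepted / trials


def flag_guessers(failures: Dict[int, int], packets: int, max_fail_rate: float) -> List[int]:
    """The kind of statistical check the paper alludes to for very short tags: over
    many packets a node holding the key never fails verification, while a guesser
    fails about 1 - 2**-n of the time, so the per-node failure rate separates them
    even for n = 1. `failures` holds per-node counts supplied by the caller."""
    return sorted(nid for nid, f in failures.items() if f / packets > max_fail_rate)


if __name__ == "__main__":
    keys = {1: b"k1" * 16, 2: b"k2" * 16, 3: b"k3" * 16}       # constructed keys
    msg = b"route-update"
    hops = forward(msg, [], 1, keys[1], 32)
    hops = forward(msg, hops, 2, keys[2], 32)
    hops = forward(msg, hops, 3, keys[3], 32)
    print("bad hops on honest path:", verify(msg, hops, keys, 32))
    print("guess rate n=1:", guess_acceptance_rate(1, 4000),
          "n=16:", guess_acceptance_rate(16, 4000))
```

Each hop's tag covers the earlier hop records, so a node cannot silently remove a predecessor's record from the list; a tag that covered only the payload would not give that property. `guess_acceptance_rate` makes the length trade-off concrete (roughly one accepted forgery in two for n = 1, roughly one in 65536 for n = 16), and `flag_guessers` is the complementary per-node statistic that lets a verifier keep a short tag and still single out a node whose tags fail far more often than chance allows.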
The procedure for selection of the cluster head is as follows:

1. Initialize agents: INIT_AGENT().
2. Generate a random integer Zi.
3. Broadcast a message regarding the election.
4. START_ELECTION(IDi, HASH(IDi, Zi)).
5. Set a timer T.
6. If no message is received from a node within T, then the node is excluded from the cluster.
7. After receiving the hash value from a node j, verify that its hash value matches the value in the START_ELECTION message. Store Zj locally.
8. If all Zj from the cluster have arrived, compute h = SEL(Z0, Z1, Z2, …, ZSc-1), where SEL is the selection function. Determine the cluster head H as the h-th node in the cluster, since all the IDs are ordered.
9. If the node itself is not H:
   (a) Send ELECTION_COMP to H.
   (b) Wait for ELECTION_REPLY from H, and then enter the DONE state.
10. // Now we pass the newly elected cluster head ID to DETECT_TAMPER. DETECT_TAMPER checks whether the elected cluster head is tampered or not.
11. DETECT_TAMPER(H, ID, K) // K is the bit number. Ta = AGENT_HASH(H, K). If the value of Ta >= Threshold then reject H and start from step 2, ELSE perform the following.
12. Cluster head H performs the following:
   (a) Set a timer T2.
   (b) On receiving ELECTION_DONE, verify it is from the cluster.
   (c) If T2 times out, nodes from which ELECTION_DONE has not been received are excluded from the cluster.
   (d) Broadcast ELECTION_REPLY to the cluster and enter the DONE state.

Fig. 4: Tampered CH Detection using Agents.

RESULTS

The simulation is done on ns2 and JADE with a sample of 50 nodes. The experiments are carried out for nodes with different density and movement. Mobile agents are developed using Java. At the time of election, a function call is made in each of the nodes where this Java program resides. The total CPU usage is reduced when compared on a per node basis. We tested for two types of attacks: 1) Blackhole Attack and 2) Random Packet Dropping.

Table 1: Experimental Results for Two Types of Attacks

Intrusion     DTR   PDR   MCR   FAR
Intrusion 1   85%   5%    0%    1%
Intrusion 2   95%   5%    1%    1%

DTR = Detection Rate; PDR = Partial Detection Rate; MCR = Misclassification Rate; FAR = False Alarm Rate.

DTR is the percentage of attacks that are detected correctly by the model. The partial detection rate denotes the percentage of attacks of unknown types. Normal behaviors of nodes which are marked as abnormal are denoted by MCR.

CONCLUSION

In this paper we discussed an anomaly intrusion detection system in the MANET environment and how clustering is used in the selection of a cluster head, which acts as a coordinator for both inter cluster and intra cluster communication. We further discussed how to handle the case where the cluster head itself is compromised, making the IDS fail. We proposed the use of mobile agents while forming the cluster. We tested the system for two types of attacks only and need to test for other types of attacks also.
REFERENCES

Vijayarani S, Sylviaa M (2015) Intrusion Detection System: A Study. International Journal of Security, Privacy and Trust Management (IJSPTM) 4(1).
Deng H, Li W, Agarwal D (2002) Routing Security in Wireless Ad hoc Networks. IEEE Communications Magazine 40:70–75.
Buczak AL, Guven E (2016) A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Communications Surveys and Tutorials 18:1153–1176.
Al-Jarrah OY, Alhussein O, Yoo PD, Muhaidat S, Taha K, Kim K (2016) Data randomization and cluster-based partitioning for botnet intrusion detection. IEEE Transactions on Cybernetics 46:1796–1806.
Barbará D, Couto J, Jajodia S, Popyack L, Wu N (2001) ADAM: Detecting Intrusions by Data Mining. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY.
Khor KC, Ting CY, Phon-Amnuaisuk S (2012) A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection. Applied Intelligence 36:320–329.
Huang Y, Fan W, Lee W, Yu PS (2003) A co-operative intrusion detection system for ad hoc networks. SASN’03: Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, pp. 135–147.
Krugel C, Toth T (2002) Flexible mobile agent based intrusion detection for dynamic networks. In European Wireless.
Salunkhe UR, Mali SN (2017) Security Enrichment in Intrusion Detection System Using Classifier Ensemble. Journal of Electrical and Computer Engineering.
Buttyan L, Hubaux JP (2002) Stimulating cooperation in self-organizing mobile ad hoc networks. ACM Journal for Mobile Networks (MONET), special issue on Mobile Ad Hoc Networks.
Chpudhury R, Bandyopadhyay S, Paul K (2000) A distributed mechanism for topology discovery in ad hoc wireless networks using mobile agents. IEEE Mobile and Ad Hoc Networking and Computing (MobiHOC), pp. 145–146.
Dasgupta D, Brian H (2001) Mobile Security Agents for Network Traffic Analysis. DARPA Information Survivability Conference and Exposition II (DISCEX-II), IEEE Computer Society Press.
Bayer T, Reich C (2017) Security of Mobile Agents in Distributed Java Agent Development Framework (JADE) Platforms. ICONS 2017: The Twelfth International Conference on Systems. University of Applied Science Furtwangen, Germany.
Huang Y, Fan W, Lee W, Yu P (2003) Cross-feature analysis for detecting ad-hoc routing anomalies. In Proceedings of the 23rd International Conference on Distributed Computing Systems, Providence, RI.
Gupta M, Shrivastava SK (2015) Intrusion Detection System based on SVM and Bee Colony. International Journal of Computer Applications 111:0975–8887.
Kumar S, Dutta K (2016) Intrusion detection in mobile ad hoc networks: techniques, systems and future challenges. Security and Communication Networks.
Kim G, Lee S, Kim S (2014) A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Systems with Applications 41:1690–1700.
Mazini M, Shirazi B, Mahdavi I (2018) Anomaly network-based intrusion detection system using a reliable hybrid artificial bee colony and AdaBoost algorithms. Journal of King Saud University – Computer and Information Sciences.