Abstract
Intrusion Detection Systems (IDSs) in ad hoc networks monitor other devices for intentional deviation from protocol, i.e., misbehavior. This process is complicated due to limited radio range and mobility of nodes. Unlike in conventional IDSs, it is not possible to monitor nodes for long durations. As a result, IDSs suffer from a large number of false positives. Moreover, other environmental conditions like radio interference and congestion increase false positives, complicating classification of legitimate nodes and attackers. We present a scheme that helps in accurate diagnosis of malicious attacks in ad hoc networks. Our scheme employs cross-layer interactions based on observations at various networking layers to decrease the number of false positives. Our simulations show that our scheme is more effective and accurate than those based on isolated observations from any single layer.

I. INTRODUCTION

Mobile ad hoc networks (MANETs) are comprised of a dynamic set of cooperating peers, which share their wireless capabilities with other similar devices to enable communication with devices not in direct radio range of each other, effectively relaying messages on behalf of others. Conventional methods of identification and authentication are not available, since the availability of a Certificate Authority (CA) or a Key Distribution Centre (KDC) cannot be assumed. Consequently, mobile device identities or their intentions cannot be predetermined or verified.

Communication protocols, though designed for fairness in contention resolution, provide no enforcement mechanism to ensure it. Protocols are fair only to the extent to which the devices conform to the protocol specifications. Wireless Medium Access Control (MAC) protocols like 802.11 that employ distributed contention resolution for gaining access to the shared wireless channel are susceptible to attack from selfish nodes trying to gain an unfair share of the medium.
The various networking layers, from the lowest physical layer to the application layer, were designed with the tacit assumption that devices comprising the network will be protocol conformant. Herein lie several security threats, some arising from shortcomings in the protocols, and others from the lack of conventional identification and authentication mechanisms. These inherent properties of ad hoc networks make them vulnerable, and malicious nodes can exploit these vulnerabilities in the networking layers for selfish or even malicious motives. Selfish nodes can slightly deviate from the MAC protocol specification for contention resolution in order to gain an unfairly large share of the bandwidth. More harmful attacks like packet dropping, routing disruption, jamming attacks or other forms of Denial-of-Service (DoS) at any of the networking layers can severely disrupt MANET communications.

Traditionally, intrusion detection involves looking at events and activities in individual layers of the modeled OSI stack. Various pattern matches at the Transport layer, for example, can indicate SYN attacks. However, sophisticated attacks that simultaneously exploit vulnerabilities at multiple layers of the communication protocols will be especially hard to detect. Our approach will be to use observations of both external and internal events from multiple layers of the OSI stack for a more accurate evaluation of bad nodes and good nodes. In this paper we show the results of looking specifically at malicious RTS activity in the 802.11 MAC layer when combined with packet dropping at the Network layer. Robust IDS and response systems will depend on accurate classification of attacks and identification of attackers.
In order for devices to establish and maintain trust relations and evolve reputations, there is a need to balance the intrusion detection effort with the individual node's primary function. The goal is to maximize the probability that malicious behavior will be correctly detected (True Positives), while minimizing the probability that good nodes will be falsely accused (False Positives).