anomaly detection in manet

Upload: ragijithu

Post on 03-Apr-2018


  • 7/28/2019 ANOMALY DETECTION IN MANET

    1/26

    ANOMALY DETECTION IN MANET NOVEMBER 2011

    Page 1

    ANOMALY DETECTION IN MANET

    A seminar report submitted in partial fulfillment of the degree of:

    MASTER OF TECHNOLOGY

    IN

    WIRELESS NETWORKS AND APPLICATIONS

    Submitted by

    ANU T A

    DEEPA MARIA

    DIVYA M KAIMAL

    RAGI GR

    SRUTHY ANAND

    AMRITA CENTER FOR WIRELESS NETWORKS & APPLICATIONS

    AMRITA VISHWA VIDYAPEETHAM (AMRITA UNIVERSITY) (Estd. U/S 3 of the UGC Act 1956) Amritapuri Campus

    Kollam - 690525

    November 2011


    AMRITA CENTER FOR WIRELESS NETWORKS & APPLICATIONS
    AMRITA VISHWA VIDYAPEETHAM UNIVERSITY
    (Estd. U/S 3 of the UGC Act 1956) AMRITAPURI

    BONAFIDE CERTIFICATE

    This is to certify that the project report entitled ANOMALY DETECTION IN MANET, submitted by Anu T A (P2WNA10003), Deepa Maria (P2WNA10007), Divya M Kaimal (P2WNA10008), Ragi G R (P2WNA10014) and Sruthy Anand (P2WNA10020), in partial fulfillment of the degree of Master of Technology in Amrita Center for Wireless Networks & Applications, Amrita Vishwa Vidyapeetham (AMRITA University), is a bonafide record of the work carried out by them at Amrita School of Engineering, Amritapuri, during Semester 3 of the academic year 2011-2012.

    Teaching Assistant: Ms Rekha Manoj
    Faculty in Charge: Dr. Radhika N

    Place: Amritapuri
    Date: 22/11/2011


    ABSTRACT

    In this project, we have simulated the wormhole attack, a powerful attack that can have serious consequences on many proposed ad hoc network routing protocols. Wormhole refers to an attack on MANET routing protocols in which colluding nodes create an illusion that two remote regions of a MANET are directly connected through nodes that appear to be neighbors but are actually distant from one another. Based on results collected from a QualNet simulation, we evaluate the likelihood of such an attack. A mobile ad-hoc network (MANET) is a self-configuring, infrastructureless network of mobile devices connected by wireless links. Each device in a MANET is free to move independently in any direction, and will therefore change its links to other devices frequently. Each must forward traffic unrelated to its own use, and therefore be a router. The primary challenge in building a MANET is equipping each device to continuously maintain the information required to properly route traffic. Such networks may operate by themselves or may be connected to the larger Internet. MANETs are a kind of wireless ad-hoc network that usually has a routable networking environment on top of a Link Layer ad hoc network.


    CHAPTER 1

    Introduction

    Wireless Sensor Networks (WSNs) are rapidly emerging as a new field of research. WSNs are built with a large number of tiny and inexpensive sensor nodes that are equipped with low-bandwidth radios. In a Mobile Ad Hoc Network (MANET), each node serves as a router for other nodes, which allows data to travel over multi-hop network paths without relying on wired infrastructure. Unlike wired networks where the physical wires prevent an attacker from compromising the security challenges especially for military applications, emergency rescue operations, and short-lived conference or classroom activities. Security of such networks is a major concern [3]. The open nature of the wireless medium makes it easy for outsiders to listen to network traffic or interfere with it. These factors make sensor networks potentially vulnerable to several different types of malicious attacks. Malicious nodes can carry out both passive and active attacks against the network. In passive attacks a malicious node only eavesdrops on packet contents, while in active attacks it may imitate, drop or modify legitimate packets [1]. A typical example of a particularly devastating active attack is the wormhole attack, in which a malicious node captures packets from one location in the network and tunnels them to another malicious node at a distant point, which replays them locally. The wormhole attack can affect network routing, data aggregation and clustering protocols, and location-based wireless security systems. Finally, the wormhole attack can be launched even without having access to any cryptographic keys or compromising any legitimate node in the network.

    Fig.1. A network under a wormhole attack.


    1.1 Significance of Wormhole Attack And Background

    A wormhole attack is a particularly severe attack on MANET routing in which two attackers are connected by a high-speed off-channel link called the wormhole link. The wormhole link can be established by using a network cable and any form of wired link technology, or a long-range wireless transmission in a different band. The end-points of this link (wormhole nodes) are equipped with radio transceivers compatible with the ad hoc or sensor network to be attacked. Once the wormhole link is established, the adversaries record the wireless data they overhear, forward it to each other, and replay the packets through the wormhole link at the other end of the network. By replaying valid network messages at improper places, wormhole attackers can make far-apart nodes believe they are immediate neighbors, and force all communications between affected nodes to go through them.

    Compared to jamming, a wormhole attack is more covert in nature and harder to detect. The term wormhole refers to an adversary carrying information and traveling faster than anyone else; thus the adversary is capable of launching unusual timing attacks. While physical wormholes do not exist, communication wormholes do exist, because adversaries can forward packets faster than regular nodes, which incur queuing delay, transmission delay, and MAC contention delay.

    Transparent Mode as external adversary: Wormhole devices are not regular network members. However, to make the wormhole attack work, the adversary must be able to intercept legitimate wireless messages (assuming the wormhole attackers can thwart low-probability-interception mechanisms). Messages are covertly intercepted at one location and replayed at other locations while regular network members do not know of the existence of wormhole devices. In other words, the existence of the wormhole devices is transparent to regular network nodes. A corresponding implementation uses layer-1 devices in the victim network and layer-2 devices in the attacking network to implement the wormhole devices.

    Participant Mode as internal adversary: Wormhole devices are regular network members. They are compromised nodes with legitimate network addresses like IP addresses and MAC addresses. A corresponding implementation uses layer-3 devices to implement the wormhole devices. Because wormholes working in the transparent mode already significantly thwart the victim network's routing functions, the participant mode is currently


    Omitted Features

    Tunneling MAC in other forms

    Replay MAC in other forms

    Traffic analysis

    Assumptions and Limitations

    Wormhole nodes can monitor victim nodes' RF signals and intercept victims' packets.


    CHAPTER 3

    Simulation Setup

    3.1 Setting Scenario And FTP Properties

    The simulations are designed in the QualNet simulation platform. The network size (terrain setting) is set to 1500*1500 meters, and in the FTP General properties the packet size is set to 512.


    3.2 Configuring Wormhole Parameters

    To configure the Wormhole parameters, perform the following steps:

    1. Go to one of the following locations:

       - To set properties at subnet level, go to the Wireless Subnet Properties Editor > MAC Layer.

       - To set properties at interface level, go to one of the following locations:

           - Interface Properties Editor > Interfaces > Interface # > MAC Layer

           - Default Device Properties Editor > Interfaces > Interface # > MAC Layer

       In this section, we show how to configure the general Wormhole parameters in the Wireless Subnet Properties editor. Parameters can be set in the other properties editors in a similar way.

    2. Set MAC Protocol to Wormhole and set the dependent parameters listed in Table 2.


    Setting Parameters

    To enable the THRESHOLD mode, set Wormhole Operation Mode to Threshold.

    To enable the ALLPASS mode, set Wormhole Operation Mode to All Pass.

    To enable the ALLDROP mode, set Wormhole Operation Mode to All Drop.

    3. If Wormhole Operation Mode is set to Threshold,

    3.3 Statistics and Output

    Table lists the statistics collected for the Wormhole that are output to the statistics (.stat) file

    at the end of simulation.


    CHAPTER 4

    Wormhole Sample Scenario

    4.1 Scenario Description

    In the sample scenario shown in the figure, nodes 1 and 3 are connected to a wireless subnet. Nodes 5 and 6 are connected through another wireless subnet. Nodes 2 and 4 are wormhole nodes connected to a subnet. Wormhole is enabled on the subnet.

    4.1.1 Wormhole All Drop

    PURPOSE: To test the case when the wormhole drops ALL packets, including both control packets and data packets.

    SCENARIO: There are 6 nodes in total in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.


    In case of Wormhole nodes 2 and 4 the different parameters observed are given below:

                                  Node 2    Node 4
    Frames intercepted all           442       404
    Frames dropped by wormhole       283       305
    Frames tunneled                  283       305
    Frames replayed                    0         0
    Frames dropped by queue            0         0

    Table 1: Different parameters observed for Wormhole All Drop

    4.1.2 Wormhole All Pass:

    PURPOSE: To test the case when the wormhole passes ALL packets, including both control packets and data packets.

    SCENARIO: There are 6 nodes in total in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.

    Wormhole All Pass


    In case of Wormhole nodes 2 and 4 the different parameters observed are given below:

                                  Node 2    Node 4
    Frames intercepted all          1833      1811
    Frames dropped by wormhole         0         0
    Frames tunneled                 1125      1122
    Frames replayed                 1122      1125
    Frames dropped by queue            0         0

    Table 2: Different parameters observed for Wormhole All Pass


    In case of Wormhole nodes 2 and 4 the different parameters observed are given below:

                                  Node 2    Node 4
    Frames intercepted all          3521      2531
    Frames dropped by wormhole       739         0
    Frames tunneled                 3504      2531
    Frames replayed                 2522      2756
    Frames dropped by queue            0         0

    Table 3: Different parameters observed for Wormhole propagation delays

    4.1.4 Wormhole Replay

    PURPOSE: To test the wormhole replay function with all packets going through the wormhole link.

    SCENARIO: There are 6 nodes in total in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.

    Wormhole Replay


    In case of Wormhole nodes 2 and 4 the different parameters observed are given below:

                                  Node 2    Node 4
    Frames intercepted all           150       120
    Frames dropped by wormhole         0         0
    Frames tunneled                  150       120
    Frames replayed                  120       150
    Frames dropped by queue            0         0

    Table 4: Different parameters observed for Wormhole propagation delays

    4.1.5 Wormhole Threshold

    PURPOSE: To test the wormhole tunneling function with a user-defined threshold value (72 bytes in this case).

    SCENARIO: There are 6 nodes in total in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.


    Wormhole Threshold


    In case of Wormhole nodes 2 and 4 the different parameters observed are given below:

                                  Node 2    Node 4
    Frames intercepted all           111        15
    Frames dropped by wormhole        12         0
    Frames tunneled                   39        15
    Frames replayed                   15        27
    Frames dropped by queue            0         0

    Table 5: Different parameters observed for Wormhole threshold

    4.1.6 Wormhole Tunnelling

    PURPOSE: To test the wormhole tunneling function with all packets tunneled through the wormhole link.

    SCENARIO: There are 6 nodes in total in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.

    Wormhole Tunnelling


    In case of Wormhole nodes 2 and 4 the different parameters observed are given below:

                                  Node 2    Node 4
    Frames intercepted all           150       120
    Frames dropped by wormhole         0         0
    Frames tunneled                  150       120
    Frames replayed                  120       150
    Frames dropped by queue            0         0

    Table 6: Different parameters observed for Wormhole Tunneling
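
The frame counters reported in Tables 1 to 6 can be cross-checked between the two wormhole endpoints. The Python below is an added example, not part of the original report or of QualNet; the accounting relation it tests (frames replayed by one endpoint = frames tunneled by its peer minus frames the peer dropped) is an assumption inferred from the reported numbers, and the scenario keys and function names are chosen here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    dropped: int   # "Frames dropped by wormhole"
    tunneled: int  # "Frames tunneled"
    replayed: int  # "Frames replayed"


# Counters copied from Tables 1-6 of the report, as (node 2, node 4).
# The dictionary keys are labels chosen for this example.
TABLES = {
    "all_drop":   (Endpoint(283, 283, 0),     Endpoint(305, 305, 0)),     # Table 1
    "all_pass":   (Endpoint(0, 1125, 1122),   Endpoint(0, 1122, 1125)),   # Table 2
    "prop_delay": (Endpoint(739, 3504, 2522), Endpoint(0, 2531, 2756)),   # Table 3
    "replay":     (Endpoint(0, 150, 120),     Endpoint(0, 120, 150)),     # Table 4
    "threshold":  (Endpoint(12, 39, 15),      Endpoint(0, 15, 27)),       # Table 5
    "tunnelling": (Endpoint(0, 150, 120),     Endpoint(0, 120, 150)),     # Table 6
}


def unaccounted(sender: Endpoint, receiver: Endpoint) -> int:
    """Frames the sender tunneled and did not drop, yet the peer never replayed.

    Assumed relation (inferred from the tables, not from QualNet documentation):
    receiver.replayed = sender.tunneled - sender.dropped - frames still in the tunnel.
    """
    return sender.tunneled - sender.dropped - receiver.replayed


def audit(tables=TABLES):
    """Return {scenario: (node 2 -> node 4 residual, node 4 -> node 2 residual)}."""
    return {name: (unaccounted(n2, n4), unaccounted(n4, n2))
            for name, (n2, n4) in tables.items()}


def drop_ratio(ep: Endpoint) -> float:
    """Share of tunnel-bound frames the endpoint discarded instead of forwarding."""
    return ep.dropped / ep.tunneled if ep.tunneled else 0.0


if __name__ == "__main__":
    for name, (fwd, rev) in audit().items():
        n2, n4 = TABLES[name]
        print(f"{name:11s} residual 2->4={fwd:3d} 4->2={rev:3d} "
              f"drop ratio n2={drop_ratio(n2):.2f} n4={drop_ratio(n4):.2f}")
```

On the report's data every scenario balances except the propagation-delay run (Table 3), where 9 frames in each direction were tunneled but not replayed.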


    CHAPTER 5

    Conclusion

    In this project we have studied the wormhole attack, which is a powerful attack that can have serious consequences on many proposed ad hoc network routing protocols. In this work we simulated the wormhole attack considering various scenarios using QualNet and studied the performance of the ad hoc network in terms of different parameters.


    REFERENCES

    [1] Yih-Chun Hu, Adrian Perrig and David B. Johnson, Wormhole Attacks in Wireless Networks

    [2] Khin Sandar Win, Pathein Gyi, Analysis of Detecting Wormhole Attack in Wireless Networks

    [3] QualNet-5.0.2-UsersGuide.pdf

    [4] T.V.P. Sundararajan, Dr. A. Shanmugam, Behavior Based Anomaly Detection Technique to Mitigate the Routing Misbehavior in MANET.

    [5] N. Song, L. Qian, X. Li, Wormhole Attack Detection in Wireless Ad Hoc Networks: a Statistical Analysis Approach, Parallel and Distributed Processing