anomaly detection in manet
TRANSCRIPT
-
7/28/2019 ANOMALY DETECTION IN MANET
1/26
ANOMALY DETECTION IN MANET NOVEMBER 2011
Page 1
ANOMALY DETECTION IN MANET
A seminar report submitted in partial fulfillment of the degree of:
MASTER OF TECHNOLOGY
IN
WIRELESS NETWORKS AND APPLICATIONS
Submitted by
ANU T A
DEEPA MARIA
DIVYA M KAIMAL
RAGI GR
SRUTHY ANAND
AMRITA CENTER FOR WIRELESS NETWORKS & APPLICATIONS
AMRITA VISHWA VIDYAPEETHAM (AMRITA UNIVERSITY) (Estd. U/S 3 of the UGC Act 1956) Amritapuri Campus
Kollam -690525
November 2011
AMRITA CENTER FOR WIRELESS NETWORKS & APPLICATIONS
AMRITA VISHWA VIDYAPEETHAM UNIVERSITY
(Estd. U/S 3 of the UGC Act 1956) AMRITAPURI
BONAFIDE CERTIFICATE
This is to certify that the project report entitled ANOMALY DETECTION IN MANET has been submitted by Anu T A (P2WNA10003), Deepa Maria (P2WNA10007), Divya M Kaimal (P2WNA10008), Ragi G R (P2WNA10014) and Sruthy Anand (P2WNA10020), in partial fulfillment of the degree of Master of Technology in Amrita Center for Wireless Networks & Applications, Amrita Vishwa Vidyapeetham (AMRITA University), is a bonafide record of the work carried out by them at Amrita School of Engineering, Amritapuri, during Semester 3 of the academic year 2011-2012.
Teaching Assistant: Ms Rekha Manoj
Faculty in Charge: Dr. Radhika N
Place: Amritapuri
Date: 22/11/2011
ABSTRACT
In this project, we have simulated the wormhole attack, a powerful attack that can have
serious consequences on many proposed ad hoc network routing protocols. Wormhole refers
to an attack on MANET routing protocols in which colluding nodes create an illusion that
two remote regions of a MANET are directly connected through nodes that appear to be
neighbors but are actually distant from one another. Based on results collected from a
QualNet simulation, we evaluate the likelihood of such an attack. A mobile ad-hoc network
(MANET) is a self-configuring, infrastructureless network of mobile devices connected by
wireless links. Each device in a MANET is free to move independently in any direction, and
will therefore change its links to other devices frequently. Each must forward traffic unrelated
to its own use, and therefore be a router. The primary challenge in building a MANET is
equipping each device to continuously maintain the information required to properly route
traffic. Such networks may operate by themselves or may be connected to the larger Internet.
MANETs are a kind of wireless ad hoc network that usually has a routable networking
environment on top of a Link Layer ad hoc network.
CHAPTER 1
Introduction
Wireless Sensor Networks (WSNs) are rapidly emerging as a new field of research. WSNs
are built with a large number of tiny and inexpensive sensor nodes that are equipped with
low-bandwidth radios. In a Mobile Ad Hoc Network (MANET), each node serves as a router
for other nodes which allows data to travel by utilizing multi hop network paths without
relying on wired infrastructure. Unlike wired networks where the physical wires prevent an
attacker from compromising the security challenges especially for military applications,
emergency rescue operations, and short-lived conference or classroom activities. Security of
such networks is a major concern [3]. The open nature of the wireless medium makes it easy
for outsiders to listen to network traffic or interfere with it. These factors make sensor
networks potentially vulnerable to several different types of malicious attacks. These
malicious nodes can carry out both passive and active attacks against the network. In passive
attacks a malicious node only eavesdrops on packet contents, while in active attacks it may
imitate, drop or modify legitimate packets [1]. A typical example of a particularly devastating
active attack is the wormhole attack, in which a malicious node captures
packets from one location in the network and tunnels them to another malicious node at a
distant point, which replays them locally. The wormhole attack can affect network routing,
data aggregation and clustering protocols, and location-based wireless security systems.
Finally, the wormhole attack can be launched even without having access to any
cryptographic keys or compromising any legitimate node in the network.
Fig.1. A network under a wormhole attack.
1.1 Significance of Wormhole Attack And Background
A wormhole attack is a particularly severe attack on MANET routing in which two attackers
are connected by a high-speed off-channel link called the wormhole link. The wormhole link can
be established by using a network cable and any form of wired link technology, or a
long-range wireless transmission in a different band. The end-points of this link (wormhole nodes)
are equipped with radio transceivers compatible with the ad hoc or sensor network to be
attacked. Once the wormhole link is established, the adversaries record the wireless data they
overhear, forward it to each other, and replay the packets through the wormhole link at the
other end of the network. By replaying valid network messages at improper places, wormhole
attackers can make far-apart nodes believe they are immediate neighbors, and force all
communications between affected nodes to go through them.
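The effect described above, measured on a small constructed topology (an added example, not part of the original report): it counts the source/destination pairs whose shortest route becomes shorter once two distant nodes appear as neighbors, and flags the neighbor entry a position-aware defender would reject. The 250 m radio range, the node positions, the wormhole end-points and the assumption that nodes know each other's positions are all made up for illustration.

```python
import math
from collections import deque
from itertools import combinations

RADIO_RANGE = 250.0  # metres; assumed value, not taken from the report

# Constructed topology: 8 nodes in a line, 200 m apart (fits a 1500 m terrain).
POS = {i: (200.0 * i, 0.0) for i in range(8)}
WORMHOLE = (1, 6)    # nodes 1 and 6 hear each other's replayed frames

def neighbours(pos, fake_links=()):
    """Neighbour table the nodes would build; fake_links are wormhole-induced."""
    adj = {n: set() for n in pos}
    real = [(a, b) for a, b in combinations(pos, 2)
            if math.dist(pos[a], pos[b]) <= RADIO_RANGE]
    for a, b in real + list(fake_links):
        adj[a].add(b)
        adj[b].add(a)
    return adj

def hops(adj, src):
    """Breadth-first hop count from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def captured_pairs(pos, link):
    """Source/destination pairs whose shortest route gets shorter via the link."""
    clean = neighbours(pos)
    attacked = neighbours(pos, [link])
    return [(a, b) for a, b in combinations(pos, 2)
            if hops(attacked, a)[b] < hops(clean, a)[b]]

def implausible_links(pos, adj):
    """Defender's check: neighbour entries longer than the radio range."""
    return sorted((a, b) for a in adj for b in adj[a]
                  if a < b and math.dist(pos[a], pos[b]) > RADIO_RANGE)
```

On this topology a single false neighbor entry shortens the route for 8 of the 28 node pairs, and the only entry that fails the range check is the wormhole-induced one.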
Compared to jamming, the wormhole attack is more covert in nature and harder to detect. The
term wormhole refers to an adversary carrying information and traveling faster than anyone
else; thus the adversary is capable of launching unusual timing attacks. While physical
wormholes do not exist, communication wormholes do exist, because adversaries can
forward packets faster than regular nodes, which incur a queuing delay, transmission delay,
and MAC contention delay.
Transparent Mode as external adversary: Wormhole devices are not regular network
members. However, to make the wormhole attack work, the adversary must be able to
intercept legitimate wireless messages (assuming the wormhole attackers can thwart
low-probability-interception mechanisms). Messages are covertly intercepted at one location
and replayed at other locations while regular network members do not know of the existence
of wormhole devices. In other words, the existence of the wormhole devices is transparent
to regular network nodes. A corresponding implementation uses layer-1 devices in the
victim network and layer-2 devices in the attacking network to implement the wormhole
devices.
Participant Mode as internal adversary: Wormhole devices are regular network members.
They are compromised nodes with legitimate network addresses like IP addresses and
MAC addresses. A corresponding implementation uses layer-3 devices to implement the
wormhole devices. Because wormholes working in the transparent mode already
significantly thwart the victim network's routing functions, the participant mode is currently
Omitted Features
Tunneling MAC in other forms
Replay MAC in other forms
Traffic analysis
Assumptions and Limitations
Wormhole nodes can monitor victim nodes' RF signals and intercept victim's packets.
CHAPTER 3
Simulation Setup
3.1 Setting Scenario And FTP Properties
The simulations are designed in the QualNet simulation platform. The network size (terrain
setting) is set to 1500*1500 meters, and in the FTP General properties the packet size is set to 512.
3.2 Configuring Wormhole Parameters
To configure the Wormhole parameters, perform the following steps:
1. Go to one of the following locations:
   To set properties at subnet level, go to the Wireless Subnet Properties Editor > MAC Layer.
   To set properties at interface level, go to one of the following locations:
   - Interface Properties Editor > Interfaces > Interface # > MAC Layer
   - Default Device Properties Editor > Interfaces > Interface # > MAC Layer
   In this section, we show how to configure the general Wormhole parameters in the Wireless
   Subnet Properties editor. Parameters can be set in the other properties editors in a similar
   way.
2. Set MAC Protocol to Wormhole and set the dependent parameters listed in Table 2.
Setting Parameters
To enable the THRESHOLD mode, set Wormhole Operation Mode to Threshold.
To enable the ALLPASS mode, set Wormhole Operation Mode to All Pass.
To enable the ALLDROP mode, set Wormhole Operation Mode to All Drop.
3. If Wormhole Operation Mode is set to Threshold,
3.3 Statistics and Output
Table lists the statistics collected for the Wormhole that are output to the statistics (.stat) file
at the end of simulation.
CHAPTER 4
Wormhole Sample Scenario
4.1 Scenario Description
In the sample scenario shown in Figure nodes 1 and 3 are connected to a wireless subnet.
Nodes 5 and 6 are connected through another wireless subnet. Nodes 2 and 4 are wormhole
nodes connected to a subnet. Wormhole is enabled on the subnet.
4.1.1 Wormhole All Drop
PURPOSE :- To test the case when the wormhole drops ALL packets, including both control
packets and data packets.
SCENARIO :- Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.
In case of Wormhole nodes 2 and 4 the different parameters observed are given below:
Parameter                     Node 2    Node 4
Frames intercepted all           442       404
Frames dropped by wormhole       283       305
Frames tunneled                  283       305
Frames replayed                    0         0
Frames dropped by queue            0         0
Table 1: Different parameters observed for Wormhole All Drop
4.1.2 Wormhole All Pass:
PURPOSE :- To test the case when the wormhole passes ALL packets, including both control packets and data packets.
SCENARIO :- Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.
Wormhole All Pass
In case of Wormhole nodes 2 and 4 the different parameters observed are given below:
Parameter                     Node 2    Node 4
Frames intercepted all          1833      1811
Frames dropped by wormhole         0         0
Frames tunneled                 1125      1122
Frames replayed                 1122      1125
Frames dropped by queue            0         0
Table 2: Different parameters observed for Wormhole All Pass
In case of Wormhole nodes 2 and 4 the different parameters observed are given below:
Parameter                     Node 2    Node 4
Frames intercepted all          3521      2531
Frames dropped by wormhole       739         0
Frames tunneled                 3504      2531
Frames replayed                 2522      2756
Frames dropped by queue            0         0
Table 3: Different parameters observed for Wormhole propagation delays
4.1.4 Wormhole Replay
PURPOSE :- To test the wormhole replay function with all packets going through the wormhole link.
SCENARIO :- Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.
Wormhole Replay
In case of Wormhole nodes 2 and 4 the different parameters observed are given below:
Parameter                     Node 2    Node 4
Frames intercepted all           150       120
Frames dropped by wormhole         0         0
Frames tunneled                  150       120
Frames replayed                  120       150
Frames dropped by queue            0         0
Table 4: Different parameters observed for Wormhole propagation delays
4.1.5 Wormhole Threshold
PURPOSE :- To test the wormhole tunneling function with a user-defined threshold value (72 bytes in this case).
SCENARIO :- Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.
Wormhole Threshold
In case of Wormhole nodes 2 and 4 the different parameters observed are given below:
Parameter                     Node 2    Node 4
Frames intercepted all           111        15
Frames dropped by wormhole        12         0
Frames tunneled                   39        15
Frames replayed                   15        27
Frames dropped by queue            0         0
Table 5: Different parameters observed for Wormhole threshold
4.1.6 Wormhole Tunnelling
PURPOSE :- To test the wormhole tunneling function with all packets tunneled through the wormhole link.
SCENARIO :- Totally 6 nodes in the scenario. Nodes 2 and 4 are wormhole terminals in the adversarial wireless subnet.
Wormhole Tunnelling
In case of Wormhole nodes 2 and 4 the different parameters observed are given below:
Parameter                     Node 2    Node 4
Frames intercepted all           150       120
Frames dropped by wormhole         0         0
Frames tunneled                  150       120
Frames replayed                  120       150
Frames dropped by queue            0         0
Table 6: Different parameters observed for Wormhole Tunneling
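A cross-check of the per-node counters in Tables 1 to 6, as an added example that is not part of the original report: for each tunnel direction it compares the frames one wormhole node sent into the tunnel with the frames its peer replayed. It assumes that "Frames tunneled" is counted before the wormhole's drop decision, so frames sent equal tunneled minus dropped; the names Counters, TABLES, reconcile and unreconciled are introduced here.

```python
from typing import NamedTuple

class Counters(NamedTuple):
    dropped: int    # "Frames dropped by wormhole"
    tunneled: int   # "Frames tunneled"
    replayed: int   # "Frames replayed"

# Values copied from the report's tables, as (Node 2, Node 4).
TABLES = {
    "All Drop (Table 1)": (Counters(283, 283, 0), Counters(305, 305, 0)),
    "All Pass (Table 2)": (Counters(0, 1125, 1122), Counters(0, 1122, 1125)),
    "Propagation delays (Table 3)": (Counters(739, 3504, 2522),
                                     Counters(0, 2531, 2756)),
    "Replay (Table 4)": (Counters(0, 150, 120), Counters(0, 120, 150)),
    "Threshold (Table 5)": (Counters(12, 39, 15), Counters(0, 15, 27)),
    "Tunnelling (Table 6)": (Counters(0, 150, 120), Counters(0, 120, 150)),
}

def reconcile(scenario):
    """Per tunnel direction: (frames sent in, frames replayed by peer, residual)."""
    node2, node4 = TABLES[scenario]
    result = {}
    for direction, near, far in (("2->4", node2, node4), ("4->2", node4, node2)):
        # ASSUMPTION: "tunneled" is counted before the drop decision.
        sent = near.tunneled - near.dropped
        result[direction] = (sent, far.replayed, sent - far.replayed)
    return result

def unreconciled():
    """Scenarios where frames sent into the tunnel were not all replayed."""
    return {name: {d: r[2] for d, r in reconcile(name).items()}
            for name in TABLES
            if any(r[2] for r in reconcile(name).values())}

if __name__ == "__main__":
    for name in TABLES:
        print(name, reconcile(name))
```

Under that reading every table balances exactly except Table 3, where 9 frames in each direction entered the tunnel but had not been replayed by the peer when the run ended.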
CHAPTER 5
Conclusion
In this project we have studied the wormhole attack, which is a powerful attack that can have serious consequences on many proposed ad hoc network routing protocols. In this work we simulated the wormhole attack considering various scenarios using QualNet and studied the
performance of the ad hoc network in terms of different parameters.
REFERENCES
[1] Yih-Chun Hu, Adrian Perrig and David B. Johnson, Wormhole Attacks in Wireless Networks
[2] Khin Sandar Win, Pathein Gyi, Analysis of Detecting Wormhole Attack in Wireless Networks
[3] QualNet-5.0.2-UsersGuide.pdf
[4] T.V.P. Sundararajan, Dr. A. Shanmugam, Behavior Based Anomaly Detection Technique to Mitigate the Routing Misbehavior in MANET.
[5] N. Song, L. Qian, X. Li, Wormhole Attack Detection in Wireless Ad Hoc Networks: a Statistical Analysis Approach, Parallel and Distributed Processing