
Journal of Systems Engineering and Electronics

Vol. 19, No. 4, 2008, pp.851–859

Distributed intrusion detection for mobile ad hoc networks∗

Yi Ping1,2, Jiang Xinghao1, Wu Yue1 & Liu Ning1

1. School of Information Security Engineering, Shanghai Jiaotong Univ., Shanghai 200030, P. R. China;

2. State Key Lab of Information Security, Graduate School of Chinese Academy of Sciences, Beijing 100039, P. R. China

(Received March 10, 2007)

Abstract: Mobile ad hoc networking (MANET) has become an exciting and important technology in recent years because of the rapid proliferation of wireless devices. Mobile ad hoc networks are highly vulnerable to attacks because of the open medium, the dynamically changing network topology, the cooperative algorithms, and the lack of a centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient or effective under these conditions. A distributed intrusion detection approach based on timed automata is given. A cluster-based detection scheme is presented, in which a node is periodically elected as the monitor node for a cluster. These monitor nodes not only make local intrusion detection decisions but also cooperatively take part in global intrusion detection. Timed automata are then constructed by manually abstracting the correct behaviours of a node according to the dynamic source routing (DSR) protocol. The monitor nodes verify the behaviour of every node with the timed automata and detect attacks in real time without intrusion signatures or training data. Compared with the architecture in which each node is its own IDS agent, the approach is much more efficient while maintaining the same level of effectiveness. Finally, the intrusion detection method is evaluated through simulation experiments.

Keywords: mobile ad hoc networks, routing protocol, security, intrusion detection, timed automata.

1. Introduction

Mobile ad hoc networks are collections of wireless computers communicating among themselves over possibly multi-hop paths, without the help of any infrastructure such as base stations or access points [1]. Nodes in a mobile ad hoc network collaboratively contribute to routing by forwarding packets for each other, so that nodes can communicate beyond direct wireless transmission range; hence practically all nodes may act as both hosts and routers. Mobile ad hoc networks require no centralized administration or fixed network infrastructure and can be set up quickly and inexpensively as needed. They can thus be used in scenarios where no infrastructure exists, such as military applications, emergency operations, personal electronic device networking, and civilian applications like an ad hoc meeting or an ad hoc classroom.

* This project was supported by the National High Technology Development "863" Program of China (2006AA01Z436, 2007AA01Z452) and the National Natural Science Foundation of China (60702042).

With more and more applications, security for mobile ad hoc networks becomes increasingly important. Several security solutions for mobile ad hoc networks have been proposed so far [2-3], but most of them concern key management and authentication [4-5] or secure routing protocols [6]. Most of these are prevention techniques. Prevention methods such as encryption and authentication can reduce attacks on mobile ad hoc networks but hardly eliminate them. When nodes roam in a hostile environment with relatively poor physical protection, there is a real probability of their being compromised, and compromised nodes may launch attacks from within the network [7]. Encryption and authentication cannot defend against compromised nodes, which carry valid private keys. In addition, a perfect protective security solution for all practical purposes is impossible: no matter how many intrusion prevention measures are inserted into a network, there are always some weak links that an attacker could exploit to break in. Intrusion detection should therefore be the second wall of defence for security in mobile ad hoc networks.

This article analyzes some of these vulnerabilities, specifically discussing attacks against DSR that manipulate routing messages. We propose a solution based on timed-automata intrusion detection to detect attacks on DSR.

First, we design a distributed and cooperative intrusion detection architecture composed of distributed monitor nodes. Intrusion detection in mobile ad hoc networks must be carried out in a distributed fashion because of the absence of infrastructure and central administration. Each network monitor node runs independently and monitors all nodes in its zone to find local intrusions. To track moving nodes, monitors may exchange information with neighbouring monitors. Considering resource constraints, only some nodes in the network are selected as network monitors. We describe an algorithm by which the nodes periodically, randomly, and fairly elect a monitor node for the entire zone.

Second, we propose a timed automata-based intrusion detection system that can detect attacks on the DSR routing protocol. In timed automata-based intrusion detection, the correct behaviours of critical objects are manually abstracted and crafted as security specifications, and these are compared with the actual behaviour of the objects. The technique may detect previously unknown attacks while exhibiting a low false positive rate. Network monitors trace the data flow through every node and audit every forwarded packet with the automata. If some node behaves in an incorrect manner, it is detected and an alarm is raised.

2. Related work

The papers on mobile ad hoc network security can be classified into three categories: key management, secure network routing, and intrusion detection. Capkun, Buttyan, and Hubaux proposed a fully self-organized public key management system that can be used to support the security of ad hoc network routing protocols [8]. Zhou and Haas first proposed threshold cryptography to securely distribute the certificate authority's private key over multiple nodes, which together form a collective CA service [9]. Routing security was most notable by its absence early in the discussion and research on ad hoc routing protocols. Since then several ad hoc routing protocols that include some security services have been proposed: SRP [10], Ariadne [11], ARAN [12], and SEAD [13]. SRP [10] assumes the existence of shared secrets between all pairs of communicating nodes and leverages them for MAC authentication, such that fake route requests are not accepted at the destination and routes set in route replies cannot be modified. Ariadne [11] obtains end-to-end authentication with a one-way hash chain and MAC authentication. ARAN [12] relies on public key certificates to provide hop-by-hop authentication. SEAD [13] uses elements of a one-way hash chain to authenticate both the sequence number and the metric in each routing table entry.

Zhang and Lee described a distributed and cooperative intrusion detection model [14]. In this model, an IDS agent runs at each mobile node and performs local data collection and local detection, whereas cooperative detection and a global intrusion response can be triggered when a node reports an anomaly. The main contribution of that article is a distributed and cooperative intrusion detection architecture based on statistical anomaly detection techniques; however, the design of the actual detection techniques, their performance, and their verification were not addressed. Zhang and Lee described some experiments and performance results in Ref. [15]. Oleg Kachirski and Ratan Guha proposed a distributed intrusion detection system based on mobile agent technology [16]. In contrast to the above architecture, the agents in [16] do not run on every node, and their number can be dynamically increased and decreased according to the resources of the network. The architecture aims to minimize the cost of network monitoring while maintaining a monolithic IDS system.


R. S. Puttini et al. proposed a distributed and modular architecture for IDS [17], with a signature-based approach for detecting two types of intrusion. Such an architecture may not detect unknown attacks. Yi-an Huang and Wenke Lee addressed a cooperative intrusion detection system for ad hoc networks [18]. In that article, a set of rules is presented to identify the type of attack or the misbehaving nodes, but the authors ignored modification attacks.

Bo Sun et al. presented an intrusion detection agent model that uses a Markov chain-based anomaly detection algorithm to construct the local detection engine [19]. P. Albers et al. presented a general agent-based intrusion detection architecture [20]. In that architecture, the agents use simple network management protocol (SNMP) data located in management information bases (MIBs) as the audit source. S. Bhargava and D. P. Agrawal presented an intrusion detection and intrusion response model for ad hoc networks [21]. Wang Weichao et al. presented the detection of false destination sequence numbers carried in RREQ packets [22]. Subhadrabandhu D. presented a framework for misuse detection, which includes two approximation algorithms that approximate the optimal solution within a constant factor, and proved that they attain the best possible approximation ratios [23]. Chinyang Henry Tseng proposed a specification-based intrusion detection model for ad hoc routing protocols in which network nodes are monitored for operations that violate their intended behaviour [24].

3. Background

3.1 Overview of DSR

Dynamic source routing (DSR) [25] is an entirely on-demand ad hoc network routing protocol composed of two parts: route discovery and route maintenance. In DSR, whenever a node needs to send a packet to some destination for which it does not currently have a route in its route cache, the node initiates route discovery to find one. The initiator broadcasts a ROUTE REQUEST packet to its neighbours, specifying the target and a unique request identifier chosen by the initiator. Each node that receives the ROUTE REQUEST discards it if it has recently seen this request identifier from this initiator. Otherwise, it appends its own address to the address list in the REQUEST and rebroadcasts the REQUEST. When the ROUTE REQUEST reaches its target node, the target sends a ROUTE REPLY back to the initiator of the REQUEST, including a copy of the accumulated list of addresses from the REQUEST. When the REPLY reaches the initiator of the REQUEST, it caches the new route in its route cache. An intermediate node may also send a ROUTE REPLY if it already has a route to the destination in its cache.

Route maintenance is the mechanism by which a node sending a packet along a specified route to some destination detects whether that route has broken. Each node along the route is responsible for confirming that the packet has been received by the next hop. If, after a limited number of local retransmissions of the packet, a node in the route is unable to obtain this confirmation, it returns a ROUTE ERROR to the original source of the packet, identifying the link from itself to the next node as broken. The sender then removes this broken link from its route cache; for subsequent packets to this destination, the sender may use any other route to that destination in its cache, or it may attempt a new route discovery for that target if necessary.

3.2 Timed automata

Timed automata [26] were introduced as a formal notation for modelling the behaviour of real-time systems. A timed automaton is a finite automaton augmented with a finite set of clocks. The vertices of the automaton are called locations and the edges are called switches. While switches are instantaneous, time can elapse in a location. A clock can be reset to zero simultaneously with any switch. At any instant, the reading of a clock equals the time elapsed since the last time it was reset. With each switch we associate a clock constraint and require that the switch may be taken only if the current values of the clocks satisfy this constraint. Timed automata accept timed words, that is, strings of symbols tagged with occurrence times.

3.3 Vulnerabilities and attacks for DSR

3.3.1 Modification attack

DSR does not address security concerns, so it allows intruders to easily launch various types of attacks by modifying the route information. In DSR, critical fields such as the source address, the destination address, and the address list are very important, and any misuse of these fields can cause DSR to malfunction. An intruder may use the following ways to attack DSR.

When forwarding a packet, the attacker can insert, delete, and modify entries in the address list. Malicious nodes can cause redirection of network traffic and denial of service by altering control message fields or by forwarding routing messages with falsified values.

For example, consider five nodes A, B, C, D, and E, where A is the origination node and E is the destination. Figure 1 illustrates the normal process when nodes receive and forward route packets. The upper line shows the processing of the ROUTE REQUEST, and the letters indicate the address list in the ROUTE REQUEST: when a node receives the ROUTE REQUEST, it appends its own address to the address list in the REQUEST and rebroadcasts the REQUEST. The lower line shows the processing of the ROUTE REPLY, and the letters indicate the address list in the ROUTE REPLY.

Fig. 1 The address list of the packet when forwarding the ROUTE REQUEST and returning the ROUTE REPLY

Figure 2 illustrates an example of a modification attack. Node C is an attacker. When node C receives the ROUTE REPLY, it deletes the address of node D from the address list. As a result, origination node A sets up the erroneous path "ABCE" when it receives the ROUTE REPLY. When A sends packets along this path, they cannot reach the destination, because C has no link to E and the packets would have to be forwarded by node D. The modification thus results in denial of service. Similarly, the attacker may alter the address list when it forwards a ROUTE REQUEST or data packets. In addition, the attacker may modify the source address or destination address of a packet when it forwards it.

Fig. 2 Altering address list of ROUTE REPLY
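The route discovery of Section 3.1 and the address-list modification of Fig. 2, as an added example in Python that is not part of the paper. The chain topology A-B-C-D-E, the request identifier, and the helper names (dsr_route_discovery, route_reply, first_broken_hop, attacker_c_deletes_d) are constructed for illustration; replies from an intermediate node's route cache are left out of the model.

```python
"""Added example, not code from the paper: a minimal model of DSR route discovery
(Section 3.1) on the five-node chain A-B-C-D-E of Fig. 1, and the Fig. 2
modification attack in which node C deletes D from the address list of the
ROUTE REPLY it forwards.  Topology, node names and request id are constructed."""
from collections import deque

# Constructed topology: each node hears only its chain neighbours.
LINKS = {"A": {"B"}, "B": {"A", "C"}, "C": {"B", "D"}, "D": {"C", "E"}, "E": {"D"}}


def no_tamper(node, kind, addr_list):
    """Honest behaviour: a node forwards the address list unchanged."""
    return addr_list


def attacker_c_deletes_d(node, kind, addr_list):
    """Fig. 2: when C forwards the ROUTE REPLY it removes D from the address list."""
    if node == "C" and kind == "RREP":
        return [a for a in addr_list if a != "D"]
    return addr_list


def dsr_route_discovery(links, initiator, target, tamper=no_tamper, req_id=1):
    """Flood a ROUTE REQUEST from `initiator`; return the route the initiator
    caches from the ROUTE REPLY, or None if the target is unreachable.
    `tamper(node, kind, addr_list)` is applied whenever `node` forwards a
    packet of `kind` ("RREQ" or "RREP"); honest nodes leave the list alone."""
    seen = {(initiator, initiator, req_id)}     # (node, initiator, id) already processed
    queue = deque([(initiator, [])])            # (current holder, accumulated address list)
    while queue:
        holder, addr_list = queue.popleft()
        for nbr in sorted(links[holder]):       # the broadcast reaches every neighbour
            if (nbr, initiator, req_id) in seen:
                continue                        # duplicate REQUEST: discarded
            seen.add((nbr, initiator, req_id))
            if nbr == target:
                # The target answers with a REPLY carrying the accumulated list.
                return route_reply([initiator] + addr_list + [target], tamper)
            # An intermediate node appends its own address and rebroadcasts.
            queue.append((nbr, tamper(nbr, "RREQ", addr_list + [nbr])))
    return None


def route_reply(route, tamper):
    """The ROUTE REPLY is unicast back along the reversed route; every
    intermediate hop gets a chance to rewrite the address list."""
    addr_list = list(route)
    for hop in reversed(route[1:-1]):
        addr_list = tamper(hop, "RREP", addr_list)
    return addr_list


def first_broken_hop(links, route):
    """Source-route a DATA packet along `route`; return the node at which it
    strands because the next hop is not a neighbour, or None if delivered."""
    for cur, nxt in zip(route, route[1:]):
        if nxt not in links[cur]:
            return cur
    return None


if __name__ == "__main__":
    honest = dsr_route_discovery(LINKS, "A", "E")
    attacked = dsr_route_discovery(LINKS, "A", "E", tamper=attacker_c_deletes_d)
    print("honest route:  ", "".join(honest), "broken at", first_broken_hop(LINKS, honest))
    print("attacked route:", "".join(attacked), "broken at", first_broken_hop(LINKS, attacked))
```

With the honest tamper function the initiator caches ABCDE and the data packet is delivered; with C deleting D the cached route is ABCE and the packet strands at C, which is the denial of service described above.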

3.3.2 Drop attack

If a malicious node joins a network or a legitimate node is compromised, it can silently drop some or all of the data packets sent to it for forwarding. We call this a drop attack. A malicious packet drop attack is a serious threat to the routing infrastructure of mobile ad hoc networks, as it is easy to launch and difficult to detect. Especially under the dynamic topology of mobile ad hoc networks, it is difficult to distinguish malicious packet dropping from a broken link.

3.3.3 Impersonation attack

An impersonation attack occurs when a node misrepresents its identity in the network, for example by altering its IP address in outgoing packets, and it is readily combined with modification attacks. For instance, attacker C can send a large number of attack packets to node E while impersonating node A in Fig. 1: C fills the originator address of each attack packet with the address of A. When node E receives the attack packets, it concludes that the attacker is node A. C not only succeeds in attacking the victim but also hides its own malicious activity.

3.3.4 Fabrication attack

The generation of false routing messages is classified as a fabrication attack. Such attacks can be difficult to verify as invalid constructs, especially in the case of fabricated error messages that claim a neighbour cannot be contacted.

DSR performs route maintenance to recover broken paths when nodes move. If the source node moves and the route is still needed, route discovery is reinitiated. If the destination node or an intermediate node along an active path moves, the node upstream of the link break sends a ROUTE ERROR to all active upstream neighbours. The node also invalidates the route for this destination in its route cache. The vulnerability is that routing attacks can be launched by sending fabricated ROUTE ERROR messages. Suppose node A has a route to node E via nodes B, C, and D, as shown in Fig. 1. The malicious node C can launch a denial-of-service attack against E by continually sending ROUTE ERROR messages while spoofing node D, indicating a broken link between nodes D and E. B receives the spoofed ROUTE ERROR and believes that it came from D. B deletes its route entry and forwards the ROUTE ERROR message on to A, which also deletes its route entry. The attacker thus succeeds in cutting off the path between A and E by fabricating the ROUTE ERROR.

4. Intrusion detection for DSR

4.1 Algorithm of voting monitor

The battery power, CPU, and memory of nodes are limited, and it is not efficient to make every node a monitor node. Instead, we select some nodes as monitors of the entire network to save network resources. A network monitor is a node that monitors the behaviour of the nodes within its monitor zone. The monitor zone is the 1-hop vicinity of the monitor.

The process of electing a monitor should guarantee fairness and randomness. By fairness we mean that every node should have a fair chance to serve as monitor. Note that fairness has two components: fair election and equal service time. We currently do not consider differentiated capability and preference, and assume that every node is equally eligible. Thus fair election implies randomness in the election decision, while equal service time can be implemented by periodic fair re-election. The randomness of the election process also provides security. When a monitor node is compromised, it may not carry out the normal monitoring function and may launch attacks without being detected, because it is the only node in the zone that is supposed to run the IDS, and its IDS may already have been disabled. But after a service period, another node is selected as monitor, and at that time the intrusion will be found by the honest monitor node.

The algorithm is composed of two parts, a selection phase and a maintenance phase. In the selection phase, the monitor is selected by competition. At first there is no monitor in the network. After a period, any node may broadcast the packet "I am a monitor" and thereby become a monitor. The packet is not forwarded. Any node that receives the announcement becomes a monitored node and may not broadcast the announcement itself. When a monitor has been selected, the selection phase is finished and the maintenance phase begins. In the maintenance phase, the monitor broadcasts the announcement periodically to keep its monitor role. After a period, the monitor terminates its monitoring work and a new selection phase begins. To ensure fairness and randomness of selection, the predecessor does not take part in the selection, unless it is the only node in the entire zone.

Monitors or nodes may move out of the zone because of the dynamic topology. If a node does not receive the announcement packet within the expected time, it can start the selection process and declare that it is a monitor. Figure 3 shows monitors and their monitor zones. When two monitors move next to each other for an extended period of time, the one whose ID is bigger loses its role as monitor. To this end, whenever a monitor hears announcement messages from another monitor, it sets a timer. When the timer expires, it checks whether it is still in contention with the other monitor, by checking whether that monitor is still in its neighbourhood. If so, it compares its own ID with that of the other monitor. The one with the smaller ID continues to act as monitor; the one with the bigger ID gives up its role.

Fig. 3 Monitor and its monitor zone
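The election algorithm of Section 4.1 (selection phase, maintenance phase, predecessor exclusion and ID-based contention), as an added discrete-time simulation that is not the paper's code. The tick-based timing, the four constants, the node IDs and the two topologies (a single zone, and two zones that merge to model monitors moving next to each other) are all constructed; the random visiting order of candidates stands in for whichever node's announcement happens to go out first.

```python
"""Added example, not code from the paper: a discrete-time simulation of the
monitor election of Section 4.1.  A monitor announces "I am a monitor" to its
1-hop zone every ANNOUNCE_PERIOD ticks (the announcement is never forwarded);
a node that hears no monitor for ANNOUNCE_TIMEOUT ticks competes for the role;
a monitor steps down after SERVICE_PERIOD ticks and, as predecessor, sits out
the next selection unless it is alone in its zone; two monitors that stay in
range for CONTENTION_WAIT ticks are resolved in favour of the smaller ID.
Constants, node IDs and topologies are constructed for illustration."""
import random

ANNOUNCE_PERIOD = 2
ANNOUNCE_TIMEOUT = 5
SERVICE_PERIOD = 20
CONTENTION_WAIT = 3


class Node:
    def __init__(self, nid):
        self.id = nid
        self.monitor = False
        self.since = 0             # tick at which this node last became monitor
        self.last_heard = 0        # tick at which it last heard another monitor announce
        self.predecessor = False   # stepped down most recently: sits out one selection
        self.rival = None          # smallest rival monitor ID heard, while a check is pending
        self.rival_check = 0       # tick at which the contention check fires


def simulate(adjacency, ticks, seed=0):
    """adjacency: dict node -> set of 1-hop neighbours, or a callable tick -> dict
    to model mobility.  Returns (starts, yields): (tick, id) pairs for every node
    that took the role, and for every monitor that yielded it to a smaller ID."""
    rng = random.Random(seed)
    adj = adjacency(1) if callable(adjacency) else adjacency
    nodes = {nid: Node(nid) for nid in adj}
    starts, yields = [], []
    for t in range(1, ticks + 1):
        adj = adjacency(t) if callable(adjacency) else adjacency
        monitors = [n for n in nodes.values() if n.monitor]
        heard = {nid: [] for nid in nodes}
        # Maintenance phase: each monitor periodically re-announces to its zone.
        for m in monitors:
            if (t - m.since) % ANNOUNCE_PERIOD == 0:
                for nid in adj[m.id]:
                    heard[nid].append(m.id)
        for nid, announcers in heard.items():
            if announcers:
                nodes[nid].last_heard = t
                nodes[nid].predecessor = False      # someone else now holds the role
        # Contention: on hearing a rival, wait CONTENTION_WAIT ticks, then re-check.
        for m in monitors:
            rivals = [r for r in heard[m.id] if nodes[r].monitor]
            if rivals and m.rival is None:
                m.rival, m.rival_check = min(rivals), t + CONTENTION_WAIT
            elif m.rival is not None and t >= m.rival_check:
                r = nodes[m.rival]
                if r.monitor and m.rival in adj[m.id] and m.rival < m.id:
                    m.monitor = False               # the bigger ID gives up its role
                    yields.append((t, m.id))
                m.rival = None
        # End of service: the monitor steps down and becomes the predecessor.
        for m in monitors:
            if m.monitor and t - m.since >= SERVICE_PERIOD:
                m.monitor, m.predecessor = False, True
        # Selection phase: nodes that heard no monitor for ANNOUNCE_TIMEOUT compete.
        candidates = [n for n in nodes.values()
                      if not n.monitor and t - n.last_heard >= ANNOUNCE_TIMEOUT
                      and (not n.predecessor or not adj[n.id])]
        rng.shuffle(candidates)                     # whose announcement goes out first
        for c in candidates:
            if c.last_heard == t:                   # a neighbour already won this tick
                continue
            c.monitor, c.since, c.predecessor, c.rival = True, t, False, None
            starts.append((t, c.id))
            for nid in adj[c.id]:                   # its neighbours become monitored nodes
                nodes[nid].last_heard = t
                nodes[nid].predecessor = False
    return starts, yields


def full_mesh(ids):
    """Every node is within 1 hop of every other: a single monitor zone."""
    return {i: set(ids) - {i} for i in ids}


def merging_zones(t):
    """Two separate zones {1, 3} and {2, 4} until tick 40, then one merged zone."""
    if t < 40:
        return {1: {3}, 3: {1}, 2: {4}, 4: {2}}
    return full_mesh([1, 2, 3, 4])


if __name__ == "__main__":
    print("single zone   :", simulate(full_mesh([1, 2, 3, 4]), 100))
    print("merging zones :", simulate(merging_zones, 100))
```

In the single zone a new monitor is elected at ticks 5, 30, 55 and 80 and no two consecutive monitors are the same node, because the predecessor is excluded. In the merging scenario each zone elects its own monitor; once the zones merge at tick 40 the two monitors hear each other, and after the contention wait the one with the bigger ID yields, after which a single election cycle continues.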

4.2 Timed automata for DSR

A monitor employs timed automata to detect incorrect behaviour in a node. It maintains a timed automaton for each data flow at each node. In DSR, a node can receive and forward four types of packet, namely ROUTE REQUEST, ROUTE REPLY, ROUTE ERROR, and DATA. We first address how to deal with the case in which the node receives one of these four packets.

Figure 4 shows the constraints of the timed automata. The start state is S1. When the node receives a packet, the automaton goes to state S2. If the packet is a ROUTE REQUEST, the automaton goes to state S3 and clock t1 is reset to 0. We set a specified time T1 and consider that the node has discarded the packet if it neither forwards nor replies to it within T1. If it is the target of the ROUTE REQUEST, the node returns a ROUTE REPLY to the initiator of the ROUTE REQUEST within T1; the automaton goes to state S4 and checks the ROUTE REPLY packet against the routing protocol. If some fields of the ROUTE REPLY have been maliciously modified, the automaton goes to state Alarm1 and raises a modification alarm; otherwise it goes to the terminal state S7. If the node has recently seen the same ROUTE REQUEST, it discards the packet and the automaton goes to the terminal state S7. If the node forwards the ROUTE REQUEST within T1, the automaton goes to state S5 and checks the forwarded packet against the routing protocol. If some fields of the ROUTE REQUEST have been maliciously modified, the automaton goes to state Alarm1 and raises a modification alarm; otherwise it goes to the terminal state S7. If the packet has not been forwarded after the specified time T1, the monitor inquires of its neighbours and the automaton goes to state S6; at the same time, clock t2 is reset to 0. Sometimes the node may have moved out of the monitor's zone, so that the monitor cannot hear that it has forwarded the packet. Therefore the monitor asks neighbouring monitors whether the node has forwarded the packet. If a neighbour has received the packet, it sends it to the monitor for comparison. We set a specified time T2 and consider that the neighbouring nodes have received the packet if some neighbour answers the inquiry within T2. If t2 > T2 and no neighbour has answered, no neighbour has received the packet; the automaton goes to state Alarm2 and raises a packet drop alarm. If a neighbour answers the inquiry within T2, the automaton goes to state S8. Then, if the relayed packet is a ROUTE REPLY, the automaton goes to state S4; otherwise it goes to state S5.

Fig. 4 The timed automata when a packet is received

We use the same automaton process for the other three kinds of packet, i.e. ROUTE REPLY, ROUTE ERROR, and DATA, as they are handled in the same way. The start state is S1. When the node receives a packet, the automaton goes to state S2. If the packet is one of these three, the automaton goes to state S9 and clock t1 is reset to 0. If the node is the destination of the packet, the automaton goes to the terminal state S12. If the node forwards the packet within T1, the automaton goes to state S10 and checks the forwarded packet against the routing protocol. If some fields of the packet have been maliciously modified, the automaton goes to state Alarm1 and raises a modification alarm; otherwise it goes to the terminal state S12. When the node does not forward the packet within the period T1, the monitor inquires of its neighbouring monitors; the automaton goes to state S11 and clock t2 is reset to 0. If some neighbour received the packet, it sends it to the monitor for comparison within T2. Otherwise, if no neighbour answers the inquiry within T2, the automaton goes to state Alarm2.
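The timed automata of Section 3.2 and the receive-side automaton of Fig. 4 for a ROUTE REQUEST, as an added example that is not the paper's code. A small engine implements locations, switches guarded by clock constraints and clock resets, and consumes a timed word; on top of it the Fig. 4 states S1 to S8, Alarm1 and Alarm2 are encoded. The bounds T1 and T2, the event names (recv, rreq, dup, fwd, reply, nbr_answer, ok, modified), the packet fields and the observations fed in are all constructed; timeout switches are taken as soon as the clock strictly exceeds the bound, so an event arriving exactly at the bound still counts as "within".

```python
"""Added example, not code from the paper: a timed-automaton engine in the sense
of Section 3.2 and, on top of it, the receive-side automaton of Fig. 4 for a
ROUTE REQUEST (Section 4.2).  Bounds, event names, packet fields and the
observations are constructed for illustration."""
from dataclasses import dataclass

T1, T2 = 2.0, 3.0   # constructed bounds for clocks t1 (forward/reply) and t2 (neighbour answer)


@dataclass(frozen=True)
class Switch:
    src: str
    event: str          # "" marks a timeout switch, taken as soon as clock > bound
    dst: str
    clock: str = ""     # clock read by the guard ("" = no clock constraint)
    bound: float = 0.0  # event switch: clock <= bound; timeout switch: clock > bound
    reset: tuple = ()   # clocks reset to zero when the switch is taken


class TimedAutomaton:
    def __init__(self, start, switches):
        self.start, self.switches = start, switches

    def _timeouts(self, loc, reset_at, now, trace):
        """Take every timeout switch whose clock passes its bound strictly before `now`."""
        while True:
            for sw in self.switches:
                fire = reset_at.get(sw.clock, 0.0) + sw.bound
                if sw.src == loc and sw.event == "" and fire < now:
                    loc = sw.dst
                    for c in sw.reset:
                        reset_at[c] = fire
                    trace.append((fire, loc))
                    break
            else:
                return loc

    def run(self, word, end_time):
        """Run on a chronological timed word [(time, symbol), ...], then let time
        elapse to `end_time`.  Returns the trace [(time, location), ...].  A symbol
        with no enabled switch is ignored (e.g. a forward heard after Alarm2)."""
        loc, reset_at, trace = self.start, {}, [(0.0, self.start)]
        for now, sym in word:
            loc = self._timeouts(loc, reset_at, now, trace)
            for sw in self.switches:
                if sw.src == loc and sw.event == sym and (
                        sw.clock == "" or now - reset_at.get(sw.clock, 0.0) <= sw.bound):
                    loc = sw.dst
                    for c in sw.reset:
                        reset_at[c] = now
                    trace.append((now, loc))
                    break
        self._timeouts(loc, reset_at, end_time, trace)
        return trace


# Fig. 4 for a ROUTE REQUEST; all clocks start at 0 when the automaton is created.
RREQ_MONITOR = TimedAutomaton("S1", [
    Switch("S1", "recv", "S2"),
    Switch("S2", "rreq", "S3", reset=("t1",)),
    Switch("S3", "dup", "S7"),                           # seen before: discarding is correct
    Switch("S3", "reply", "S4", clock="t1", bound=T1),   # target answered within T1
    Switch("S3", "fwd", "S5", clock="t1", bound=T1),     # rebroadcast within T1
    Switch("S3", "", "S6", clock="t1", bound=T1, reset=("t2",)),   # t1 > T1: ask neighbours
    Switch("S6", "nbr_answer", "S8", clock="t2", bound=T2),
    Switch("S6", "", "Alarm2", clock="t2", bound=T2),    # t2 > T2 and nobody heard it: drop
    Switch("S8", "reply", "S4"), Switch("S8", "fwd", "S5"),
    Switch("S4", "ok", "S7"), Switch("S4", "modified", "Alarm1"),
    Switch("S5", "ok", "S7"), Switch("S5", "modified", "Alarm1"),
])


def verdict(node, received, pkt):
    """Check a forwarded REQUEST or a REPLY against the DSR rules of Section 3.1."""
    if pkt["kind"] == "reply":
        ok = pkt.get("route") == [received["init"]] + received["addrs"] + [received["target"]]
    else:
        ok = pkt.get("addrs") == received["addrs"] + [node]
    return "ok" if ok else "modified"


def monitor_rreq(node, observations, end_time=60.0):
    """Translate what the monitor overhears about one ROUTE REQUEST at `node` into a
    timed word and run RREQ_MONITOR on it.  observations: (time, kind, pkt) with kind
    recv / dup / fwd / reply / nbr_answer (pkt = the copy a neighbour relayed).
    Returns the final location: S7, Alarm1 or Alarm2."""
    received, word = None, []
    for t, kind, pkt in observations:
        if kind == "recv":
            received = pkt
            word += [(t, "recv"), (t, "rreq")]
        elif kind == "dup":
            word.append((t, "dup"))
        else:                                   # fwd, reply, or a neighbour's relayed copy
            if kind == "nbr_answer":
                word.append((t, "nbr_answer"))
            word += [(t, pkt["kind"]), (t, verdict(node, received, pkt))]
    return RREQ_MONITOR.run(word, end_time)[-1][1]


if __name__ == "__main__":
    rreq = {"kind": "rreq", "init": "A", "target": "E", "id": 1, "addrs": ["B"]}
    cases = {
        "honest forward":    [(10.0, "recv", rreq), (11.0, "fwd", {"kind": "fwd", "addrs": ["B", "C"]})],
        "inserted address":  [(10.0, "recv", rreq), (11.0, "fwd", {"kind": "fwd", "addrs": ["B", "X", "C"]})],
        "silently dropped":  [(10.0, "recv", rreq)],
        "moved out of zone": [(10.0, "recv", rreq), (14.0, "nbr_answer", {"kind": "fwd", "addrs": ["B", "C"]})],
    }
    for name, obs in cases.items():
        print(f"{name:18s} -> {monitor_rreq('C', obs)}")
```

The monitor layer, not the automaton, decides whether a forwarded or relayed packet is correct; the automaton only consumes the ok / modified symbol, which keeps the timing behaviour (T1 for the node's own reaction, T2 for the neighbours' answer) separate from the protocol rules being checked.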

Figure 4 shows the process when a node receives a packet. Figure 5 illustrates the process when a node sends a packet that the monitor did not hear it receive; otherwise the process is as shown in Fig. 4. The start state is S1. When the monitor observes that the monitored node sends a packet, the automaton goes to state S2. Then, if the packet is an originated packet, the automaton goes to state S4. The monitor compares the source address of the packet with the address of the node that sent the packet. If the two addresses match, the automaton goes to the terminal state; otherwise it goes to state Alarm3 and raises an impersonation alarm. Alarm3 implies that the node is impersonating another node by misrepresenting its identity. If the packet is a forwarded packet, the automaton goes to state S3 and clock t3 is reset to 0. S3 indicates that the packet claims to have been received before, but the monitor has not heard it being received. Therefore, if one of the neighbouring monitors inquires about the packet, we can infer that the packet was indeed received and forwarded; the monitor sends the packet information to the neighbour and the automaton goes to the terminal state. If the monitor receives no inquiry within a specified time T3, it inquires of its neighbours about the packet. If some neighbour received the packet, it answers the monitor within T2 and the automaton goes to the terminal state. If no neighbour answers within the specified time T2, no neighbour ever received the packet; the automaton goes to Alarm4, since the node may have fabricated the packet.

Fig. 5 The timed automata when a node sends a packet
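The send-side checks of Fig. 5 (Alarm3 for impersonation, Alarm4 for fabrication), as an added example that is not the paper's code. The bounds T2 and T3, the packet fields (id, src, hops_done), the event kinds (tx, nbr_inquiry, nbr_answer) and the timeline are constructed; in particular, whether a packet is originated or forwarded is read from a constructed hops_done field (0 meaning originated), which the paper does not specify.

```python
"""Added example, not code from the paper: the send-side checks of Fig. 5
(Section 4.2) for packets a monitored node transmits without the monitor having
heard it receive them.  An originated packet whose source address differs from
the transmitting node raises Alarm3 (impersonation); a packet that claims to be
forwarded, about which no neighbouring monitor inquires within T3 and which no
neighbour confirms within T2 after the monitor asks, raises Alarm4 (fabrication).
Bounds, packet fields, event kinds and the timeline are constructed."""

T2, T3 = 3.0, 2.0    # constructed bounds for clocks t2 (neighbour answer) and t3 (neighbour inquiry)


def run_send_monitor(events, end_time):
    """events: chronological (time, kind, data) tuples with kind
      "tx"          data = (transmitter, packet): the monitor hears `transmitter` send `packet`
      "nbr_inquiry" data = packet id: a neighbouring monitor asks about the packet
      "nbr_answer"  data = packet id: a neighbour confirms it saw the packet
    Returns [(time, outcome, packet id)] with outcome ok / Alarm3 / Alarm4."""
    pending = {}    # packet id -> {"since": t3 reset time, "asked": time the monitor inquired}
    results = []

    def elapse(now):
        """Fire the Fig. 5 timeouts that fall strictly before `now`."""
        for pid, st in list(pending.items()):
            if st["asked"] is None and now > st["since"] + T3:
                st["asked"] = st["since"] + T3       # t3 > T3: the monitor inquires, t2 restarts
            if st["asked"] is not None and now > st["asked"] + T2:
                results.append((st["asked"] + T2, "Alarm4", pid))   # nobody ever received it
                del pending[pid]

    for t, kind, data in events:
        elapse(t)
        if kind == "tx":
            transmitter, pkt = data
            if pkt["hops_done"] == 0:                # originated packet: the S4 address check
                outcome = "ok" if pkt["src"] == transmitter else "Alarm3"
                results.append((t, outcome, pkt["id"]))
            else:                                    # claims to be forwarded: S3, reset t3
                pending[pkt["id"]] = {"since": t, "asked": None}
        elif kind in ("nbr_inquiry", "nbr_answer") and data in pending:
            # A neighbour saw the packet upstream, so it really was received and forwarded.
            del pending[data]
            results.append((t, "ok", data))
    elapse(end_time)
    return results


def outcomes(results):
    """Map packet id -> outcome for easy inspection."""
    return {pid: outcome for _, outcome, pid in results}


# Constructed timeline on the Fig. 1 nodes; C is the attacker in packets 1 and 3.
SAMPLE_TIMELINE = [
    (5.0, "tx", ("C", {"id": 1, "src": "A", "hops_done": 0})),   # C originates a packet as A
    (5.0, "tx", ("B", {"id": 2, "src": "B", "hops_done": 0})),   # B originates honestly
    (5.0, "tx", ("C", {"id": 3, "src": "A", "hops_done": 2})),   # C "forwards" a packet nobody sent
    (5.0, "tx", ("D", {"id": 4, "src": "A", "hops_done": 3})),   # D forwards, received out of hearing
    (5.0, "tx", ("D", {"id": 5, "src": "A", "hops_done": 3})),
    (5.0, "tx", ("D", {"id": 6, "src": "A", "hops_done": 3})),
    (6.0, "nbr_inquiry", 4),     # a neighbouring monitor asks about 4 within T3
    (9.0, "nbr_answer", 5),      # a neighbour confirms 5 within T2 of the inquiry at 7.0
    (11.0, "nbr_answer", 6),     # too late: Alarm4 for 6 already fired at 10.0
]

if __name__ == "__main__":
    for entry in run_send_monitor(SAMPLE_TIMELINE, end_time=60.0):
        print(entry)
```

Packets 1 and 3 are both sent by C with A as source; the first is caught immediately by the address comparison, while the second needs the neighbour round trip (T3 then T2), which is why the paper expects impersonation to be detected faster and more reliably than fabrication.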

5. Experimental results

To study the feasibility of our intrusion detection approach, we implemented intrusion detection in a network simulator and conducted a series of experiments to evaluate its effectiveness. We use the wireless network simulation components of the network simulator ns-2, which include simulation of wireless ad hoc network infrastructure, popular wireless ad hoc routing protocols (DSR, DSDV, AODV, and others), and a mobility scenario and traffic pattern generator.

Our simulations are based on a 1500 m by 300 m flat space with 50 wireless nodes scattered over it. The nodes move from a random starting point to a random destination at a randomly chosen speed, uniformly distributed between 0 and 20 m/s. When the destination is reached, another random destination is chosen after a pause time. The MAC layer used in the simulations is IEEE 802.11, which is included in ns-2. The transport protocol is the user datagram protocol (UDP). Each data packet is 512 bytes long. The traffic files are generated such that the source and destination pairs are randomly spread over the entire network; the number of sources is 10. The scenario files determine the mobility of the nodes; the mobility model is the random waypoint model in a rectangular field. The duration of each simulation is 900 s.

The simulations were performed with malicious nodes created in the network and the DSR protocol integrated with our intrusion detection model. Following the analysis of Section 3.3, we simulate four types of attack. Attack 1 is illegal modification, in which the intruder illegally inserts, deletes, and modifies the address list when it forwards a packet. Attack 2 is packet dropping, in which the intruder only receives packets and does not forward any. Attack 3 is impersonation, in which the intruder impersonates another node to send packets such as ROUTE REQUEST, ROUTE REPLY, and ROUTE ERROR. Attack 4 is fabrication, in which the intruder forges packets that were not sent by the initiator. Table 1 shows the detection rates and false alarm rates. The detection rate of attack 3 is the highest. The main reason may be that the monitor directly compares the source address of the packet with the address of the node that sent it, and does not require information from other monitors. The detection rate of attack 2 is the lowest. The main reason may be that the monitor has to obtain information from the other monitors before it makes a judgment. From the simulation results, we conclude that this approach can detect intrusions efficiently with a low false alarm rate.

Table 1 Detection performance (%)

Attack type    Detection rate    False alarm rate
Attack 1       91.3              2.9
Attack 2       83.7              5.7
Attack 3       97.4              1.3
Attack 4       88.5              7.2

6. Conclusions

We propose a timed automata-based intrusion detection system that can detect attacks on DSR. In the system, we first propose an algorithm for selecting monitors for the distributed monitoring of all nodes in the network. Second, we manually abstract the correct behaviours of a node according to DSR and compose the timed automata of node behaviour. Intrusions, which usually cause a node to behave incorrectly, can be detected without training data or signatures. Meanwhile, our IDS can detect unknown intrusions with few false alarms.


Yi Ping was born in 1969. He received the B. S. degree in computer science and engineering from the PLA University of Science and Technology, Nanjing, in 1991. He received the M. S. degree in computer science from Tongji University, Shanghai, in 2003. He received the Ph. D. degree in computing and information technology from Fudan University, China, in 2005. Now he is an associate professor. His research interests include mobile computing and ad hoc network security. E-mail: [email protected]