Misuse Detection and Prevention in Ad-hoc Networks
Authors
Abstract
Generally, a computer using a wireless network communicates with other computers through a base station. The base station transmits and receives packets wirelessly, but also connects to a landline and a wired network (i.e., the Internet). However, there are situations where a base station does not exist, but users still wish to transmit to other computers. Such situations include Native American reservations, underdeveloped nations and mobile warfare scenarios: there are users with wireless connections, but no wired network infrastructure, and base station installations and an underlying wired network would be too costly. The solution in these situations is ad-hoc networking. Each wireless computer has a transmission range. If a source wants to transmit information to a destination computer that is not within range, it uses its neighbors to relay the message. Unfortunately, this type of networking introduces new security issues. In a wired scenario with base stations, all traffic will pass through a relatively small number of points, and security monitoring for various attacks can be done at these points. In ad hoc networks, these points do not exist, so a new system must be developed. In this project, we consider two separate types of systems, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). An IDS raises alerts whenever bad traffic is discovered. Bad traffic is any packet that, when received and processed by the destination, might be harmful to a system. An IPS actively drops bad traffic when it is discovered. In both systems, the goal is to use the fewest resources while still guaranteeing that all traffic will be analyzed. In IDS, this means all bad packets should be detected. In IPS, this means all bad packets should be dropped. IDS systems take advantage of the promiscuous mode of operation in wireless, because a node can listen to all the transmissions in its range.
To minimize resource consumption, the goal of IDS becomes running the system on the fewest nodes possible while still guaranteeing complete coverage, that is, guaranteeing that the transmission of each node will be heard by at least one node running detection software. We consider a simple dominating set (DS) node selection algorithm and compare it to a naïve algorithm (RP) in which each node activates its detection software with a certain probability. In this project, the DS algorithm is proven to guarantee complete coverage, is implemented, and is compared to an implementation of RP. Promiscuous mode allows a node to listen to all traffic in range, but this is not as beneficial to an IPS, because the nodes must be able to stop a bad packet's transmission after it is detected. The node must therefore be able to control the packet's transmission in some way. One way to solve this problem is to have the scanning node tell the transmitting node not to send a bad packet after it is detected, but this would mean that nodes have to hold each packet until receiving a response from an IPS-active neighbor, which is basically unfeasible. So, for a bad packet to feasibly be dropped, one node along its path must be running IPS to drop the packet. The goal of IPS therefore becomes scanning each packet once along the path. We consider four different modes of operation: first hop, last hop, both first and last hop, and a randomly placed hop anywhere along the path.
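The coverage comparison described in the abstract, as an added example that is not code from the paper: it selects IDS monitor nodes with a greedy dominating-set heuristic and with independent random activation, then counts nodes whose transmissions no monitor would hear. The greedy heuristic, the unit-disk topology and all parameters are assumptions, since the abstract does not specify the DS algorithm or the test networks.

```python
import random
from itertools import combinations

def unit_disk_graph(points, radius):
    """Adjacency sets: two nodes are neighbours if within radio range."""
    adj = {i: set() for i in range(len(points))}
    for i, j in combinations(range(len(points)), 2):
        (x1, y1), (x2, y2) = points[i], points[j]
        if (x1 - x2) ** 2 + (y1 - y2) ** 2 <= radius ** 2:
            adj[i].add(j)
            adj[j].add(i)
    return adj

def uncovered(adj, monitors):
    """Nodes that are not monitors and have no monitor in range to overhear them."""
    heard = set(monitors)
    for m in monitors:
        heard |= adj[m]
    return set(adj) - heard

def greedy_dominating_set(adj):
    """Assumed heuristic: pick the node covering the most uncovered nodes, repeat."""
    remaining, chosen = set(adj), set()
    while remaining:
        best = max(sorted(adj), key=lambda n: len(({n} | adj[n]) & remaining))
        chosen.add(best)
        remaining -= {best} | adj[best]
    return chosen

def random_activation(adj, p, rng):
    """Naive scheme: each node independently enables detection with probability p."""
    return {n for n in adj if rng.random() < p}

def compare(n=40, radius=0.25, p=0.3, trials=200, seed=7):
    rng = random.Random(seed)
    points = [(rng.random(), rng.random()) for _ in range(n)]  # constructed topology
    adj = unit_disk_graph(points, radius)
    ds = greedy_dominating_set(adj)
    gaps = [len(uncovered(adj, random_activation(adj, p, rng))) for _ in range(trials)]
    return {"ds_size": len(ds), "ds_uncovered": len(uncovered(adj, ds)),
            "rp_trials_with_gap": sum(g > 0 for g in gaps),
            "rp_mean_uncovered": sum(gaps) / trials}

if __name__ == "__main__":
    print(compare())
```

The dominating set leaves no node unmonitored by construction, while the random scheme's coverage gaps depend on the activation probability and node density.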
Similar resources
A New Intrusion Detection System to deal with Black Hole Attacks in Mobile Ad Hoc Networks
By extending wireless networks and because of their different nature, some attacks appear in these networks which did not exist in wired networks. Security is a serious challenge for actual implementation in wireless networks. Due to lack of the fixed infrastructure and also because of security holes in routing protocols in mobile ad hoc networks, these networks are not protected against attack...
A Survey of Solutions to Protect Against All Types of Attacks in Mobile Ad Hoc Networks
In recent years mobile networks have expanded dramatically, compared with other wireless networks. Routing protocols in these networks are designed with the assumption that there is no attacker node, so routing protocols are vulnerable to various attacks in these networks. In this paper, we review the network layer attacks and then we simulate the impact of black hole attack on ad hoc on demand...
MHIDCA: Multi Level Hybrid Intrusion Detection and Continuous Authentication for MANET Security
Mobile ad-hoc networks have attracted a great deal of attentions over the past few years. Considering their applications, the security issue has a great significance in them. Security scheme utilization that includes prevention and detection has the worth of consideration. In this paper, a method is presented that includes a multi-level security scheme to identify intrusion by sensors and authe...
ADAPTIVE ORDERED WEIGHTED AVERAGING FOR ANOMALY DETECTION IN CLUSTER-BASED MOBILE AD HOC NETWORKS
In this paper, an anomaly detection method in cluster-based mobile ad hoc networks with ad hoc on demand distance vector (AODV) routing protocol is proposed. In the method, the required features for describing the normal behavior of AODV are defined via step by step analysis of AODV and independent of any attack. In order to learn the normal behavior of AODV, a fuzzy averaging method is used fo...
Proposing A Distributed Model For Intrusion Detection In Mobile Ad-Hoc Network Using Neural Fuzzy Interface
Security term in mobile ad hoc networks has several aspects because of the special specification of these networks. In this paper a distributed architecture was proposed in which each node performed intrusion detection based on its own and its neighbors’ data. Fuzzy-neural interface was used that is the composition of learning ability of neural network and fuzzy Ratiocination of fuzzy system as...
Journal title:
Volume, issue
Pages -
Publication date 2005