An Artificial Immune System for Misbehavior Detection in Mobile Ad-Hoc Networks with Virtual Thymus, Clustering, Danger Signal, and Memory Detectors

Nodes that build a mobile ad-hoc network participate in a common routing protocol in order to provide multi-hop radio communication. Routing defines how control information is exchanged between nodes in order to find the paths between communication pairs, and how data packets are relayed. Such networks are vulnerable to routing misbehavior, due to faulty, selfish or malicious nodes. Misbehavior disrupts communication, or even makes it impossible in some cases. Misbehavior detection systems aim at removing this vulnerability. For this purpose, we use an Artificial Immune System (AIS) approach, i.e, an approach inspired by the human immune system (HIS). Our goal is to make an AIS that, analogously to its natural counterpart [16], automatically learns and detects new misbehavior, but becomes tolerant to previously unseen normal behavior. We achieve this goal by adding some new AIS concepts to those that already exist: (1) the “virtual thymus”, which provides a dynamic description of normal behavior in the system; (2) “clustering” is a decision making method that reduces the false-positive detection probability and minimizes the time until detection; (3) we apply the “danger signal” approach, that is recently proposed in AIS literature [5, 6] as a way to obtain feedback from the protected system and use it for correct learning and final decisions making; (4) we use “memory detectors”, a standard AIS solution to achieve fast secondary response. We implement our AIS in a network simulator and test it on two types of misbehavior. Performance analysis shows the following effects on the detection capabilities: (1) the virtual thymus enables the system to: (a) learn and detect misbehavior without use of the preliminary misbehavior-is-absent training phase, and (b) have low false positive detections even if normal behavior changes over time; (2) clustering and danger signal are useful for achieving low false positives; (3) memory detectors significantly accelerate the secondary response of the system. ? The authors are with EPFL, Lausanne, Switzerland. The work presented in this paper was supported (in part) by the National Competence Center in Research on Mobile Information and Communication Systems (NCCR-MICS), a center supported by the Swiss National Science Foundation, under the grant number 5005-67322. 2 S. Sarafijanović and J. Y. Le Boudec