Intrusion Detection System in mobile ad hoc network in MAC layer

Master's Thesis, 2013

50 Pages, Grade: C



I. Declaration

II. Approved Research Topic

III. Abstract

IV. Certificate

V. Acknowledgement

VI. Table Of Content

VII. List Of Figures

VIII. List Of Abbreviations

Chapter 1. Introduction
1.1 Mobile Adhoc Network.
1.1.1 History of Mobile Adhoc Networks
1.1.2 Overview Of Mobile Adhoc Networks
1.1.3 Adhoc Routing Protocols for MANET Table Driven Protocols
· DestinationSequenced DistanceVector Routing (DSDV)
· Cluster head Gateway Switch Routing (CGSR)
· Wireless Routing Protocol (WRP) On demand Protocols.
· AdHoc OnDemand Distance Vector Routing (AODV)
· Dynamic Source Routing (DSR). Hybrid Protocols
· Zone Routing Protocol.
1.2 Overview of intrusion detection
1.3 Intrusion Detection System
1.3.1 Host based intrusion detection system
1.3.2 Network based intrusion detection system.
1.4 Why we need IDS.
1.5 IDS Techniques.
1.5.1 Anomaly Detection.
1.5.2 Misuse Detection or Signature Detection
1.5.3 Target Monitoring
1.5.4 Stealth Probes..
1.6 Overview of wormhole attacks

Chapter 2. Review of literature

Chapter 3. Present work
3.1 Scope of Study
3.2 Problem Formulation
3.3 Objective

Chapter 4.Research Methodology

Chapter 5. Result and Discussion

Chapter 6. Conclusion and Future works

Chapter 7. References


The rapid proliferation of Mobile ad hoc network has changed the landscape of network security. The recent DOS attacks on major Internet sites have shown us, no open computer network is immune from intrusions. The ad-hoc network is particularly vulnerable due to its features of open medium, dynamic changing topology and cooperative algorithms, lack of centralized monitoring and management point and lack of a clear line of defense. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective.

In this work, an intrusion detection system will be developed for detection and isolation of attacks. I0n this research work, mac layer applications will be used for detecting malicious activities and will focus on the finding of attack sequences in the network. This research work will provide stable and effective attack observations which can be directly applicable to the Real environment for Mobile Ad-hoc Devices.

There are many intrusion detection techniques have been developed on Ad hoc network but have been turned to be inapplicable in this new environment. Here we need to search for new architecture and mechanisms to protect Mobile Ad hoc network. In the above all technique of intrusion detection is applied on the only one layer and that is probably on routing layer. But here we apply this intrusion detection system in the MAC layer for the more security, efficiency and high speed compare to other technique those whose apply in the network layer.


First of all I would sincerely thank to my revered guide and mentor, Mr. Maninder Singh (Assistant Professor, Computer Science and Engineering Department, Lovely Professional University) for his valuable guidance, closely supervising this work over the past four months and helpful suggestions. His valuable advice and support, in spite of their busy schedule have really been an inspiration and driving force for me. He has constantly enriched my raw ideas with his experience and knowledge.

I would also heartily thank Mr. Dalvinder Singh, Head, Computer Science and Engineering Department who providing me lots of terms, technology and devices and providing a different kind of the seminar regarding to my thesis work and always very helpful and constructive.

Words are inadequate to express my heartfelt gratitude to my affectionate parents who have shown so much confidence in me and by whose efforts and blessings I have reached here.

I find it hard to express my grateful to the almighty in words for bestowing upon me his deepest blessings and providing me with the most wonderful opportunity in the form of life of a human being and for the warmth and kindness he has showered upon me by giving me life’s best.

I wish to express heartiest thanks to my friends and colleagues for their support, love and inspiration.

Date: Gondaliya Tapan



illustration not visible in this excerpt


illustration not visible in this excerpt


1.1 Mobile Adhoc Networks

Mobile Ad Hoc Network (MANET) is a whole wireless connectivity through the various nodes constructed by the actions of the network, which has a basically dynamic shape and a limited bandwidth as well as topology is change. Mobile Ad Hoc Network (MANET) is a bunch of two more nodes or devices or terminals with wireless connectivity and networking capability that communicate with each other without any centralized administrator also the wireless nodes can dynamically form a network to exchanging information without using any occurrence of fixed network infrastructure. And it’s an autonomous system in which mobile hosts connected by wireless links are free to be dynamically and some time act as routers at the same time.

There are three types of MANET. It includes Vehicular Ad hoc Networks (VANETs), Intelligent Vehicular Ad hoc Networks (InVANETs) and Internet Based Mobile Ad hock Networks (iMANET). VANETs are used for communication between two or more moving vehicles or between vehicles and fixed roadside equipment. Internet Based Mobile Ad Hoc Networks (iMANET) link mobile nodes and fixed Internet-gateway nodes. Intelligent vehicular ad hoc networks (InVANETs) help vehicles to behave in intelligent manner during vehicle-to-vehicle collisions, accidents, and drunken-driving.

Mobile Adhoc Network has a dynamic nature and is short of centralized stations as monitor stations, the ad hoc networks are vulnerable to various kinds of attacks. Mobile Adhoc network also suffered from vulnerabilities inward from wired communication systems like spoofing, eavesdropping, denial of service, authorization, access control. They also vulnerabilities ensuing from the wireless medium like wormhole, sinkhole, black-hole, sleep deprivation. Ad hoc routing protocols have vulnerabilities that also go ahead to fresh attacks on MANET systems.

1.1.1 History of Mobile Adhoc Networks

Earliest MANETs were called as a packet radio networks PRNET that is sponsored by Defense Advance Research Project Agency (DARPA) in 1970. This packet radio network predated the Internet and was part of inspiration of the original IP suite, after that DARPA experiments built-in the Survivable Radio Network (SURAN) project in 1980s.

illustration not visible in this excerpt

Figure 1.1 PRNET Architecture [6]

In 1990s the advent of inexpensive 802.11 radio cards for personal computer. Current Mobile Adhoc Networks are designed primary for military utility for examples include JTRS (Joint Tactical Radio System) and NTDR (Near-Term Digital Radio).

1.1.2 Overview of Mobile Adhoc Network

Manet is the Self-configuring network of mobile routers and also associated with the hosts connected by wireless links. Mobile Adhoc Network has union forms of random topology; one of the main issues of the mobile Adhoc network is ttopology changes rapidly and unpredictably. Standalone fashion or connected to the larger Internet. MANETs are self contained; they can also be tied to an IP-based global n/w as well as local network it is called Hybrid MANETs. Routes between nodes may potentially contain multiple hops and in first part of the figure nodes act as routers to forward packets for each other or in second figure contains node mobility may cause the routes change.

illustration not visible in this excerpt

Figure 1.2 Mobile Adhoc Nodes in MANET [6]

Mobile Adhoc Network is Suitable for military conflicts, emergency medical situations, and emergency situations like natural or human-induced disasters.

1.1.3 Routing protocols for MANET

Routing Protocol in Mobile Adhoc network is mainly divided in to three parts one is table driven protocols and second one is source initiated on demand driven protocols and last but not least hybrid protocols that both protocol has its own importance and this protocol is also further divided into other protocols.

Table driven protocol it is also known as the proactive protocol. In table driven protocols continuously assess the routes and also attempt to maintain consistent, It also up-to-date routing information from routing table as well when a route is needed. Whenever the n/w topology changes the protocol respond by propagating updates throughout network to maintain a constant view. Example of this type of protocol is DSDV, CGSR, and WRP.

The second protocol of the routing mobile Adhoc network is on demand protocol which is also known as the reactive protocol. This protocol is maintain routes only if needed. Example of this type of protocol is AODV and DSR.

Last but not least the hybrid protocol is the third type of mobile Adhoc network protocol which is a combination of the both protocol on demand and table driven protocols example of this type of protocol is ZRP. Now let we briefly discuss all protocol as under.

illustration not visible in this excerpt

Figure 1.3 Classification of Routing Protocols in MANET [6] Table Driven Protocols

Table driven protocol it is also known as the proactive protocol. In table driven protocols continuously assess the routes and also attempt to maintain consistent, It also up-to-date routing information from routing table as well when a route is needed. Whenever the n/w topology changes the protocol respond by propagating updates throughout network to maintain a constant view. Example of this type of protocol is DSDV, CGSR, and WRP.

- Destination Sequenced Distance Vector (DSDV)

Destination Sequenced Distance Vector is a table driven protocol, it is basically work on the Based on the distributed Bellman-Ford routing algorithm. In this protocol each node maintains the routing table. Mainly in this type of protocol is used for the control the traffic over the network two types of the route updates packet used for maintain the traffic over the network full dump and incremental in incremental packet Only information changed since the last full dump and in the full dump all available routing information. In routing table store the data like sequence number or the source to destination route information.

- Cluster-Head Gateway Switch Routing (CGSR)

CGSR is also the table driven protocol or proactive protocols in this protocol uses DSDV as an underlying protocol and least Cluster Change (LCC) clustering algorithm. Clustering is used as a able to control a group of ad-hoc hosts. In this protocol each node maintain two tables in it one is a cluster member table, containing the cluster head for each destination node and second one is a distance vector-routing table, containing the next hop to the destination

illustration not visible in this excerpt

Figure 1.4Work Flow of Cluster Gateway Switch Routing (CGSR) [6]

One main drawback of this protocol is too frequent cluster head selection can be an overhead and cluster nodes and Gateway can be a bottleneck

- Wireless Routing Protocol (WRP)

WRP is also the proactive table driven protocol main goal of that protocol is maintaining routing information among all other nodes in the adhoc network. Each node contains basically 4 tables distance table, routing table, message retransmission list table or last link cost table. In this protocol link exchanges are propagated by using update messages sent between neighboring nodes, also the hello messages are periodically exchanged between neighbors node. Main problem solving out this protocol is count-to-infinity problem by forcing each node to check predecessor information. Draw backs of that protocol is each node contains a 4 table and store lots of information so used large amount of memory is used and periodic hello message consumes power and bandwidth. On Demand Routing Protocols

The second protocol of the routing mobile Adhoc network is on demand protocol which is also known as the reactive protocol. This protocol is maintain routes only if needed. Example of this type of protocol is AODV and DSR.

- Ad hoc On-demand Distance Vector (AODV)

AODV is a reactive type of protocol which is builds on DSDV algorithm and the improvement is on minimizing the number of required broadcasts by creating routes on through an on-demand. This protocol need the broadcast is used for route request, broadcast not maintaining a complete list of routes. Main Advantages of that protocol is responsive to changes in topology, uses bandwidth efficiently, is scalable as well as ensures loop free routing. And a drawback of that protocol is nodes use the routing caches to reply to route queries. Result: “uncontrolled” replies and repetitive updates in hosts’ cache cannot prorogate the early response so all query messages which are flooded all over the network

- Dynamic Source Routing (DSR)

DSR is another protocol has a reactive type and which is basically working on concept of source routing. Mobile nodes are required to maintain route caches that contain the source routes of which the mobile is aware two mechanisms is used in this protocol Two mechanisms one is Route Maintenance and second one is Route Discovery Route discovery is uses the route request and route reply packets Route maintenance is uses the route error packets and acknowledgments. Main advantages of that protocol is no periodic hello message and fast recovery - cache can store multiple paths to a destination and one drawbacks of that protocol is the packets may be forwarded along stale cached routes Major scalability problem due to the nature of source routing. Hybrid Routing Protocols

Last but not least the hybrid protocol is the third type of mobile Adhoc network protocol which is a combination of the both protocol on demand and table driven protocols example of this type of protocol is ZRP.

· Zone Routing Protocol (ZRP)

Zone base routing protocol is the mixture of the above both of the protocols proactive as well as active. In this protocol proactively maintains routes within a local region or it is also called routing zone. All nodes within hop distance at most d from a node X are said to be in the routing zone of node X. All nodes at hop distance exactly d are said to be peripheral nodes of node X’s routing zone. Also in ZRP a globally reactive route query/reply mechanism available.ZRP basically consist 3 protocols Intrazone Routing Protocol (IARP), Interzone Routing Protocol (IERP), Bordercast Resolution Protocol (BRP)

illustration not visible in this excerpt

Figure 1.5 Zone Base Routing [6]

1.2 Overview about the IDS

Now a Days Hacking and intrusion incidents are increasing year by year as technology grow up. Unfortunately in today’s inter-connected e-commerce world there is no hiding place: you can be found through a wide variety of means: DNS, Name Server Lookup, NSlookup, Newsgroups, web site trawling, e-mail properties and so on.

Whether the motivation is financial gain, intellectual challenge, espionage, political, or simply trouble-making, you may be exposed to a variety of intruder threats. Obviously it is just common sense to guard against this, but business imperative.

illustration not visible in this excerpt

Figure 1.6 IDS Activity

IDS do exactly as the name suggests: they detect possible intrusions. More specifically, IDS tools aim to detect computer attacks and/or computer misuse, and to alert the proper individuals upon detection. An IDS installed on a network provides much the same purpose as a burglar alarm system installed in a house. Through various methods, both detect when an intruder/attacker/burglar is present, and both subsequently issue some type of warning or alert. Also IDSs may be used in conjunction with firewalls, which aim to regulate and control the flow of information into and out of a network; the two security tools should not be considered the same thing. Using the previous example, firewalls can be thought of as a fence or a security guard placed in front of a house. They protect a network and attempt to prevent intrusions, while IDS tools detect whether or not the network is under attack or has, in fact, been breached. IDS tools thus form an integral part of a thorough and complete security system. They don’t fully guarantee security, but when used with security policy, vulnerability assessments, data encryption, user authentication, access control, and firewalls, they can greatly enhance network safety.

IDS have a 3 security functions: they 1.monitor, 2.detect, and 3.respond to unauthorized activity by company insiders and outsider intrusion. Intrusion detection systems use policies to define certain events that, if detected will issue an alert. In other words, if a particular event is considered to constitute a security incident, an alert will be issued if that event is detected. Certain intrusion detection systems have the capability of sending out alerts, so that the administrator of the IDS will receive a notification of a possible security incident in the form of a page, email, or SNMP trap. Many intrusion detection systems not only recognize a particular incident and issue an appropriate alert, they also respond automatically to the event. Such a response might include logging off a user, disabling a user account, and launching of scripts.

1.3 Intrusion Detection System

Intrusion detection system is a collection of techniques that are basically used to detect suspicious activity both at the network and host level. Intrusion detection systems fall into two basic categories: signature-based intrusion detection systems and anomaly detection systems. Intruders have signatures, like computer viruses, that can be detected using software. You try to find data packets that contain any known intrusion-related signatures or anomalies related to Internet protocols. Based upon a set of signatures and rules, the detection system is able to find and log suspicious activity and generate alerts. Anomaly-based intrusion detection usually depends on packet anomalies present in protocol header parts. In some cases these methods produce better results compared to signature-based IDS. Usually an intrusion detection system captures data from the network and applies its rules to that data or detects anomalies in it.

Basically the intrusion detection is the technique of monitoring networks for unauthorized entrance, activity, or file modification in network. IDS can also be used to monitor network traffic, thereby detecting if a system is being targeted by a network attack such as a Dos attack. There are two basic types of intrusion detection: HIDS and NIDS. Each has a distinct approach to monitoring and securing data, and each has distinct advantages and disadvantages. In short, host-based IDSs examine data held on individual computers that serve as hosts, while network-based IDSs examine data exchanged between computers.

illustration not visible in this excerpt

Figure 1.7 Types of the IDS

1.3.1 Host-Based IDS (HIDS)

HIDS were the first type of IDS to be developed and implemented. These types of systems collect & analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given system, it can either be analyzed local or sent to a separate/central analysis machine. Example of HIDS is programs that operate on a system and receive application or operating system audit logs. These programs are broadly effective for detecting insider abuses. On the trusted network systems them, they are close to the network’s authenticated users. If one of these users attempts unauthorized activity, host-based systems usually detect and collect the most pertinent information in the quickest possible manner. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification.

On the down side, host-based systems can get unwieldy. With several thousand possible endpoints on a large network, collecting and aggregating separate specific computer information for each individual machine may prove inefficient and ineffective. In addition, if an intruder disables the data collection on any given computer, the IDS on that machine will be rendered useless because there is no backup.

Possible host-based IDS implementations include Windows NT/2000 Security Event Logs, RDMS audit sources, Enterprise Management systems audit data (such as Tivoli), and UNIX Sys log in their raw forms or in their secure forms such as Solaris' BSM.

1.3.2 Network-Based IDS (NIDS)

As Opposite side to monitoring the activities that take place on a particular network, NIDS analyzes data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify their nature: malicious or benign. Because they are responsible for monitoring a network, rather than a single host, NIDS tend to be more distributed than host-based IDS. Software, or appliance hardware in some cases, resides in one or more systems connected to a network, and are used to analyze data such as network packets. Instead of analyzing information that originates and resides on a computer, network-based IDS uses techniques like “packet-sniffing” to pull data from TCP/IP or other protocol packets traveling along the network. This surveillance of the connections between computers makes network-based IDS great at detecting access attempts from outside the trusted network. In general, network-based systems are best at detecting the following activities:

- Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.
- Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS.
- Some possible downsides to network-based IDS: include encrypted packet payloads and high-speed networks, both of which inhibit the effectiveness of packet interception and deter packet interpretation. Examples of network-based IDS include Shadow, Snort! Dragon, NFR, Real Secure, and Net Prowler.


Excerpt out of 50 pages


Intrusion Detection System in mobile ad hoc network in MAC layer
Lovely Professional University, Punjab  (School Of Computer Science and Engineering)
Catalog Number
ISBN (eBook)
ISBN (Book)
File size
1995 KB
intrusion, detection, system, Intrusion Detection System in mobile ad hoc network in MAC layer
Quote paper
Tapan Gondaliya (Author), 2013, Intrusion Detection System in mobile ad hoc network in MAC layer, Munich, GRIN Verlag,


  • No comments yet.
Read the ebook
Title: Intrusion Detection System in mobile ad hoc network in MAC layer

Upload papers

Your term paper / thesis:

- Publication as eBook and book
- High royalties for the sales
- Completely free - with ISBN
- It only takes five minutes
- Every paper finds readers

Publish now - it's free