Sensors (Basel). 2018 Feb 22;18(2):651.
doi: 10.3390/s18020651.

A Cross-Layer, Anomaly-Based IDS for WSN and MANET

Amar Amouri et al. Sensors (Basel).

Abstract

Intrusion detection system (IDS) design for mobile ad hoc networks (MANET) is a crucial component for maintaining the integrity of the network. The need for rapid deployment of IDS capability with minimal data availability for training and testing is an important requirement of such systems, especially for MANETs deployed in highly dynamic scenarios, such as battlefields. This work proposes a two-level detection scheme for detecting malicious nodes in MANETs. The first level deploys dedicated sniffers working in promiscuous mode. Each sniffer utilizes a decision-tree-based classifier that generates quantities, which we refer to as correctly classified instances (CCIs), every reporting time. In the second level, the CCIs are sent to an algorithmically run supernode that calculates quantities, which we refer to as the accumulated measure of fluctuation (AMoF), of the received CCIs for each node under test (NUT). A key concept used in this work is that the variability of the smaller-size population, which represents the number of malicious nodes in the network, is greater than the variance of the larger-size population, which represents the number of normal nodes in the network. A linear regression process is then performed in parallel with the calculation of the AMoF for fitting purposes and to set a proper threshold based on the slope of the fitted lines. As a result, the malicious nodes are efficiently and effectively separated from the normal nodes. The proposed scheme is tested for various node velocities and power levels and shows promising detection performance even at low-power levels. The results presented also apply to wireless sensor networks (WSN) and represent a novel IDS scheme for such networks.

Keywords: MANET; WSN; accumulated measure of fluctuation (AMoF); decision trees; finite sample size; intrusion detection; linear regression.
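
A sketch of the second-level (supernode) step described in the abstract, added here as an illustration and not taken from the paper: it accumulates the fluctuation of each NUT's CCI reports, fits a line to the result, and flags NUTs by slope. The AMoF formula (running sum of absolute CCI changes), the median-based cutoff, the `factor` parameter, the node IDs and the CCI values are all assumptions constructed for this example.

```python
from statistics import median

# Constructed CCI reports (percent) per node under test; not data from the paper.
CONSTRUCTED_CCIS = {
    1: [96, 97, 96, 97, 96, 97, 96, 97],
    2: [95, 95, 96, 95, 95, 96, 95, 95],
    3: [97, 96, 97, 97, 96, 97, 97, 96],
    4: [90, 70, 88, 65, 92, 60, 85, 68],   # strongly fluctuating reports
    5: [96, 96, 97, 96, 96, 97, 96, 96],
}

def amof(ccis):
    """Assumed AMoF: running sum of |CCI_k - CCI_(k-1)| over the reports."""
    total, series = 0.0, []
    for prev, cur in zip(ccis, ccis[1:]):
        total += abs(cur - prev)
        series.append(total)
    return series

def fitted_slope(ys):
    """Ordinary least-squares slope of ys against report index 0..n-1."""
    n = len(ys)
    if n < 2:
        raise ValueError("need at least two AMoF points to fit a line")
    x_mean = (n - 1) / 2
    y_mean = sum(ys) / n
    sxy = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(ys))
    sxx = sum((i - x_mean) ** 2 for i in range(n))
    return sxy / sxx

def flag_nodes(cci_by_nut, factor=3.0):
    """Return (slopes, flagged NUTs); cutoff = factor * median slope (assumed rule)."""
    slopes = {nut: fitted_slope(amof(c)) for nut, c in cci_by_nut.items()}
    cutoff = factor * median(slopes.values())
    flagged = sorted(nut for nut, s in slopes.items() if s > cutoff)
    return slopes, flagged

if __name__ == "__main__":
    slopes, flagged = flag_nodes(CONSTRUCTED_CCIS)
    for nut, s in sorted(slopes.items()):
        print(f"NUT {nut}: fitted AMoF slope = {s:.3f}")
    print("flagged:", flagged)
```

Anchoring the cutoff to the median slope relies on the abstract's premise that normal nodes are the larger population, so the median tracks normal behaviour.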

Conflict of interest statement

The authors declare no conflict of interest.

Figures

Figure 1: Simplified architecture of the proposed intrusion detection system (IDS).
Figure 2: Data fitting for the CCIs of sensor 5: (a) Data fitting for three distributions, extreme value (EV), Gamma, and Nakagami in scenario NS1P3 for node under test (NUT) 13; (b) Data fitting for three distributions, EV, Gamma, and Nakagami in scenario NS1P3 for NUT 19.
Figure 3: Data fitting for the CCIs of sensor 5: (a) Data fitting for three distributions, EV, Gamma, and Nakagami in scenario NS1P3 for NUT 13; (b) Data fitting for three distributions, EV, Gamma, and Nakagami in scenario NS15P7 for NUT 19.
Figure 4: Data fitting for the CCIs of sensor 5: (a) Data fitting for three distributions, EV, Gamma, and Nakagami in scenario NS5P7 for NUT 13; (b) Data fitting for three distributions, EV, Gamma, and Nakagami in scenario NS5P7 for NUT 19.
Figure 5: A two stage cross layer IDS.
Figure 6: The AMoF for different nodes and the fitted slope for those nodes for scenario NS1P7 (Tr = 50 s, Ts = 5 s): (a) The AMoF for different TNs; (b) The fitted slope, and its confidence for different NUTs.
Figure 7: The AMoF for different nodes and the fitted slope for those nodes for scenario NS1P7 (Tr = 100 s, Ts = 10 s): (a) The AMoF for different NUTs; (b) The fitted slope, and its confidence for different NUTs.
Figure 8: The AMoF for different nodes and the fitted slope for those nodes for scenario NS15P3 (Tr = 100 s, Ts = 5 s): (a) The AMoF for different NUTs; (b) The fitted slope, and its confidence for different NUTs.
