ISSN (Print): 2319-2526, Volume -3, Issue -1, 2014
International Journal on Advanced Computer Theory and Engineering (IJACTE)
________________________________________________________________________
ARTIFICIAL IMMUNE SYSTEM FOR ROUTING PROTOCOL IN MANET
Vaibhav Khatavkar (1), Deepika Sirsath (2), Ketaki Fadnavis (3), Aishwarya Vora (4)
1 Assistant Professor; 2,3,4 B.Tech Computer, Students (Research Scholar); Dept. of Comp. Engg. and Inf. Technology, College of Engineering, Shivajinagar, Pune, MS, India
Email: [email protected], [email protected], [email protected], [email protected]
Keywords: Mobile Ad-hoc Network, Intrusion Detection, Artificial Immune System.

Abstract. A mobile ad hoc network (MANET) is vulnerable to routing misbehaviour due to faulty or malicious nodes. Misbehaviour detection systems are designed to remove this vulnerability. Our system uses the concepts of Artificial Intelligence (AI) and the Human Immune System (HIS) to detect misbehaviour in the routing protocol. In our system, once a node has been attacked it will not only detect the attack but also inform its neighbours about it, thereby protecting the entire network against the attack. The concept is similar to what happens in the human body: once we suffer from a particular disease we develop immunity against that disease.
I. INTRODUCTION:
Artificial Immune System (AIS) uses the concepts of AI. AIS was inspired by the HIS, which is robust, decentralized, error tolerant, and adaptive [1]. In this section, we present AIS features. This topic has been covered in [2],[3], and here we summarise that work in Figure 1.
Figure 1: AIS Features
Kim and Bentley presented three properties of IDSs that satisfy the seven requirements stated above [2],[4]. Another piece of work by Somayaji et al. [3] also identifies twelve immune features that are desirable for an effective IDS.
Routing Protocols:
Routing protocols in MANET are classified as proactive and reactive protocols, which are discussed in [5],[6]. The figure below depicts the same.
Figure 2: Routing Protocols
Ad hoc networks are vulnerable to various kinds of attacks because of the dynamic, distributed, infrastructureless nature of MANETs and the lack of a centralized authority [7]. The various routing attacks in MANET are the Wormhole attack, Black Hole attack, routing table poisoning attack, Flooding attack [8], Invisible node attack [9] and node isolation attack [10]. These attacks are explained by Sudhir et al. [7].
II. RELATED WORK:
Hofmeyr and Forrest use an AIS for intrusion detection in wired local area networks. Their work is based on the negative selection part of the self-nonself model and some form of danger signal [11],[12]. TCP connections play the role of self and nonself cells. One connection is represented by a triplet encoding the sender's destination address, receiver's destination address and receiver's port number. A detector is a bit sequence of the same length as the triplet. A detector matches a triplet if both have M contiguous bits equal, where M is a fixed system parameter. Candidate detectors are generated randomly; in a learning phase, detectors that match any correct (i.e. self) triplets are eliminated. This is done offline, by presenting only correct TCP connections. Non-eliminated detectors have a finite lifetime and die unless they match a nonself triplet, as in the IS. The danger signal is also used: it is sent by humans as confirmation in case of potential detection. This is a drawback, since human intervention is required to eliminate false positives, but it allows the system to learn changes in the self. In the terminology of statistical pattern classification, this use of the danger signal can be viewed as a form of supervised training.
Kim and Bentley [16] show that straightforward mappings have computational problems and lead to poor performance, and they introduce a more efficient representation of self and nonself than in [11]. They show the computational weakness of negative selection and add clonal selection to address this problem [16]. In their subsequent papers, they examine clonal selection with negative selection as an operator [17] and dynamic clonal selection [18], showing how different parameters affect detection results.
de Castro and Timmis in their paper [19] discussed relevant immune theories for pattern recognition and introduced their computational counterparts. They also described how to model pattern recognition in artificial immune systems, and gave a survey of AIS for pattern recognition and of the use of AIS together with Artificial Neural Networks (ANN) when applied to pattern recognition tasks.
All the above work is done in wired networks, and we are designing a similar system for wireless networks. Khatavkar and Sawant designed a similar kind of system for wired networks [20].
The system proposed by Dipankar Dasgupta in [13] attempts to integrate several potentially useful immunological properties in a single framework in order to develop a robust and intelligent detection system. The proposed system has some unique features compared to the existing agent-based detection systems [14],[15]. They include simultaneous multi-level monitoring, detection of known and unknown intrusions, and hierarchical sense and response mechanisms. The developed system will perform real-time monitoring, analyzing, and generating appropriate responses to intrusive activities. It is designed to be flexible and extendible to meet the specific security needs and preferences of an organization.
III. PROPOSED ALGORITHM:
We are going to implement AIS in MANET. For this we are using the Negative Selection Algorithm (NSA) proposed by Forrest et al. in [21],[22]. The same was used by Khatavkar and Sawant [20],[23].
Negative selection algorithm (NSA):
This algorithm models a mechanism used by the immune system to train the T-cells to recognize antigens (nonself) and to prevent them from recognizing the body's own cells (self) [24].
This algorithm consists of three phases: defining self, generating detectors and monitoring the occurrence of anomalies. It regards the profiled normal patterns as 'self' patterns. In the second phase, it generates a number of random patterns that are compared to each self pattern defined in the first phase. If any randomly generated pattern matches a self pattern, this pattern fails to become a detector and thus it is removed. Otherwise, it becomes a 'detector' pattern and monitors subsequent profiled patterns of the monitored system. During the monitoring stage, if a 'detector' pattern matches any newly profiled pattern, it is then considered that a new anomaly must have occurred in the monitored system [12].
Figure 3: Training Phase
As shown in Figure 3, routing information for each node in the network is collected and given to the negative selection algorithm. The output of this gives us the self set. This is called the training phase. Then the routing information and the self set contents are given to NSA. The output of this has two possibilities, depending upon whether the routing information and the self set match or not.
If matching occurs then there is no intrusion, but if matching does not occur then there is an intrusion. This phase is called the detector phase, as it detects intrusion. When there is no intrusion there is no need to take any action, but when there is an intrusion an alarm is generated to inform other nodes about the attack in the network. In this way the whole network becomes immune against the attack.
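The three NSA phases of Section III (define self, generate random detectors and discard those that match self, then monitor) together with the r-contiguous-bits matching rule of the Hofmeyr and Forrest scheme from Section II, written out as an added example; this is not code from the paper or its authors. The 80-bit connection-triplet encoding, the threshold r = 12 and the sample connections are assumptions made for illustration only; the paper's own system feeds routing information from NS2 traces to NSA rather than TCP triplets.

```python
import random
from typing import Iterable, List, Set

# Added example (not from the paper): negative selection over fixed-length bit
# strings. Matching is the r-contiguous-bits rule; the triplet layout is assumed.


def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """True when a and b agree on at least r consecutive bit positions."""
    if len(a) != len(b):
        raise ValueError("strings must have equal length")
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def triplet_to_bits(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Encode (source address, destination address, destination port) as
    32 + 32 + 16 = 80 bits. This layout is an assumption for the example."""
    def ip_bits(ip: str) -> str:
        octets = [int(o) for o in ip.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"bad IPv4 address: {ip}")
        return "".join(f"{o:08b}" for o in octets)
    if not 0 <= dst_port <= 0xFFFF:
        raise ValueError("port out of range")
    return ip_bits(src_ip) + ip_bits(dst_ip) + f"{dst_port:016b}"


def generate_detectors(self_set: Set[str], n_detectors: int, r: int,
                       rng: random.Random, max_candidates: int = 100_000) -> List[str]:
    """Training phase: draw random candidates and keep only those matching no
    self string (negative selection). Returns fewer than n_detectors when the
    candidate budget runs out, which happens if r is too small for the self set."""
    length = len(next(iter(self_set)))
    detectors: List[str] = []
    for _ in range(max_candidates):
        if len(detectors) >= n_detectors:
            break
        candidate = "".join(rng.choice("01") for _ in range(length))
        if not any(r_contiguous_match(candidate, s, r) for s in self_set):
            detectors.append(candidate)
    return detectors


def monitor(detectors: Iterable[str], observations: Iterable[str], r: int) -> List[str]:
    """Detector phase: an observation is reported when any detector matches it.
    A self string can never be reported, because every candidate that matched
    self was discarded during training."""
    dets = list(detectors)
    return [obs for obs in observations
            if any(r_contiguous_match(d, obs, r) for d in dets)]


# Constructed sample data (not from the paper): normal connections seen during
# training, later monitored together with one connection never seen before.
SELF_TRIPLETS = [
    ("10.0.0.1", "10.0.0.2", 80), ("10.0.0.2", "10.0.0.1", 80),
    ("10.0.0.1", "10.0.0.3", 22), ("10.0.0.3", "10.0.0.1", 22),
    ("10.0.0.2", "10.0.0.3", 53), ("10.0.0.3", "10.0.0.2", 53),
]
SELF_SET = {triplet_to_bits(*t) for t in SELF_TRIPLETS}
R = 12  # matching threshold; small enough that most random candidates survive


def run_demo(seed: int = 7, n_detectors: int = 200):
    rng = random.Random(seed)
    detectors = generate_detectors(SELF_SET, n_detectors, R, rng)
    normal = list(SELF_SET)
    unseen = [triplet_to_bits("203.0.113.9", "10.0.0.1", 4444)]
    flagged = monitor(detectors, normal + unseen, R)
    return detectors, flagged


if __name__ == "__main__":
    dets, flagged = run_demo()
    print(f"{len(dets)} detectors kept; {len(flagged)} observation(s) flagged")
```

The value of r sets the trade-off the paper's related work describes: a small r makes nearly every random candidate match some self string, so training discards almost all of them, while a large r leaves "holes" that no detector covers, so an unseen pattern can slip through undetected. Self patterns, by construction, are never reported, which is the property a practitioner should check first when validating an NSA deployment.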
Figure 4: Detector phase
IV. IMPLEMENTATION
Recent research on anomaly detection based on the negative selection algorithm of artificial immune systems is promising, but these approaches all have the problems of too much overhead in time and space, a large number of detectors, and low detection efficiency. The improved negative selection algorithm based on the Bloom Filter is proposed in Figure 9, which suggests the use of a Bloom filter to store antibodies [24].
A Bloom filter is an array of size n, with all elements 0 when it is empty. There must be k different hash functions defined such that each hashes a set element to one of the n array positions with uniform distribution (reference: Wikipedia, Bloom filter). To add an element, feed it to each of the k hash functions to get k array positions. All these positions are then set to 1 [26].
Many IDS are developed using various data mining techniques [24]. Most of the systems are signature-based IDSs which make use of IP addresses. Signature-based IDSs store IP addresses either in a file or in data structures like linked lists, trees etc. Zhu Tieying used a Bloom filter in IDS. The Bloom filters were used to store the IP addresses of computers in a local network [25].
Bloom filters are used by Dharmapurikar et al. in packet classification [27]. Bloom Filters can also be used in IDS, as done by Zhu Tieying et al. [25].
Figure 5: Bloom Filter when IP address is stored
Figure 6: Bloom Filter when IP address is not stored
A Counting Bloom Filter is an improved version of the Bloom Filter. Instead of just setting elements in the array, it increments the value present in the Bloom Filter at the corresponding hashed index elements.
The IP address is stored in the Bloom filter. Storing an IP address in the Bloom Filter means hashing the IP address (Si) and setting the corresponding elements in the array to 1. Figure 6 illustrates the same. For searching an IP address in the Bloom filter, the IP is first hashed and the corresponding elements in the array are checked to see whether they are all 1. If all of the elements are 1 then the IP address is present in the Bloom filter.
Figure 7 illustrates the use of the counting Bloom Filter for inserting an IP address, while Figure 8 illustrates the use of the counting Bloom filter for searching an IP address.
Figure 7: Use of Counting Bloom Filter for Inserting IP address
Figure 8: Use of Counting Bloom Filter for searching IP address
After introducing the Bloom filter in the Negative Selection Algorithm, the complexity of antibody generation comes to O(n*m), where n is the total number of antibodies and m is the length of an antibody, while in the enumerated method it is (( )). In the case of false alerts, false negatives are not generated and false positives depend on the hashing function used in the Bloom filter. Its main goal is to improve detection efficiency. It takes the hash of the self collection, based on the Bloom Filter and abstract keywords, as the detector, to match against the pending detection. It can reduce the overhead of antibody storage and cut down the matching scale. Although it has a relatively high error rate because of the potential for hashing collisions, this can be further reduced by careful selection of the hash function [25][28].
Figure 9: NSA and Bloom filter
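The counting Bloom filter of Section IV (hash an IP address to k positions, insert by incrementing the counters, search by checking that all k positions are non-zero, delete by decrementing) and its use as the self-set store of the NSA detector phase, written out as an added example rather than code from the paper or its authors. The hash functions (SHA-256 over a per-function salt and the item), the array size n = 1024, k = 4 and the sample addresses are assumptions for illustration; the false-positive estimate is the standard Bloom filter formula and is not taken from the paper.

```python
import hashlib
import math
from typing import Iterable, List

# Added example (not from the paper). Hash functions, sizes and the sample self
# set are assumptions; the structure follows the description in Section IV.


class CountingBloomFilter:
    def __init__(self, n: int = 1024, k: int = 4):
        if n <= 0 or k <= 0:
            raise ValueError("n and k must be positive")
        self.n, self.k = n, k
        self.counters: List[int] = [0] * n

    def _positions(self, item: str) -> List[int]:
        """k array indices for item; each salted SHA-256 plays one hash function."""
        out = []
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            out.append(int.from_bytes(digest[:8], "big") % self.n)
        return out

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.counters[p] += 1

    def contains(self, item: str) -> bool:
        """Never False for an item that was added (no false negatives); may be
        True for an item that was not added (false positive from collisions)."""
        return all(self.counters[p] > 0 for p in self._positions(item))

    def remove(self, item: str) -> bool:
        """Decrement only if every position is non-zero; otherwise the item
        cannot be present and decrementing would corrupt other entries."""
        if not self.contains(item):
            return False
        for p in self._positions(item):
            self.counters[p] -= 1
        return True


def expected_false_positive_rate(n: int, k: int, m: int) -> float:
    """Standard estimate for a filter of n counters, k hashes and m stored items."""
    return (1.0 - math.exp(-k * m / n)) ** k


class SelfSetMonitor:
    """Detector phase with the self set held in a counting Bloom filter: an
    observed address that does not match the self set is reported as an
    intrusion (Section III); a stored self address is never reported."""

    def __init__(self, self_addresses: Iterable[str], n: int = 1024, k: int = 4):
        self.filter = CountingBloomFilter(n, k)
        self.stored = 0
        for addr in self_addresses:
            self.filter.add(addr)
            self.stored += 1

    def is_intrusion(self, addr: str) -> bool:
        return not self.filter.contains(addr)

    def forget(self, addr: str) -> bool:
        """Counting filters support deletion, so a node that leaves the network
        can be dropped from self without rebuilding the whole filter."""
        if self.filter.remove(addr):
            self.stored -= 1
            return True
        return False


# Constructed sample input (not from the paper).
SELF_ADDRESSES = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]

if __name__ == "__main__":
    mon = SelfSetMonitor(SELF_ADDRESSES)
    for a in SELF_ADDRESSES + ["192.0.2.77"]:
        print(a, "intrusion" if mon.is_intrusion(a) else "self")
    print("expected false-positive rate:",
          expected_false_positive_rate(1024, 4, len(SELF_ADDRESSES)))
```

Two properties matter when this filter stands in for the self set. A stored address always matches, so self traffic never raises an alarm; a nonself address matches only through a hash collision, and that collision rate is what the paper's "depends on the hashing function" remark refers to, so n and k should be sized with the formula above against the expected number of self entries. Deletion must be guarded as shown: decrementing for an address the filter does not contain would silently remove someone else's entry.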
V. RESULTS
We first set up a wireless topology consisting of a finite number of nodes. The nodes exchange HELLO packets periodically. All this setup is done in the network simulator NS2, so that a trace file is generated consisting of the communication details of all the nodes in the network. The following figure shows the wireless topology in NS2.
Figure 10: Simulation in NS2
In NS2 we observed the normal and anomalous behaviour of various nodes. We collected the trace files for normal and anomalous behaviour. After collecting trace files of normal behaviour in NS2 we built the self set using NSA, as shown in Figure 3; then this self set and the traces of anomalous behaviour (in NS2) are given as input to NSA, which identifies them as anomalous or normal.
Then we separated the trace file for each node. Then we gave the trace file to the Bloom filter and found out whether the system is under attack. If a node is receiving the same packet more than thrice then the system is considered to be under attack, and the information is then passed to the neighbours in the network.
The following figures show the graphs of number of nodes and duration against the accuracy of our system. The detection rate is inversely proportional to the number of nodes and the time. If we run this in a normal real environment, according to the results of the simulation, the detection rate is 98% at the beginning but it decreases to 96% as the number of nodes increases (because of the false rate). We have tested this for various numbers of nodes. Thus the detection rate decreases with time and with an increase in the number of nodes.
Figure 11: Number of nodes vs Accuracy
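The threshold rule of Section V (a node that receives the same packet more than thrice is considered under attack, and its neighbours are informed) applied to per-node trace lines, as an added example that is not the paper's code. The trace lines are constructed to resemble the old NS2 wireless trace format (event, time, node, layer, reason, packet id, type, size, followed by header fields) and are not the authors' trace files; the neighbour table is likewise assumed.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Added example (not from the paper). Trace lines and neighbour table are
# constructed; the field order approximates NS2's old wireless trace format.


def parse_trace_line(line: str):
    """Return (event, node_id, pkt_id, pkt_type), or None for lines that carry
    no packet event (comments, blank lines, too few fields)."""
    parts = line.split()
    if len(parts) < 7 or parts[0] not in ("s", "r", "f", "D"):
        return None
    event, _time, node, _layer, _reason, pkt_id, pkt_type = parts[:7]
    if not (node.startswith("_") and node.endswith("_")):
        return None
    return event, int(node.strip("_")), int(pkt_id), pkt_type


def count_receptions(lines) -> Dict[int, Counter]:
    """Per node: how many times each packet id was received ('r' events only;
    sends, forwards and drops do not count as receptions)."""
    per_node: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_trace_line(line)
        if parsed is None:
            continue
        event, node, pkt_id, _ = parsed
        if event == "r":
            per_node[node][pkt_id] += 1
    return per_node


def nodes_under_attack(per_node, threshold: int = 3) -> Dict[int, List[int]]:
    """A node receiving one packet more than `threshold` times is considered
    under attack; exactly `threshold` receptions is still normal."""
    return {node: sorted(p for p, c in counts.items() if c > threshold)
            for node, counts in per_node.items()
            if any(c > threshold for c in counts.values())}


def alarm_targets(attacked, neighbours: Dict[int, Set[int]]) -> Dict[int, Set[int]]:
    """Nodes that the alarm should reach: the neighbours of each attacked node."""
    return {node: set(neighbours.get(node, set())) for node in attacked}


# Constructed trace: node 1 receives packet 9 exactly three times (normal),
# node 3 receives packet 11 four times (attack); the final drop is not a reception.
TRACE = """\
s 0.100000000 _1_ RTR --- 7 HELLO 48 [0 ffffffff 1 800] ------- [1:255 -1:255 32 0]
r 0.101000000 _2_ RTR --- 7 HELLO 48 [0 ffffffff 1 800] ------- [1:255 -1:255 32 0]
r 0.101000000 _3_ RTR --- 7 HELLO 48 [0 ffffffff 1 800] ------- [1:255 -1:255 32 0]
s 0.200000000 _2_ RTR --- 9 HELLO 48 [0 ffffffff 2 800] ------- [2:255 -1:255 32 0]
r 0.201000000 _1_ RTR --- 9 HELLO 48 [0 ffffffff 2 800] ------- [2:255 -1:255 32 0]
r 0.202000000 _1_ RTR --- 9 HELLO 48 [0 ffffffff 2 800] ------- [2:255 -1:255 32 0]
r 0.203000000 _1_ RTR --- 9 HELLO 48 [0 ffffffff 2 800] ------- [2:255 -1:255 32 0]
r 0.301000000 _3_ RTR --- 11 HELLO 48 [0 ffffffff 4 800] ------- [4:255 -1:255 32 0]
r 0.302000000 _3_ RTR --- 11 HELLO 48 [0 ffffffff 4 800] ------- [4:255 -1:255 32 0]
r 0.303000000 _3_ RTR --- 11 HELLO 48 [0 ffffffff 4 800] ------- [4:255 -1:255 32 0]
r 0.304000000 _3_ RTR --- 11 HELLO 48 [0 ffffffff 4 800] ------- [4:255 -1:255 32 0]
D 0.305000000 _3_ RTR --- 11 HELLO 48 [0 ffffffff 4 800] ------- [4:255 -1:255 32 0]
"""
NEIGHBOURS = {1: {2, 3}, 2: {1}, 3: {1, 4}, 4: {3}}


def run_demo():
    per_node = count_receptions(TRACE.splitlines())
    attacked = nodes_under_attack(per_node)
    return attacked, alarm_targets(attacked, NEIGHBOURS)


if __name__ == "__main__":
    attacked, alarms = run_demo()
    print("under attack:", attacked)
    print("inform:", alarms)
```

The boundary case is the one to test explicitly: three receptions of packet 9 at node 1 stay below the "more than thrice" rule, while four receptions of packet 11 at node 3 trip it, and only node 3's neighbours (1 and 4) are informed.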
Figure 12: Duration vs Accuracy
CONCLUSION:
Absolute security is an abstract concept; it does not exist anywhere. All networks are vulnerable to insider or outsider attacks, and to eavesdropping. Regardless of whether the network is wired or wireless, steps can and should always be taken to preserve network security and integrity.
We have said that any secure network will have vulnerabilities that an adversary could exploit. This is especially true for wireless ad-hoc networks. However, new techniques must be developed to make intrusion detection work better for wireless networks.
We have shown that in a mobile ad-hoc network it is not only necessary to ensure security at the individual node but also to make the entire network immune against the various attacks that exist. Currently, research is taking place on developing new architectures for wireless networks for better security.
Our intrusion detection system proposed here detects intrusion by centralized collection of relevant information from the nodes. Our main aim is to make the system behave like a human immune system, which once it detects an attack will not be affected by a similar kind of attack in future.
BIBLIOGRAPHY:
[1] Amira Sayed A. Aziz, Mostafa A. Salama, Aboul Ella Hassanien, Sanaa El-Ola Hanafi, "Artificial Immune System Inspired Intrusion Detection System Using Genetic Algorithm", October 11, 2012.
[2] J. W. Kim, "Integrating Artificial Immune Algorithms for Intrusion Detection", PhD thesis, University College London, 2002.
[3] A. Somayaji, S. Hofmeyr, and S. Forrest, "Principles of a computer immune system", in Proc. of New Security Workshop, pages 75-82, Langdale, Cumbria, 1997.
[4] J. Kim and P. Bentley, "The human immune system and network intrusion detection", in Proc. of European Congress on Intelligent Techniques and Soft Computing (EUFIT '99), Aachen, Germany, September 1999.
[5] Dr Chandra Shekar Reddy Putta, Dr K. Bhanu Prasad, Dilli Ravilla, Murali Nath R.S, M.L. Ravi Chandra, "Performance of Ad hoc Network Routing Protocols in IEEE 802.11", Int'l Conf. on Computer & Communication Technology, 2010.
[6] Perkins, C. E., Royer, E. M., "Ad-hoc On-Demand Distance Vector Routing", Proc. 2nd IEEE Workshop on Mobile Computing Systems and Applications, pp. 90-100, February 1999; RFC 3626, Optimized Link State Routing (OLSR).
[7] Sudhir Agrawal, Sanjeev Jain, Sanjeev Sharma, "A Survey of Routing Attacks and Security Measures in Mobile Ad-Hoc Networks", Journal of Computing, volume 3, issue 1, January 2011, ISSN 2151-9617.
[8] P. Yi, Z. Dai, S. Zhang, Y. Zhong, "A New Routing Attack in Mobile Ad Hoc Networks", International Journal of Information Technology, vol. 11, no. 2, 2005.
[9] T. R. Andel and A. Yasinsac, "The Invisible Node Attack Revisited", Proceedings of IEEE SoutheastCon 2007, pp. 686-691, March 2007.
[10] B. Kannhavong, H. Nakayama, N. Kato, Y. Nemoto and A. Jamalipour, "Analysis of the Node Isolation Attack Against OLSR-based Mobile Ad Hoc Networks", Proceedings of the Seventh IEEE International Symposium on Computer Networks (ISCN'06), pp. 30-35, June 2006.
[11] S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer", in Proceedings of the 1994 IEEE Symposium on Security and Privacy, page 202, IEEE Computer Society, 1994.
[12] Yao-Guang Wei, De-Ling Zheng, Ying Wang, "Research of a negative selection algorithm and its application in anomaly detection", Proceedings of 2004 International Conference on Machine Learning and Cybernetics, Volume 5, 26-29 Aug. 2004.
[13] D. Dasgupta, "Immune-based intrusion detection system: a general framework", in Proceedings of the 22nd National Information Systems Security Conference (NISSC), 1999.
[14] J. S. Balasubramaniyan, J. O. G. Fernandez, D. Isacoff, E. Spafford, and D. Zamboni, "An Architecture for Intrusion Detection using Autonomous Agents", COAST Technical Report 98/5, Purdue University, 1998.
[15] Mark Crosbie and Eugene Spafford, "Defending a computer system using autonomous agents", in Proceedings of the 18th National Information Systems Security Conference, October 1995.
[16] J. Kim and P. J. Bentley, "Evaluating negative selection in an artificial immune system for network intrusion detection", in Proc. Genetic and Evolutionary Computation Conf. (GECCO'01), San Francisco, CA, Jul. 7-11, pp. 1330-1337.
[17] J. Kim and P. Bentley, "The artificial immune system for network intrusion detection: An investigation of clonal selection with negative selection operator", Proc. Congr. Evolutionary Computation (CEC'01), pp. 1244-1252, May 27-30.
[18] J. Kim and P. Bentley, "Toward an artificial immune system for network intrusion detection: An investigation of dynamic clonal selection", Proc. Congr. Evolutionary Computation (CEC'02), pp. 1015-1020, May 12-17, 2002.
[19] L. N. de Castro and J. Timmis, "Artificial Immune Systems: A New Computational Intelligence Approach", Berlin, Germany: Springer-Verlag, 2002.
[20] V. K. Khatavkar, Suraj Sawant, "An Adaptive LAN IDS using improved Negative Selection Algorithm based on Counting Bloom Filter", International Conference on Computational Intelligence, 2011.
[21] S. Hofmeyr and S. Forrest, "Architecture for an artificial immune system", Evolutionary Computation, 7(1):45-68, 2000.
[22] S. Hofmeyr, "An immunological model of distributed detection and its application to computer security", PhD thesis, University of New Mexico, 1999.
[23] V. K. Khatavkar, "Bio inspired intrusion detection system for LAN", Bio Engineering Sciences Present Status and Future Perspective (NCBFS-13).
[24] D. Dasgupta, Z. Ji, F. Gonzalez, "Artificial Immune System (AIS) Research in the Last Five Years", The 2003 Congress on Evolutionary Computation (CEC'03), Volume 1, Dec. 2003.
[25] Sarang Dharmapurikar, Haoyu Song, Jonathan Turner, John Lockwood, "Fast packet classification using Bloom Filters", Proceedings of the 2006 ACM/IEEE Symposium on Architecture for Networking and Communication Systems.
[26] Vaibhav Khatavkar, Suraj Sawant, "An Adaptive LAN IDS using improved Negative Selection Algorithm based on Counting Bloom Filter", Second International Conference on Computational Intelligence Applications, 2011.
[27] Joseph S. Sherif, Tommy G. Dearmond, "Intrusion Detection: Systems and Models", Proceedings of the 11th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2002.
[28] Zhu Tieying, Ma Zhixing, Liu Shaojun, Zhou Zhiguo, "Improved Negative Selection Algorithm Based on Bloom Filter", Proceedings of the 2009 International Conference on E-Business and Information System Security.