International Journal on Advanced Computer Theory and Engineering (IJACTE)

ARTIFICIAL IMMUNE SYSTEM FOR ROUTING PROTOCOL IN MANET

Vaibhav Khatavkar (1), Deepika Sirsath (2), Ketaki Fadnavis (3), Aishwarya Vora (4)
1 Assistant Professor; 2,3,4 B.Tech Computer Students (Research Scholar), Dept. of Comp. Engg. and Inf. Technology, College of Engineering, Shivajinagar, Pune, MS, India
Email: [email protected], [email protected], [email protected], [email protected]

Keywords: Mobile Ad-hoc Network, Intrusion, Detection, Artificial Immune System.

Abstract. A mobile ad hoc network (MANET) is vulnerable to routing misbehaviour caused by faulty or malicious nodes. Misbehaviour detection systems are designed to remove this vulnerability. Our system uses concepts from Artificial Intelligence (AI) and the Human Immune System (HIS) to detect misbehaviour in the routing protocol. Once a node has been attacked, the system not only detects the attack but also informs the node's neighbours about it, thereby protecting the entire network. The idea mirrors the human body: once we have suffered from a particular disease, we develop immunity against it.

I. INTRODUCTION

An Artificial Immune System (AIS) applies AI concepts and is inspired by the HIS, which is robust, decentralized, error tolerant and adaptive [1]. In this section we present the features of an AIS. The topic is covered in [2],[3]; we summarise that work in Figure 1.

Figure 1: AIS Features

Routing Protocols: Kim and Bentley presented three properties of IDSs that satisfy the seven requirements stated above [2],[4]. Another piece of work, by Somayaji et al. [3], identifies twelve immune features that are desirable for an effective IDS. Routing protocols in MANETs are classified as proactive and reactive; both classes are discussed in [5],[6]. Figure 2 depicts the classification.
ISSN (Print): 2319-2526, Volume 3, Issue 1, 2014

Figure 2: Routing Protocols

Ad hoc networks are vulnerable to many kinds of attack because of the dynamic, distributed, infrastructureless nature of MANETs and the lack of a centralized authority [7]. Routing attacks in MANETs include the wormhole attack, the black hole attack, routing table poisoning, the flooding attack [8], the invisible node attack [9] and the node isolation attack [10]. These attacks are explained by Sudhir et al. [7].

II. RELATED WORK

Hofmeyr and Forrest use an AIS for intrusion detection in wired local area networks. Their work is based on the negative selection part of the self-nonself model and on some form of danger signal [11],[12]. TCP connections play the role of self and nonself cells. A connection is represented by a triplet encoding the sender's address, the receiver's address and the receiver's port number. A detector is a bit sequence of the same length as the triplet; a detector matches a triplet if the two have M contiguous bits equal, where M is a fixed system parameter. Candidate detectors are generated randomly; in a learning phase, detectors that match any correct (i.e. self) triplet are eliminated. This is done offline, by presenting only correct TCP connections. Detectors that survive have a finite lifetime and die unless they match a nonself triplet, as in the immune system. The danger signal is also used: it is sent by humans as confirmation in case of a potential detection. This is a drawback, since human intervention is required to eliminate false positives, but it allows the system to learn changes in the self. In the terminology of statistical pattern classification, this use of the danger signal can be viewed as a form of supervised training.

Kim and Bentley [16] show that straightforward mappings have computational problems and lead to poor performance, and they introduce a more efficient representation of self and nonself than in [11]. They show the computational weakness of negative selection and add clonal selection to address it [16]. In subsequent papers they examine clonal selection with negative selection as an operator [17] and dynamic clonal selection [18], showing how different parameters affect detection results.

De Castro and Timmis [19] discuss the immune theories relevant to pattern recognition and introduce their computational counterparts. They describe how to model pattern recognition in artificial immune systems, survey AIS for pattern recognition, and discuss combining AIS with Artificial Neural Networks (ANN) for pattern recognition tasks.

All of the above work targets wired networks; we are designing a similar system for wireless networks. Khatavkar and Sawant designed a system of this kind for a wired network [20].

The system proposed by Dipankar Dasgupta in [13] attempts to integrate several potentially useful immunological properties in a single framework in order to develop a robust and intelligent detection system. It has some unique features compared to the existing agent-based detection systems [14],[15]: simultaneous multi-level monitoring, detection of known and unknown intrusions, and hierarchical sense-and-response mechanisms. The system performs real-time monitoring and analysis and generates an appropriate response to intrusive activities. It is designed to be flexible and extensible, to meet the specific security needs and preferences of an organization.

III. PROPOSED ALGORITHM

We implement an AIS in a MANET using the Negative Selection Algorithm (NSA) proposed by Forrest et al. [21],[22]; the same algorithm was used by Khatavkar and Sawant [20],[23].

Negative selection algorithm (NSA): the algorithm mimics the mechanism by which the immune system trains T-cells to recognize antigens (nonself) while preventing them from recognizing the body's own cells (self) [24]. It consists of three phases: defining self, generating detectors, and monitoring for the occurrence of anomalies. The profiled normal patterns are regarded as 'self' patterns. In the second phase, a number of random patterns are generated and compared against each self pattern defined in the first phase. A randomly generated pattern that matches a self pattern fails to become a detector and is removed; otherwise it becomes a 'detector' pattern and monitors subsequently profiled patterns of the monitored system. During the monitoring stage, if a detector pattern matches a newly profiled pattern, a new anomaly is considered to have occurred in the monitored system [12].

Figure 3: Training Phase

As shown in Figure 3, the routing information of each node in the network is collected and given to the negative selection algorithm. Its output is the self set. This is called the training phase. Then the routing information and the contents of the self set are given to the NSA. The output has two possibilities, depending on whether the routing information matches the self set or not: if a match occurs there is no intrusion, and if no match occurs there is an intrusion. This phase is called the detector phase, as it detects intrusions. When there is no intrusion no action is needed; when there is an intrusion, an alarm is generated to inform the other nodes in the network about the attack. In this way the whole network becomes immune against the attack.

Figure 4: Detector Phase

IV. IMPLEMENTATION

Recent research on anomaly detection based on the negative selection algorithm of artificial immune systems is promising, but it suffers from excessive overhead in time and space, a large number of detectors, and low detection efficiency. The improved negative selection algorithm based on a Bloom filter, shown in Figure 9, stores the antibodies in a Bloom filter [24]. A Bloom filter is an array of n bits, all 0 when the filter is empty. There are k different hash functions, each of which maps a set element to one of the n array positions with uniform distribution (see the Wikipedia article on Bloom filters). To add an element, feed it to each of the k hash functions to obtain k array positions and set all of them to 1 [26].

Many IDSs are developed using various data mining techniques [24]. Most are signature-based IDSs that make use of IP addresses. A signature-based IDS stores IP addresses either in a file or in data structures such as linked lists or trees. Zhu Tieying used a Bloom filter in an IDS to store the IP addresses of the computers in a local network [25]. Bloom filters are used by Dharmapurikar et al. in packet classification [27]; they can also be used in an IDS, as Zhu Tieying et al. do [25].
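The training and detector phases of Section III, as an added Python example written for this page (it is not the authors' implementation). The paper does not give its record encoding or its matching rule, so the following are assumptions: each routing record is a (source node, next hop, hop count) triple packed into three 8-bit fields, detectors match under the r-contiguous-bits rule with r = 8, and the normal and later records are constructed sample data.

```python
import random

# Assumed encoding: three 8-bit fields (source node id, next-hop id, hop count)
# packed into one 24-bit self/nonself pattern. The paper does not give its encoding.
FIELD_BITS = 8
PATTERN_BITS = 3 * FIELD_BITS
R = 8  # r-contiguous-bits matching threshold (assumed value)


def encode(src, next_hop, hops):
    """Pack one routing record into a PATTERN_BITS-long bit string."""
    for v in (src, next_hop, hops):
        if not 0 <= v < (1 << FIELD_BITS):
            raise ValueError("field out of range")
    return f"{src:0{FIELD_BITS}b}{next_hop:0{FIELD_BITS}b}{hops:0{FIELD_BITS}b}"


def r_contiguous_match(a, b, r=R):
    """True if a and b agree on at least r consecutive bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def build_self_set(records):
    """Training phase: the encoded normal routing records are the self set."""
    return {encode(*rec) for rec in records}


def generate_detectors(self_set, count, rng, max_candidates=20000):
    """Negative selection: keep random patterns that match no self pattern."""
    detectors = []
    for _ in range(max_candidates):
        if len(detectors) == count:
            break
        cand = "".join(rng.choice("01") for _ in range(PATTERN_BITS))
        if any(r_contiguous_match(cand, s) for s in self_set):
            continue  # reacts to self: censored, never becomes a detector
        detectors.append(cand)
    return detectors


def classify(record, self_set, detectors):
    """Monitoring phase. Returns 'self', 'intrusion' or 'hole'.

    'hole' marks a pattern that is neither in the self set nor covered by any
    detector: it is undetectable with this detector set. Such coverage gaps
    are the usual reason a fixed detector set misses more as traffic grows.
    """
    pat = encode(*record)
    if pat in self_set:
        return "self"
    if any(r_contiguous_match(pat, d) for d in detectors):
        return "intrusion"
    return "hole"


# Constructed sample data: normal routing records seen during training, and two
# records produced later (one normal, one with an implausible next hop and hop count).
NORMAL_RECORDS = [(1, 2, 1), (1, 3, 2), (2, 3, 1), (3, 4, 1), (4, 1, 3), (2, 4, 2)]
LATER_RECORDS = [(2, 3, 1), (1, 9, 200)]


def run_demo(seed=7, n_detectors=60):
    """Train on NORMAL_RECORDS, generate detectors, classify LATER_RECORDS."""
    rng = random.Random(seed)
    self_set = build_self_set(NORMAL_RECORDS)
    detectors = generate_detectors(self_set, n_detectors, rng)
    verdicts = {rec: classify(rec, self_set, detectors) for rec in LATER_RECORDS}
    return verdicts, detectors, self_set


if __name__ == "__main__":
    verdicts, detectors, _ = run_demo()
    print(f"{len(detectors)} detectors survived negative selection")
    for rec, verdict in verdicts.items():
        print(rec, "->", verdict)
```

Whether the anomalous record lands on "intrusion" or "hole" depends on the random detectors; in practice the detector count is raised, or detectors are regenerated, until the hole rate over held-out anomalies is acceptable.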
Figure 5: Bloom Filter when an IP address is stored
Figure 6: Bloom Filter when an IP address is not stored

A Counting Bloom Filter is an improved version of the Bloom filter: instead of just setting array elements, it increments the counter stored at each hashed index. The IP address is stored in the Bloom filter; storing an IP address means hashing the address (Si) and setting the corresponding array elements to 1. Figures 5 and 6 illustrate the stored and not-stored cases. To search for an IP address, the address is hashed and the corresponding array elements are checked; if all of them are 1, the address is present in the Bloom filter. Figure 7 illustrates the use of a counting Bloom filter for inserting an IP address, and Figure 8 its use for searching an IP address.

Figure 7: Use of Counting Bloom Filter for inserting an IP address
Figure 8: Use of Counting Bloom Filter for searching an IP address

After introducing the Bloom filter into the Negative Selection Algorithm, the complexity of antibody generation becomes O(n * m), where n is the total number of antibodies and m is the length of an antibody, while for the enumerated method it is (( )). As for false alerts, false negatives are not generated, and false positives depend on the hash functions used in the Bloom filter. The main goal is to improve detection efficiency: the self collection is hashed into a Bloom filter and abstract keywords serve as detectors to match against the pending detection. This reduces the antibody storage overhead and cuts down the matching scale.
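The counting Bloom filter of Figures 5 to 8, as an added Python example (not the paper's code): detector addresses, the "antibodies", are inserted into the filter, membership is checked for monitoring, and an entry can be removed by decrementing its counters. The paper does not name its hash functions, so the k functions here are derived from salted SHA-256; the sizing formula is the standard Bloom-filter estimate, and the addresses are constructed.

```python
import hashlib
import math


class CountingBloomFilter:
    """Counting Bloom filter over strings (here, dotted-quad IP addresses).

    Each cell is a counter instead of a bit, so an entry can be removed by
    decrementing its k counters; a plain Bloom filter cannot delete.
    """

    def __init__(self, n_cells, k):
        if n_cells <= 0 or k <= 0:
            raise ValueError("n_cells and k must be positive")
        self.n = n_cells
        self.k = k
        self.counts = [0] * n_cells
        self.items = 0  # number of stored items, for the false-positive estimate

    def _positions(self, item):
        # k hash functions: SHA-256 over a per-function salt and the item, reduced
        # mod n. This choice is an assumption; the paper does not name its hashes.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}|{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.n

    def add(self, item):
        for p in self._positions(item):
            self.counts[p] += 1
        self.items += 1

    def contains(self, item):
        """Membership query: True if every hashed cell is non-zero.

        No false negatives: an added item always answers True. A false positive
        occurs when an absent item's k cells were all raised by other items.
        """
        return all(self.counts[p] > 0 for p in self._positions(item))

    def remove(self, item):
        if not self.contains(item):
            raise KeyError(f"{item} not present")
        for p in self._positions(item):
            self.counts[p] -= 1
        self.items -= 1

    def false_positive_rate(self):
        """Standard estimate (1 - e^(-k*m/n))^k for m stored items."""
        return (1.0 - math.exp(-self.k * self.items / self.n)) ** self.k


def size_for(expected_items, target_fp):
    """Cells n and hash count k for a target false-positive rate.

    n = -m ln p / (ln 2)^2 and k = (n / m) ln 2, the standard Bloom-filter sizing.
    """
    n = math.ceil(-expected_items * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(n / expected_items * math.log(2)))
    return n, k


# Constructed detector (antibody) addresses; nothing here is real data.
DETECTOR_ADDRESSES = ["10.0.0.5", "10.0.0.9", "192.168.1.77"]


def build_detector_filter(addresses=DETECTOR_ADDRESSES, n_cells=4096, k=3):
    """Load the antibody addresses into a counting Bloom filter."""
    bf = CountingBloomFilter(n_cells, k)
    for a in addresses:
        bf.add(a)
    return bf


def matches_detector(bf, address):
    """Monitoring step: an address that hits the antibody filter raises an alert."""
    return bf.contains(address)


if __name__ == "__main__":
    bf = build_detector_filter()
    for addr in ("10.0.0.5", "10.0.0.6"):
        print(addr, "alert" if matches_detector(bf, addr) else "clean")
    print(f"estimated false-positive rate: {bf.false_positive_rate():.2e}")
    bf.remove("10.0.0.5")
    print("after removal:", matches_detector(bf, "10.0.0.5"))
```

With the antibodies in the filter, a filter false positive is a false alarm on a self address, which matches the paper's remark that false positives depend on the hash functions; storing the self set in the filter instead would turn the same collisions into missed detections.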
It has a relatively high error rate because of potential hash collisions, but this can be reduced by careful selection of the hash functions [25][28].

Figure 9: NSA and Bloom filter

V. RESULTS

We first set up a wireless topology consisting of a finite number of nodes. The nodes exchange HELLO packets periodically. The whole setup is done in the network simulator NS2, so that a trace file is generated containing the communication details of all nodes in the network. Figure 10 shows the wireless topology in NS2. In NS2 we observed normal and anomalous behaviour for various nodes and collected trace files for both. From the trace files of normal behaviour we built the self set using the NSA, as shown in Figure 3; this self set and the traces of anomalous behaviour are then given as input to the NSA, which classifies them as anomalous or normal. We then separated the trace file for each node, gave each node's trace to the Bloom filter and determined whether the system is under attack: if a node receives the same packet more than three times, the system is considered to be under attack and the information is passed to the node's neighbours in the network.

Figure 10: Simulation in NS2

The following figures plot the number of nodes and the duration against the accuracy of our system. The detection rate decreases as the number of nodes and the duration grow. According to the simulation results, the detection rate is 98% at the beginning but decreases to 96% as the number of nodes increases, because of the false-alert rate. We have tested this for various numbers of nodes.
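The duplicate-packet rule of the results section, applied to per-node trace lines, as an added Python example (not the authors' NS2 scripts). The trace layout is the old ns-2 wireless trace format as assumed here (event, time, _node_, layer, reason, packet id, type, ...); the trace lines and the neighbour table are constructed for the example.

```python
from collections import Counter, defaultdict

ALERT_THRESHOLD = 3  # "more than thrice": a fourth reception of the same packet id trips the rule


def parse_trace_line(line):
    """Parse one ns-2 old-format wireless trace line.

    Assumed layout: event time _node_ layer reason pkt_id pkt_type ...
    e.g. 'r 1.000000000 _2_ RTR  --- 17 AODV 48 ...'. Returns None for lines
    that do not fit (comments, blank lines, malformed records).
    """
    fields = line.split()
    if len(fields) < 7 or fields[0] not in ("s", "r", "d", "f"):
        return None
    event, t, node, layer, _reason, pkt_id, pkt_type = fields[:7]
    try:
        return {
            "event": event,
            "time": float(t),
            "node": int(node.strip("_")),
            "layer": layer,
            "pkt_id": int(pkt_id),
            "type": pkt_type,
        }
    except ValueError:
        return None


def receptions_per_node(lines):
    """node id -> Counter of packet ids received ('r' events) at that node."""
    seen = defaultdict(Counter)
    for line in lines:
        rec = parse_trace_line(line)
        if rec and rec["event"] == "r":
            seen[rec["node"]][rec["pkt_id"]] += 1
    return seen


def nodes_under_attack(lines, threshold=ALERT_THRESHOLD):
    """node id -> {pkt_id: count} for packets received more than `threshold` times."""
    result = {}
    for node, ctr in receptions_per_node(lines).items():
        repeated = {pid: c for pid, c in ctr.items() if c > threshold}
        if repeated:
            result[node] = repeated
    return result


def alarms(lines, neighbours, threshold=ALERT_THRESHOLD):
    """Alarm messages an attacked node sends: (sender, recipient, pkt_id) triples."""
    out = []
    for node, repeated in sorted(nodes_under_attack(lines, threshold).items()):
        for pkt_id in sorted(repeated):
            for nb in sorted(neighbours.get(node, ())):
                out.append((node, nb, pkt_id))
    return out


# Constructed trace: node 2 receives packet 17 five times, node 3 receives 18 twice.
SAMPLE_TRACE = """\
s 1.000000000 _1_ RTR  --- 17 AODV 48 [0 ffffffff 1 800] ------- [1:255 -1:255 30 0]
r 1.000512000 _2_ RTR  --- 17 AODV 48 [0 ffffffff 1 800] ------- [1:255 -1:255 30 0]
r 1.001024000 _2_ RTR  --- 17 AODV 48 [0 ffffffff 1 800] ------- [1:255 -1:255 30 0]
r 1.001536000 _2_ RTR  --- 17 AODV 48 [0 ffffffff 1 800] ------- [1:255 -1:255 30 0]
r 1.002048000 _2_ RTR  --- 17 AODV 48 [0 ffffffff 1 800] ------- [1:255 -1:255 30 0]
r 1.002560000 _2_ RTR  --- 17 AODV 48 [0 ffffffff 1 800] ------- [1:255 -1:255 30 0]
r 1.003000000 _3_ RTR  --- 18 AODV 48 [0 ffffffff 2 800] ------- [2:255 -1:255 30 0]
r 1.003500000 _3_ RTR  --- 18 AODV 48 [0 ffffffff 2 800] ------- [2:255 -1:255 30 0]
d 1.004000000 _4_ RTR  CBK 19 AODV 48 [0 ffffffff 2 800] ------- [2:255 -1:255 30 0]
"""
SAMPLE_NEIGHBOURS = {1: {2}, 2: {1, 3}, 3: {2, 4}, 4: {3}}

if __name__ == "__main__":
    lines = SAMPLE_TRACE.splitlines()
    print("under attack:", nodes_under_attack(lines))
    for sender, recipient, pkt_id in alarms(lines, SAMPLE_NEIGHBOURS):
        print(f"node {sender} -> node {recipient}: packet {pkt_id} replayed")
```

A fixed count over the whole trace is the simplest form of the rule; on a long run it should be evaluated over a sliding time window, otherwise legitimate retransmissions accumulate and the false-alert rate grows with duration, which is the trend the figures below show.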
Thus the detection rate decreases with time and with the number of nodes.

Figure 11: Number of nodes vs Accuracy

Figure 12: Duration vs Accuracy

CONCLUSION

Absolute security is an abstract concept; it does not exist anywhere. All networks are vulnerable to insider or outsider attacks and to eavesdropping. Regardless of whether the network is wired or wireless, steps can and should be taken to preserve network security and integrity. Any secure network will have vulnerabilities that an adversary could exploit, and this is especially true for wireless ad-hoc networks, so new techniques must be developed to make intrusion detection work better for wireless networks. We have shown that in a mobile ad-hoc network it is not only necessary to ensure security at the individual node but to make the entire network immune against the various attacks that exist. Research is currently under way on new architectures for better security in wireless networks. The intrusion detection system proposed here detects intrusions by centralized collection of relevant information from the nodes. Our main aim is to make the system behave like a human immune system, which, once it has detected an attack, will not be affected by a similar attack in the future.

BIBLIOGRAPHY

[1] Amira Sayed A. Aziz, Mostafa A. Salama, Aboul Ella Hassanien, Sanaa El-Ola Hanafi, "Artificial Immune System Inspired Intrusion Detection System Using Genetic Algorithm", October 11, 2012.
[2] J. W. Kim, "Integrating Artificial Immune Algorithms for Intrusion Detection", PhD thesis, University College London, 2002.
[3] A. Somayaji, S. Hofmeyr, and S. Forrest, "Principles of a computer immune system", in Proc. of the New Security Paradigms Workshop, pages 75-82, Langdale, Cumbria, 1997.
[4] J. Kim and P. Bentley, "The human immune system and network intrusion detection", in Proc. of the European Congress on Intelligent Techniques and Soft Computing (EUFIT '99), Aachen, Germany, September 1999.
[5] Chandra Shekar Reddy Putta, K. Bhanu Prasad, Dilli Ravilla, Murali Nath R.S., M.L. Ravi Chandra, "Performance of Ad hoc Network Routing Protocols in IEEE 802.11", Int'l Conf. on Computer & Communication Technology, 2010.
[6] C. E. Perkins and E. M. Royer, "Ad-hoc On-Demand Distance Vector Routing", Proc. 2nd IEEE Workshop on Mobile Computing Systems and Applications, February 1999, pp. 90-100; RFC 3626, Optimized Link State Routing (OLSR).
[7] Sudhir Agrawal, Sanjeev Jain, Sanjeev Sharma, "A Survey of Routing Attacks and Security Measures in Mobile Ad-Hoc Networks", Journal of Computing, volume 3, issue 1, January 2011, ISSN 2151-9617.
[8] P. Yi, Z. Dai, S. Zhang, Y. Zhong, "A New Routing Attack in Mobile Ad Hoc Networks", International Journal of Information Technology, vol. 11, no. 2, 2005.
[9] T. R. Andel and A. Yasinsac, "The Invisible Node Attack Revisited", Proceedings of IEEE SoutheastCon 2007, pp. 686-691, March 2007.
[10] B. Kannhavong, H. Nakayama, N. Kato, Y. Nemoto and A. Jamalipour, "Analysis of the Node Isolation Attack Against OLSR-based Mobile Ad Hoc Networks", Proceedings of the Seventh IEEE International Symposium on Computer Networks (ISCN'06), pp. 30-35, June 2006.
[11] S. Forrest, A. S. Perelson, L. Allen, and R. Cherukuri, "Self-nonself discrimination in a computer", in Proceedings of the 1994 IEEE Symposium on Security and Privacy, page 202, IEEE Computer Society, 1994.
[12] Yao-Guang Wei, De-Ling Zheng, Ying Wang, "Research of a negative selection algorithm and its application in anomaly detection", Proceedings of the 2004 International Conference on Machine Learning and Cybernetics, volume 5, 26-29 Aug. 2004.
[13] D. Dasgupta, "Immune-based intrusion detection system: a general framework", in Proceedings of the 22nd National Information Systems Security Conference (NISSC), 1999.
[14] J. S. Balasubramaniyan, J. O. G. Fernandez, D. Isacoff, E. Spafford, and D. Zamboni, "An Architecture for Intrusion Detection using Autonomous Agents", COAST Technical Report 98/5, Purdue University, 1998.
[15] Mark Crosbie and Eugene Spafford, "Defending a computer system using autonomous agents", in Proceedings of the 18th National Information Systems Security Conference, October 1995.
[16] J. Kim and P. J. Bentley, "Evaluating negative selection in an artificial immune system for network intrusion detection", in Proc. Genetic and Evolutionary Computation Conf. (GECCO'01), San Francisco, CA, Jul. 7-11, 2001, pp. 1330-1337.
[17] J. Kim and P. Bentley, "The artificial immune system for network intrusion detection: An investigation of clonal selection with negative selection operator", Proc. Congr. Evolutionary Computation (CEC'01), pp. 1244-1252, May 27-30, 2001.
[18] J. Kim and P. Bentley, "Toward an artificial immune system for network intrusion detection: An investigation of dynamic clonal selection", Proc. Congr. Evolutionary Computation (CEC'02), pp. 1015-1020, May 12-17, 2002.
[19] L. N. de Castro and J. Timmis, "Artificial Immune Systems: A New Computational Intelligence Approach", Berlin, Germany: Springer-Verlag, 2002.
[20] V. K. Khatavkar, Suraj Sawant, "An Adaptive LAN IDS using improved Negative Selection Algorithm based on Counting Bloom Filter", International Conference on Computational Intelligence, 2011.
[21] S. Hofmeyr and S. Forrest, "Architecture for an artificial immune system", Evolutionary Computation, 7(1):45-68, 2000.
[22] S. Hofmeyr, "An immunological model of distributed detection and its application to computer security", PhD thesis, University of New Mexico, 1999.
[23] V. K. Khatavkar, "Bio inspired intrusion detection system for LAN", Bio Engineering Sciences Present Status and Future Perspective (NCBFS-13).
[24] D. Dasgupta, Z. Ji, F. Gonzalez, "Artificial Immune System (AIS) Research in the Last Five Years", The 2003 Congress on Evolutionary Computation (CEC'03), volume 1, Dec. 2003.
[25] Sarang Dharmapurikar, Haoyu Song, Jonathan Turner, John Lockwood, "Fast packet classification using Bloom Filters", Proceedings of the 2006 ACM/IEEE Symposium on Architecture for Networking and Communications Systems.
[26] Vaibhav Khatavkar, Suraj Sawant, "An Adaptive LAN IDS using improved Negative Selection Algorithm based on Counting Bloom Filter", Second International Conference on Computational Intelligence Applications, 2011.
[27] Joseph S. Sherif, Tommy G. Dearmond, "Intrusion Detection: Systems and Models", Proceedings of the 11th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2002.
[28] Zhu Tieying, Ma Zhixing, Liu Shaojun, Zhou Zhiguo, "Improved Negative Selection Algorithm Based on Bloom Filter", Proceedings of the 2009 International Conference on E-Business and Information System Security.