Abstract
Mobile ad hoc networks (MANET) have become one of the hottest research areas in computer science, including in military and civilian applications. Such applications have formed a variety of security threats, particularly in unattended environments. An Intrusion detection system (IDS) must be in place to ensure the security and reliability of MANET services. These IDS must be compatible with the characteristics of MANETs and competent in discovering the biggest number of potential security threats. In this work, a specialized dataset for MANET is implemented to identify and classify three types of Denial of Service (DoS) attacks: Blackhole, Grayhole and Flooding Attack. This work utilized a cluster-based routing algorithm (CBRA) in MANET.A simulation to gather data, then processed to create eight attributes for creating a specialized dataset using Java. Mamdani fuzzy-based inference system (MFIS) is used to create dataset labelling. Furthermore, an ensemble classification technique is trained on the dataset to discover and classify three types of attacks. The proposed ensemble classification has six base classifiers, namely, C4.5, Fuzzy Unordered Rule Induction Algorithm (FURIA), Multilayer Perceptron (MLP), Multinomial Logistic Regression (MLR), Naive Bayes (NB) and Support Vector Machine (SVM). The experimental results demonstrate that MFIS with the Ensemble classification technique enables an enhancing security in MANET’s by modeling the interactions among a malicious node with number of legitimate nodes. This is suitable for future works on multilayer security problem in MANET.
Keywords
Introduction
Mobile Ad hoc Network (MANET) is a multi-hop, wireless, self-configuring network that could be created without the necessitate for pre-installed infrastructure or centralized administration [1]. All devices in the network act as hosts and packet-forwarding routers simultaneously [2]. Device mobility, wireless connections, and the lack of central administration creates more susceptible security threats to MANETs than traditional networks [3]. Thus, it is essential to protect the MANET from various security attacks. Unfortunately, attaining this goal is a major challenge due to the limited resources of MANETs such as memory and processing abilities [4]. With such restrictive characteristics, conventional security measures such as cryptography are not enough for MANET [5].
MANETs are highly susceptible to attacks because of their open and disseminated nature and restricted devices resources. Also, in MANETs packets, broadcasting has to be done often; devices can be positioned randomly in an environment so that the attacker could simply inject adversary to MANET [6]. A denial of Service (DoS) attack is regarded as one of the most common and hazardous attacks which threatens MANET security [7].
This attack may be in many forms, and its major purpose is to suspend or interrupt services presented by MANETs [8]. Since the procedure of preventing attacks is not forever successful, an IDS is required to discover the unknown and known attacks and alert devices about them [9]. IDS permit the discovery of suspicious or abnormal activity and activate an alarm when an intrusion happens.
Implementing IDS for MANETs is very hard because it does not contain any centralized location where to implement security resources. In addition, the MANET does not have a specialized set of data containing normal profiles and attacks, which could be utilized to discover an attacker’s signature [10]. Because of the above challenges when designing IDS for MANETs, two important criteria has to be considered. 1. The IDS must be highly accurate in detecting intruders involving unknown attacks, 2. It should be lightweight to make sure minimal overhead in the MANET’s infrastructure [11].
Thus, in this work, a specialized MANET dataset is created to characterize three types of DoS attacks namely Flooding Black hole (BG) and Gray Hole (GH) in addition with the normal activities when no attacks exist. A cluster-based routing algorithm (CBRA) was utilized in this study. This choice was created because CBRA devices consumes limited power for routing and its ease characterizes. MFIS is used to create dataset labelling. Furthermore, an ensemble classification technique is utilized to classify three types of attacks.
The rest of the paper is arranged as follows. Section II reviews the relevant work of existing intrusion detection techniques. Furthermore, Section III describes the Dataset Creation using MFIS and Dataset Description. Section IV explains BG, HG and flooding attacks. Section V provides the proposed intrusion detection system with ensemble classification. Section VI presents the experimental results attained from the IDS and discusses the significance of the results attained. Conclusion and future works are provided in Section VII.
Related work
This section reviews the relevant work of existing intrusion detection techniques in MANET.
Panda et al. [12] proposed an intelligent routing algorithm using the Ant Colony Optimization (ACO) method, which uses energy-saving techniques that detect the shortest paths from source to target, avoid connection failure and prolong the life of the connection. Uses the concept of Digital Signatures, Watchdog and Path Rater to detect and prevent BH and GH attacks.
Abdel-Azim et al. [13] proposed an optimal fuzzy based intrusion detection system with an automation procedure that would create a fuzzy system utilizing an Adaptive Neuro-Fuzzy Inference System (ANFIS) for the launch of FIS and Using the Genetic Algorithm (GA) for optimization.
Navina et al. [14] recommended a trust-based routing system to ensure secure routing. This routing system is divided into two stages, namely Data Retrieval (DR), to discover and protect each node data transmit method in routing surroundings and path development stages, to forecast the saferoute for sending a data packet to the destination node.
Gurung et al. [15] classify DoS attacks and highlight the differences between the BH, sequence number based GH and smart GH attack. By modifying the AODV protocol, the authors analysed two different types of attacks, Attack 1 and 2. Attack2 (SGAODV) is a smart GH attack, whereas 1 (GAODV) is a GH attack based on sequence numbers (SN). The NS-2.35 simulator is used to monitor the impact of GH attacks on AODV, MBDP and IDS AODV. They came to the conclusion that under sequence based GH assaults, MBDP performs better than IDS and AODV. It has been determined that the smart GH attack has less effect than the SN based GH attack.
A dual attack discovery method for BH and GH attacks (DDBG) for MANETs was presented [16]. The DDBG method chooses a node utilizing the connected dominating set (CDS) method before placing the it in the IDS set.The power and absence from the blacklist will be checked. CDS is a useful, unique, and localized technique for locating sets of almost completely dominant nodes in MANET. The chosen nodes transmit a packet within the dominating set size to achieve a complete behavioural data. These nodes used the DDBG method to study the behavioural data and for identification of malicious nodes. If it seems to be suspicious,it is added to the blacklist. They concluded that the quality of the service parameters of the method is better than the existing routing systems.
Khan et al. [17] presented the design for significant network layer attacks, BH, GH and wormhole (WH) attacks. Performance analysis of the AODV protocol using NetSim, a network simulator, is performed under the influence of each designed attack. The authors concluded that network layer attacks affect low power consumption and the packet delivery capability of the AODV protocol in the short term. The design of the attacks assists in comprehending the behaviour of the attack and, therefore, helps to implement a defence method in AODV.
A modified safe AODV protocol to avoid WH attacks was formulated [18]. This technique is utilized for discovering both passive and active attacks without using special hardware setup. This modified safe AODV detects the Packet Forward Ratio (PFR) and round trip time (RTT) of each node, rather than detecting the whole network. Therefore, the quality of service has been enhanced.
Luong et al. [19] presented a novel flooding attack discovery algorithm (FADA) for MANETs using a machine learning technique. This algorithm depends on the historical data to find the path of node and determines whether a node is malicious. It also identifies the nodes with similar characteristics and activities belonging to that of same class. A novel Flooding Attack Prevention Routing Protocol (FAPRP) through expanding the unique AODV protocol and incorporating the FADA algorithm has been presented. The effectiveness of this solution is valued using NS2 simulator under both normal and RREQ attack based on the detection rate, PFRand routing load. Hence, it can be concluded that FAPRP could detect 95% of RREQ flooding attacks in all situations with a path detection frequency > 35 and executes better PFRthan the existing solutions.
Mohammadi et al. [20] presented protection against flooding dynamic source routing protocol. This technique not only discovers malicious nodes but also imposes adequate penalties and reconsiders them. The outcomes of this technique in the NS-2 surroundings indicate that it enhanced PDR.
Gurung et al. [21] presented a novel method to mitigate the flooding attack method, which uses a dynamic threshold value and consists of three phases. It uses numerous specialized nodes called Flooding-Intrusion Detection System (F-IDS) in MANETs to discover and avoid flooding attacks. F-IDS nodes are set up indecently to monitor the activities of the node. This method can enhance the network performance measurements based on PDR, throughput and decreases routing overhead and normal routing load.
To guarantee network secrecy and integrity, the System with an Intelligent Client Agent and a Smart Server equipped with a fuzzy inference rule based service engine was formulated [21]. Experimental study demonstrates that the suggested model outperforms the existing method in terms of assured delivery ratio and end-to-end delay, and is highly attack resistant, reliable, and secure on devices. Using Mamdani and Sugeno type FIS, IDS is created to identify packet dropping attacks. The fundamental distinction between Mamdani and Sugeno type FIS is presented in this study. In order to achieve this, a packet dropping attack scenario is created using the Qualnet simulator, and the generated systems’ performance is examined using the MATLAB toolbox[22].
From the above analysis, it can be concluded that, the trust based security management system offers a way to address the security concerns in MANET. So this work formulated a novel IDS using fuzzy inference system. Thus, Fig. 1 depicts the block diagram of the proposed system. To ensure high intrusion detection, two of the key contributions namely, gathering information in order to find intruders and implementation of ML for dataset for evaluation has been formulated.
Proposed IDS model for MANET.
Dataset creation and description
The dataset construction procedure focuses on data compilation methods and attacks circumstances. It is made up of the following components: The data collection training module is accountable for gathering traffic data on the MANET network; The data preprocessing module is useful for attaining related features; The MFIS module is dependable for examining data gathered against suspicious activity and defining class labels.
Data collection training module
It displays the collected and abstracted processed traffic. Each device can act as a sender, receiver or router. During the data gathering procedure, the network cannot assure the same path to reach the chosen destination. Thus, additional nodes are needed. The mobile devices can be of two types, the first one contains devices that can be utilized as a sender, receiver, or router for sending packets. Second one is a device with specialized capabilities utilized to gather data for IDS. This IDS device (or tracking device) must be secured to ensure the integrity of the data gathered. This particular device is utilized in both the routing device and the data collection device. In the network tracking procedure, the IDS device monitors the network and gathers specific audit data for neighbouring devices. Network Characteristic Values (NCF) are the form in which the data is collected. All network traffic that passes across the network is collected in a dataset. This NCF dataset contains descriptions of each of these attributes.
Data preprocessing module
It defines the related features of the data preprocessing technique. The feature selection is needed to get the impact of the malicious device on routing activities and mobile network topology. For this reason, a common dataset, a comprehensive investigation of attack, and a choice of recent DoS attacks against MANET is considered in this work. The study will be restricted to three types of attacks namely BH, Flooding and GH.
The blackhole attack drops all the packets obtained for forwarding, while the grayhole drops the packets at specific frequencies. It presents the highest destination sequence number (SN) and lowest hop count (HC) number in routing control packets to attract the source device and drop packets. These attacks inject fake Route Reply (RREP) packets into the source node.
Moreover, the flooding attack is repeatedly injecting duplicate packets into the network. Thus, all devices in the MANET consume the power to send unwanted packets. Beginning with the NCF dataset, four features such as, HC, packet dropped rate and packet delivery ratio are considered as a pertinent features and these measures will be examined by the Mamdani fuzzy-based inference System (MFIS).
Mamdani based fuzzy inference system\\ (MFIS) module design
The Mamdani type is used by FIS to interpret the label values of data points. PDR and DPDR are utilized as input parameters. The formula of PDR is shown in Equation (1)
Furthermore, the formula of DPDR showed in Equation (2).
For the GH attack, for instance, the membership functions are allocated. The FIS with Mamdani may interpret a specific rule (shown in Fig. 2). The rule calculates fuzzy outputs using knowledge base and the fuzzy inputs from the fuzzification stage. The Verity Levels are expressed for these Crisp outputs in three categories: Low, Medium and High. The rule basis for malicious behaviour below demonstrates the rule in Table 1. These crisp outputs are expressed in four types, namely normal, BG, GH and flooding attacks.
FLC detection process.
MFIS rule base
The above MFIS rule base is generated based on the following 5 cases. Let a MANET device P receive four packets and forward four packets. Then PDR is (4/4 = 1) and DPDR is (1-1 = 0). From Table 1, then P is Low. Let a MANET device P receive four packets and drop all packets(forward 0 packets). Then PDR is (4/0 = ∞) and DPDR is (1 - ∞ = ∞) then P is high. Let a MANET device P receive four packets and forward one packet only. Then PDR is (4/1 = 4) and DPDR is (1– 4 = –3). From Table 1, then P is Medium.
After the three modules were implemented, the final dataset was created. Then the dataset was split into training (70%) and testing (30%) datasets.
Machine learning techniques, especially ensemble classification, can be utilized for anomaly-based intrusion detection. The model presented through the supervised learning procedure can create predictions on novel data events. The good performance of the presented model could be explained by selecting a good classification algorithm. Ensemble classification is a technique of combining multiple classifiers by a meta-classifier. The ensemble technique uses multiple classification algorithms to achieve better predictive performance than a single classification algorithm. Thus, this section proposed an ensemble classification and prediction algorithm for intrusion detection. Here, a stacking algorithm as a classifier to categorize the meta-features to achieve the final class. Classifiers from the first layer (C4.5 + FURIA + MLP + MLR + NB + SVM) return the probability of belonging to a class (meta-features). In the second layer, these meta-features are the input of the stacking classifier.
Initially, six classifiers will create a dataset with six dimensions. A secondlevel classifier (meta-classifier) is utilized over the firststage dataset. In this study, a Random Forest topology was used as metaclassifier. The suggested stacking model's performance is different from the individual classifiers in terms of performance measures. Algorithm of the Proposed Model is shown in Fig. 3. At last, the classifier’s output can be Normal or BH or GH or Flooding.
Flow diagram of the ensemble classification algorithm for intrusion detection.
Waikato Environment for Knowledge Analysis (WEKA) Toolbox was utilized for the C4.5, FURIA, and MLP, MLR, NB, SVM and stacking classification and prediction. Algorithm shows the proposed ensemble classification algorithm for intrusion detection
This section presents the experimental results attained from the IDS. In this work, CBRA routing protocol in a network-based MANET is considered. The proposed NCF dataset comprises 1510 samples. It is made up of a number of classes. Each class contains 302 sample distributions. The experimental measurements of a performance metrics are utilized to evaluate the features of the network with normal and abnormal activities. Java and Weka tools are utilized for ensemble classification algorithm based IDS execution. This algorithm has six well-known ML classifiers: C4.5, FURIA, MLP, MLR, NB, SVM, and one meta-classifier (Random Forest) namely stacking classifier in terms of Accuracy, Recall, Precision, and F-Measure.
Table 2 and Fig. 4 displays the overall performance of the stacking classifier and other six classifier. Figures demonstrate that using 70% training data and 20% test data, the accuracy score of proposed classifiers namely C4.5, FURIA, MLP, MLR, NB, SVM, and one meta-classifier (Random Forest) was found to be. 70%, 76%, 91%, 83%, 76%, 86% and 96%.
Performance metrics.
Performance analysis
C4.5 achieved remarkable results such as 70 % accuracy, 67 % recall, 65 % precision, and lastly 66 % f-measure. Following the examination, FURIA achieves a notable result of 76% accuracy, recall of 75 %, while precision is 79% and 74 % of F-measure. The accuracy score of MLP was found to be 91 %, 88 % recall, 93 % precision, and 91 % f-measure. Figure 6 shows that the suggested Stacking classifier outperformed C4.5, FURIA, MLP, MLR, NB and SVM. According to the ensuing graph, the Proposed Stacking Classifier model has the greatest accuracy (96%), recall (100%), precision (99 %), and f-measure (96 %) scores than any other model.
The purpose of this work is to develop IDS and prevention methods that can effectively control DoS attacks. To this end, a dataset for MANET was built to classify the three types of DoS attacks. BH, GH and flooding attacks were considered here. Data was collected using Java. Datasets with both malicious and normal network were utilized to study the effectiveness of the proposed system. The ensemble classification algorithm was built using the WEKA toolbox; Attacks were classified utilizing seven classifiers, such as C4.5, FURIA, MLP, MLR, NB, SVM and ensemble classifiers, with a classification accuracy of. 70%, 76%, 91%, 83%, 76%, 86% and 96%.respectively. From these results, it could be concluded that the ensemble classification algorithm trained in the collected dataset would be most effective in classifying DoS attacks as it could attain high classification accuracy in the presence of more than one attack. In the future, this work may be extended to include other types of DoS attacks, such as Wormhole or Sybil. It is also feasible to use other classifiers and data mining techniques.
Footnotes
Funding statement
The authors received no specific funding for this study.
Conflicts of interest
The authors declare that they have no conflicts of interest to report regarding the present study.