Ad Hoc Networks : Technologies and Protocols - University of ...
Intrusion Detection Techniques 259
Cooperative detection can result in a lower false alarm rate because a local intrusion report can be confirmed by others. It can also help the investigation and identification of the compromised node(s) behind the intrusion. For example, routing “blackhole” and network “partitioning” attacks usually result in anomalies observable by multiple IDS agents, which can then share the information to pinpoint the likely compromised node(s).
Local and Global Response. Intrusion response in MANET depends on the type of intrusion, the help (if any) from other security mechanisms, and the application-specific policy. An example response is to re-authenticate the nodes and re-organize the network, e.g., by re-initializing communication channels between the re-authenticated legitimate nodes, to exclude the compromised node(s).
9.4.2 A Learning-Based Approach
Intrusion detection in MANET is a very challenging task because there are many potential (and new) attacks, and because the distinction between intrusions and legitimate conditions is not always obvious due to the dynamically changing topology and volatile physical environment. In order to be effective (i.e., highly accurate), an ID model must perform comprehensive analysis on an extensive set of features.
One way to build such ID models is to use a learning-based approach for automatically selecting and constructing appropriate features from audit data and computing ID models. The main idea is to first start with a (broad) set of features, perhaps enumerated using domain knowledge, then apply data mining algorithms (e.g., [1] [27]) to compute temporal and statistical patterns describing the correlations among the features and the co-occurring events. The consistent patterns of normal activities and the unique patterns associated with intrusions are then identified and analyzed to select the appropriate features or construct additional features. Machine learning algorithms [29] (e.g., the RIPPER [11] classification rule learner) are then used to compute the detection models.
In this approach, the selected and constructed features are seeded from domain knowledge but are more empirical and objective because they are based on patterns computed from audit data. The inductively learned ID rules are usually more generalizable than hand-coded rules. That is, they tend to have better performance against new variants of known normal behavior or intrusions. This is because when there is more than one candidate model, classification algorithms always produce the model with better performance on a hold-out dataset, which is not used to produce the models and is intended to simulate the situation of encountering unseen or future cases.
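As an added example (not the book's code), a Python sketch of the selection step just described: one candidate model per candidate feature is learned on training audit records, and the hold-out set, never used for learning, decides which candidate survives. The audit features and their names, the constructed records, and the one-threshold rule learner standing in for RIPPER are all assumptions made for the illustration.

```python
# Added example, not the book's code: learn a blackhole detector from constructed
# MANET audit records; a one-threshold rule learner stands in for RIPPER.
import random

# Constructed per-node audit features (names are assumptions, not the book's):
#   fwd_ratio  = packets forwarded / packets received (a blackhole drops them)
#   rrep_rate  = route replies sent per route request seen (a blackhole over-replies)
#   link_churn = neighbour changes per interval (mobility noise, not an attack signal)
def make_audit_data(n, seed=1):
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        attack = rng.random() < 0.3
        churn = rng.uniform(0.0, 1.0)
        if attack:
            rec = {"fwd_ratio": rng.uniform(0.0, 0.3), "rrep_rate": rng.uniform(0.8, 1.0)}
        else:  # mobility lowers a legitimate node's forwarding ratio a little
            rec = {"fwd_ratio": rng.uniform(0.6, 1.0) - 0.2 * churn, "rrep_rate": rng.uniform(0.0, 0.5)}
        rec["link_churn"] = churn
        data.append((rec, "blackhole" if attack else "normal"))
    return data

def classify(rule, rec):
    """rule = (feature, threshold, low_is_attack, ...): flag the record on the attack side."""
    feature, thr, low_is_attack = rule[:3]
    return "blackhole" if (rec[feature] <= thr) == low_is_attack else "normal"

def accuracy(rule, data):
    return sum(classify(rule, r) == label for r, label in data) / len(data)

def learn_stump(train, feature):
    """Best single-threshold rule for one feature on the training set."""
    vals = sorted(r[feature] for r, _ in train)
    best = None
    for lo, hi in zip(vals, vals[1:]):
        for low_is_attack in (True, False):
            cand = (feature, (lo + hi) / 2, low_is_attack)
            acc = accuracy(cand, train)
            if best is None or acc > best[3]:
                best = cand + (acc,)
    return best

def learn_detector(data, holdout_frac=0.3, seed=7):
    """One candidate model per feature; the hold-out set, never trained on, picks the winner."""
    data = random.Random(seed).sample(data, len(data))  # shuffled copy
    k = int(len(data) * holdout_frac)
    holdout, train = data[:k], data[k:]
    candidates = [learn_stump(train, f) for f in data[0][0]]
    return max(candidates, key=lambda c: accuracy(c, holdout))
```

Because link_churn carries no attack signal in the constructed data, its candidate rule loses on the hold-out set even though domain knowledge put it in the initial feature set.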
The learning-based approach toward ID models has proved successful in wired network environments [26]. It is therefore rational to believe that