CHAPTER 1: INTRODUCTION
1.0 Introduction
This chapter is an introduction to the research work; it gives an overview of the problem statement, the aim and precise objectives of this work. It equally presents the scope as well as the significance of the study.
1.1 Background of the study
The proliferation of wireless mobile devices has revolutionized the world, leading to the popularity of mobile ad hoc networking technology [1]. The emergence of the mobile ad hoc network (MANET) has facilitated the drift from personal computing to ubiquitous computing in our society. Today, mobile devices such as smartphones, laptops, notebooks and tablets are fast becoming an integral part of everyday life, and a good number of those in academia and industry now access the Internet on the go through a wide range of mobile devices [2].
A mobile ad hoc network (MANET) is simply described as an autonomous collection of wireless mobile devices that communicate and cooperate with each other in a distributed manner in order to provide the necessary network functionality in the absence of a fixed infrastructure [3]. It consists of a group of independent mobile devices that are linked over various wireless links. Normally, mobile ad hoc networks operate on constrained bandwidth, have dynamic network topologies and enable devices to link up seamlessly without pre-existing communication infrastructure. Due to the ease and speed with which MANETs are established, they are widely used anytime and anywhere, such as in shopping malls, mobile offices, cafes and school settings [4].
Wireless mobile ad hoc networks have been gainfully employed on university campuses and in airports, hotels and conference settings because they facilitate collaboration and provide efficient communication. Consequently, the opportunities arising from the application of MANETs are enormous. On the other hand, they carry high risks and many possibilities of attack, so security issues pose various challenges to the application of mobile ad hoc networks. Besides, securing this network has become even more intricate because the mobile devices constituting MANETs have limited processing and memory resources [5].
The fact that MANETs do not have a clear entry point makes the implementation of perimeter-based defense mechanisms impractical. Moreover, preventive solutions such as authentication and encryption developed for the protection of mobile ad hoc networks are insufficient for protecting mobile ad hoc networks [6].
As the importance and intricacy of MANETs increase, more complex and distributed attacks continue to emerge. One of the most widespread network attacks, one that poses a grave danger and hampers the application of the mobile ad hoc network, is the denial of service (DOS) attack. A denial of service attack is an explicit malicious attempt to render a service, system or network unusable by its legitimate users [7]. Such an attack can consume so much memory on the target system, or cause the target system to reboot or even crash.
When the traffic of a denial of service (DOS) attack emanates from multiple sources, it is referred to as a Distributed Denial of Service (DDOS) attack [8]. By using multiple attack sources, the power of a DDOS attack is amplified and the problem of defense is made more complex. The impact of DDOS attacks can vary from minor inconvenience to users of a web site to severe financial losses for institutions that rely on their online availability to carry out their businesses.
In contrast to other forms of intrusion, a denial of service attack does not require the attacker to gain physical access or entry into the targeted server. Typically, a DDOS attack is coordinated across many systems all controlled by a single attacker, commonly referred to as a 'master'. Prior to the attack, the master compromises a large number of hosts, without their owners' knowledge, and installs software that will later enable the coordinated attack. These compromised hosts, called zombies, are then used to perform the actual attack [9].
Distributed denial of service attacks exhaust host resources and take up a lot of bandwidth, making the victim host unable to accept normal network requests and resulting in substantial economic losses. In a typical DDOS attack, a huge number of compromised hosts are amassed to send useless packets to the victim, which is thereby deprived of access to the Internet or its resources. DDOS attacks affect the regular functioning of organisations, causing losses worth billions of dollars. For this reason, organisations are trying their best to curtail such losses by countering DDOS attacks.
A denial-of-service (DOS) attack directed against one or more network resources often floods the target with an overwhelming number of Synchronous (SYN), Internet Control Message Protocol (ICMP), or User Datagram Protocol (UDP) packets, or with an overwhelming number of SYN fragments. Depending on the attackers' intent and the extent and success of previous intelligence gathering efforts, the attackers might single out a specific host, or might aim at random hosts across the targeted network. Either approach has the potential of disrupting the service to a single host or to the entire network, depending on how critical the role of the victim is to the rest of the network [10].
Surveys carried out by the world's largest DDOS mitigation service, the Prolexic Company, indicate that the majority (90-94%) of DDOS attacks are performed using the Transmission Control Protocol. In the first quarter (Q1) of 2012, attackers used more network layer attacks than application layer (Layer 7) attacks. The three most common forms of DDOS attacks are Transmission Control Protocol Synchronous (TCP SYN) floods, User Datagram Protocol (UDP) floods and Internet Control Message Protocol (ICMP) floods. Typical application layer attacks are GET floods and POST floods. According to the figures provided by Prolexic, 73.4% were infrastructure attacks and 26.6% were application layer attacks [11].
The very first large-scale DDOS attack through the public Internet occurred in August 1999 on a network used by faculty and students at the University of Minnesota. This attack shut down the network for more than two days [12]. Currently, a good number of educational institutions that provide Internet access still experience frequent downtime due to DDOS attacks.
Hence, the convenience of the Internet comes at the cost of various security risks. In other words, while the Internet has facilitated the provision of crucial services in educational and financial institutions, it has equally served as a means of diffusing network attacks. Consequently, most organisations and institutions have had to face the challenge of securing their networks from various forms of intrusion while accommodating the influx of staff, student and faculty devices [13].
Although several efforts have been made to design intrusion detection systems for MANETs, most of these approaches have been neither effective nor reliable and have failed to adequately consider the requirements of a mobile ad hoc network. Thus, while many intrusion detection schemes exist, their effectiveness leaves much to be desired.
Related literature has shown that conventional intrusion detection systems developed for wired networks are not well suited to MANETs and have a number of drawbacks [14]. These drawbacks include high rates of false alarms, low detection rates and high communication overheads. Hence, defending against DDOS attacks and protecting the access of legitimate users to networks has attracted attention from both industry and academia.
On the other hand, multi-agent systems [15] and data mining [16] have emerged as promising fields of research for developing distributed intrusion detection systems. Studies have shown that these technologies have the potential to improve the performance of intrusion detection systems and thus can be employed in their development.
In this ubiquitous age, where nearly everyone owns at least one mobile device [17], the issue of protecting data stored on and exchanged among these devices, and through trendy services used by countless mobile users, has become critical. Given that these mobile devices are further expanding their ability to intercommunicate, simple static methods are no longer adequate for securing these computational scenarios.
Consequently, this thesis presents a distributed intrusion detection system that integrates the desirable features of the multi-agent methodology with data mining techniques in order to make the intrusion detection system more autonomous and efficient.
In order to address the snags in existing intrusion detection systems, a cooperative, distributed intrusion detection architecture that takes into account the unique features of MANETs and facilitates accurate detection of distributed attacks was designed. Algorithms were adapted for averting Internet Protocol (IP) spoofing, as well as for detecting three prevalent forms of DDOS attack, namely Transmission Control Protocol Synchronize (TCP SYN) flood, User Datagram Protocol (UDP) flood and Internet Control Message Protocol (ICMP) flood attacks on a mobile ad hoc network.
As a proof of concept, TCP SYN, UDP and ICMP flood attacks were launched against the newly developed system. The performance of the Multi-agent Intrusion Detection System was compared with the performance of four other agent-based intrusion detection systems. The results of the tests clearly revealed that the Multi-agent Intrusion Detection System had very high attack detection accuracy for TCP SYN, UDP and ICMP flood attacks. The false alarm rates and the communication overheads of the novel system were equally found to be considerably low when compared to the other four existing systems.
1.2 Statement of the problem
The distributed nature and the huge volume of traffic of distributed denial of service (DDOS) attacks make them quite difficult to detect, particularly in mobile ad hoc networks. At the Yaba College of Technology (YCT) network, DDOS attacks emanate from distributed sources and are difficult to deal with, since malicious traffic is not easily distinguished from legitimate traffic. Unfortunately, the security mechanisms originally deployed for detecting attacks on the YCT network have been ineffective in detecting DDOS attacks. Besides, studies have shown that other more recent intrusion detection systems have low detection rates, have huge communication overheads and are not feasible for detecting DDOS attacks in a resource-constrained MANET. They have equally been found to have high false alarm rates, which falsely classify a normal connection as an attack and therefore obstruct legitimate user access to network resources [19]. These drawbacks constitute the key issues which the proposed system was designed to resolve.
1.3 Aim and Objectives
The main aim of this research is to develop a multi-agent intrusion detection system for countering distributed denial of service (DDOS) attacks in mobile ad hoc networks. In order to attain this goal the following objectives were set:
i To design a distributed architecture that will cater for the resource-constrained features of the mobile ad hoc network;
ii To present a multi-agent framework for intrusion detection of DDOS flooding attacks;
iii To adapt the cumulative sum (CUSUM) algorithm, making it more suitable for averting Internet Protocol (IP) spoofing, as well as for detecting three prevalent forms of DDOS flooding attacks, namely Transmission Control Protocol Synchronize (TCP SYN) flood, User Datagram Protocol (UDP) flood and Internet Control Message Protocol (ICMP) flood attacks;
iv To implement a prototype of the proposed system;
v To evaluate the performance of the implemented system.
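Objective iii names the CUSUM algorithm, and the background section describes the SYN, UDP and ICMP floods it is meant to catch, without showing how a change-point test turns packet counts into an alarm. The following is an added illustration, not the thesis's own code: a non-parametric CUSUM over per-interval packet counts with one detector per flood type, as a monitor agent on a node might run them. The fixed sampling interval, the normalisation by a running mean of normal traffic, the allowance and the alarm threshold are assumptions, and the traffic trace is constructed.

```python
"""CUSUM-style flood detection over per-interval packet counts.

Added illustration, not the thesis's code. Assumed (not stated on the page):
counts are sampled per fixed interval, each count is normalised by a running
mean of normal traffic, and an alarm is raised once the accumulated positive
deviation exceeds a threshold.
"""
from dataclasses import dataclass
from typing import Dict, List

FLOOD_TYPES = ("tcp_syn", "udp", "icmp")   # the three flood classes in the objectives


@dataclass
class CusumDetector:
    """Non-parametric CUSUM: y_n = max(0, y_{n-1} + x_n/mu - 1 - alpha)."""
    alpha: float = 0.5        # allowance: deviations below alpha*mu count as noise
    threshold: float = 3.0    # alarm once the accumulated excess exceeds this
    ema_weight: float = 0.1   # how fast the normal-traffic mean adapts
    mu: float = 0.0           # running mean of normal counts (bootstrapped from the first sample)
    y: float = 0.0            # accumulated excess so far

    def update(self, x: float) -> bool:
        """Feed one interval's count; return True if this interval raises an alarm."""
        if self.mu == 0.0:
            self.mu = max(x, 1.0)               # first sample bootstraps the mean
        z = x / self.mu - 1.0 - self.alpha      # normalised deviation above the allowance
        self.y = max(0.0, self.y + z)
        alarm = self.y > self.threshold
        if not alarm:                           # never learn attack traffic as "normal"
            self.mu = max(1.0, (1 - self.ema_weight) * self.mu + self.ema_weight * x)
        return alarm


class FloodMonitor:
    """One detector per flood type, as a monitor agent on a node might run them."""

    def __init__(self, **kwargs: float) -> None:
        self.detectors = {p: CusumDetector(**kwargs) for p in FLOOD_TYPES}

    def observe(self, counts: Dict[str, int]) -> List[str]:
        """Feed one interval's counts; return the flood types currently alarming."""
        return [p for p, d in self.detectors.items() if d.update(counts.get(p, 0))]


def first_alarms(trace: List[Dict[str, int]], **kwargs: float) -> Dict[str, int]:
    """Index of the first interval at which each flood type raised an alarm."""
    monitor = FloodMonitor(**kwargs)
    first: Dict[str, int] = {}
    for i, counts in enumerate(trace):
        for p in monitor.observe(counts):
            first.setdefault(p, i)
    return first


# Constructed trace: ten intervals of ordinary traffic, then a TCP SYN flood
# from interval 10 onwards while UDP and ICMP stay at their normal rates.
SYN = [20, 22, 19, 25, 21, 24, 20, 23, 22, 21, 210, 240, 255, 230, 260]
UDP = [48, 52, 50, 49, 51, 50, 53, 47, 50, 52, 51, 49, 50, 52, 48]
ICMP = [5, 4, 6, 5, 5, 4, 6, 5, 5, 4, 5, 6, 5, 4, 5]
SAMPLE_TRACE = [{"tcp_syn": s, "udp": u, "icmp": c} for s, u, c in zip(SYN, UDP, ICMP)]

if __name__ == "__main__":
    print(first_alarms(SAMPLE_TRACE))   # {'tcp_syn': 10}
```

Because the mean stops adapting while an alarm is active, the detector does not slowly accept the flood as the new baseline; the allowance alpha is what keeps ordinary bursts below the threshold.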
1.4 Scope of the thesis
Given that it is not feasible to run an exhaustive test of all known network attacks on the varied forms of mobile ad hoc networks, this work focuses on the development of an effective multi-agent intrusion detection system for averting IP spoofing and countering three common forms of DDOS attack in a mobile ad hoc network that uses the Ad hoc On-demand Distance Vector (AODV) routing protocol.
1.5 Significance of the thesis
The effort to mitigate Distributed Denial of Service (DDOS) attacks is a crucial network security challenge. Hence, the outcome of this research will contribute significantly to research in the field of intrusion detection systems and enable researchers to come up with more robust solutions in highly dynamic environments such as mobile ad hoc networks.
Providing a distributed framework that handles efficient detection of DDOS attacks is imperative for curtailing the risk that DDOS flooding attacks pose to organisations and end users [20].
The outcome of this study will serve as a useful guide for network administrators and expedite the task of Internet Service Providers, who will be better able to offer uninterrupted Internet service to subscribers.
Currently, various social services rely on network applications and communications. These services include forecasting travel itineraries, reporting information about severe weather or potential disasters, electronic commerce, online medical diagnostics and scheduling emergency management events. Therefore, any denial of such services can cause enormous damage, not only loss of money but possibly also loss of human lives. Hence, in order to forestall undue losses in institutions and private homes, it is desirable that businesses install the multi-agent intrusion detection system on their networks.
Maintaining top-level security is imperative for sustaining the trusted and safe setting necessary for information exchange amongst various organisations. Thus, enterprises require an effective DDOS attack countering scheme that ensures continuous availability of their critical business resources.
1.6 Block diagram of the thesis stages
This thesis is structured into seven chapters, which are further divided into various sections. For clarity, an overview of the different phases of this thesis is depicted as a block diagram in Figure 1.1.
Figure 1.1 Block diagram of the thesis stages (Chapter 1: Introduction; Chapter 2: Literature Review; Chapter 3: Research Methodology and System Analysis; Chapter 4: System Design; Chapter 5: System Implementation and Documentation; Chapter 6: System Testing and Performance Evaluation; Chapter 7: Summary, Conclusion and Recommendations)

CHAPTER 2: LITERATURE REVIEW
2.1.1 Mobile Ad hoc Networks (MANETs)
People who make use of mobile devices often need to communicate in settings where no fixed wired infrastructure is available; this could be because it is not economically feasible or physically possible to provide the necessary infrastructure, or because the setting does not permit its installation.
Similarly, a group of students in a higher institution may need to share ideas during a lecture, business associates may run into each other in an airport terminal and wish to share files, or a group of emergency rescue workers may need to be rapidly deployed after a flood. In such situations, a collection of mobile hosts with wireless network interfaces may form a temporary network without the aid of any established infrastructure or centralised administration. This sort of wireless network is referred to as a mobile ad hoc network.
The mobile ad hoc network (MANET) has been in focus within the wireless research community and is currently a very active field of study. Today, with the rapid proliferation of wireless mobile devices such as laptops, smartphones and tablets, the significance of nomadic and ubiquitous computing, particularly mobile ad hoc networking, has become apparent [21].
Over the last two decades, MANETs of various forms have emerged owing to the ever-increasing application of a wide range of wireless mobile devices. As these devices get smaller, cheaper and more powerful, they are becoming increasingly popular. The ad hoc, self-organising feature of MANETs makes them quite suitable for virtual conferences, where setting up a traditional network infrastructure could be rather time consuming and could turn out to be a high-cost task [22].
Figure 2.1 Mobile Ad hoc Network [22]
Ordinarily, MANETs do not have an underlying infrastructure; for this reason mobile hosts in MANETs "join" on the fly and create a network on their own, as shown in Figure 2.1. With the network topology changing dynamically and the lack of centralised network management functionality, MANETs tend to be highly vulnerable to a number of attacks.
In other words, the numerous benefits of the wireless mobile ad hoc network come at the cost of various security flaws. The shared and easily accessed medium is undoubtedly the major advantage of wireless networks, while at the same time it is their Achilles' heel: it makes it extremely easy for an adversary to launch an attack [23]. Therefore, intruders easily penetrate the network, and as a consequence MANETs are extremely susceptible to network attacks due to their open and distributed nature, lack of fixed infrastructure, lack of central management, node mobility and dynamic topology.
Early research effort in MANETs assumed a friendly and cooperative environment and focused on challenges such as wireless channel access and multi-hop routing. This is not the case in reality, so security has become the main source of concern in a potentially hostile environment. Recent research on wireless MANETs indicates that this type of network presents greater security challenges than conventional wired and wireless networks [24].
2.1.1.1 Routing in MANETs
The term routing refers to the process of finding a path between two communicating hosts in a given network [25]. In conventional networks, routers are preconfigured by the administrator to perform the task of routing, and each packet is forwarded according to its Internet Protocol (IP) address. In the case of an ad hoc network, comprising a number of hand-held devices which communicate with each other over wireless channels without any infrastructure, the network topology changes rapidly and unpredictably, and no dedicated node is defined to perform routing. As a result, conventional routing protocols are not suitable for application in MANETs.
Normally, routing in ad hoc networks involves finding a path from the source to the destination and delivering packets to the destination nodes while nodes in the network are moving freely. Due to node mobility, a path established by a source may no longer exist after a short interval of time. Therefore, to cope with node mobility, nodes are required to maintain the routes within the network. Hence, depending on how nodes establish and maintain paths, routing protocols for mobile ad hoc networks broadly fall into four categories, namely [26]:
I Proactive routing protocols
II Reactive routing protocols
III Hybrid routing protocols and
IV Location-based routing protocols
I Proactive Routing Protocols: Proactive routing protocols are table-driven protocols that maintain up-to-date routing tables using the routing information learnt from the neighbours on a continuous basis. Routing in such protocols involves selecting a path from the source to the destination, where the source node and each intermediate node selects a next hop by routing table lookup and forwards the packet to that next hop until the destination receives the packet, as shown in Figure 2.2.
Figure 2.2 Proactive routing [27]
A drawback of proactive protocols is the overhead due to route maintenance and frequent route updates to cope with node mobility. Classic forms of proactive routing protocol include:
i. Destination-Sequenced Distance-Vector Routing protocol (DSDV) [27] and
ii. Optimized Link State Routing Protocol (OLSR) [28]
i. Destination-Sequenced Distance-Vector Routing protocol (DSDV) [27]: The Destination-Sequenced Distance-Vector Routing protocol (DSDV) is an enhanced version of the distributed Bellman-Ford algorithm for mobile ad hoc networks. In this protocol, each node maintains a routing table that contains an entry for every node in the network. Each entry in the routing table consists of the destination ID, the next-hop ID, a hop count, and a sequence number for that destination. The sequence number helps nodes maintain a fresh route to the destination(s) and avoid routing loops. In order to cope with the frequently changing network topology, nodes periodically broadcast routing table updates throughout the network. When a node receives a route-update packet, it changes its routing table entries if the sequence number of the destination in the update packet is higher (fresher) than the one in its routing table. If the sequence numbers are the same, then the node selects the route with the smaller metric (hop count). As a means of reducing the network traffic due to huge update packets, DSDV employs two types of updates: full dump and incremental. A full dump packet generated by a node contains all the entries in its routing table, whereas an incremental packet contains only the routing table entries that have been changed by the node since the last full dump. A node triggers an update when either the metric for a destination changes or when the sequence number changes. In the latter case, the protocol is called DSDV-SQ.
ii. Optimized Link State Routing Protocol (OLSR) [28]: The optimized link state routing protocol (OLSR) is an optimization of classic link state routing in which each node forwards control traffic only through a selected subset of its direct neighbours. This idea (multi-point relays, MPR) reduces the network traffic but introduces more computation and complexity.
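A walk-through of the DSDV update rule described above (a higher sequence number wins; on a tie, the smaller hop count wins; full dumps versus incremental updates), as an added example that is neither the thesis's code nor a DSDV implementation from the literature. It assumes a node bumps its own sequence number by one before each periodic full dump, omits link-break handling, and uses a constructed three-node scenario.

```python
"""DSDV routing-table maintenance, added example (not the thesis's code).

Assumed: a node bumps its own sequence number by one before each periodic
full dump; link-break handling is left out.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class RouteEntry:
    dest: str
    next_hop: str
    hop_count: int   # the metric
    seq: int         # sequence number originated by the destination


class DsdvNode:
    def __init__(self, node_id: str) -> None:
        self.node_id = node_id
        self.seq = 0
        self.table: Dict[str, RouteEntry] = {node_id: RouteEntry(node_id, node_id, 0, 0)}
        self.changed: Set[str] = set()   # destinations changed since the last full dump

    def receive_update(self, sender: str, entries: List[RouteEntry]) -> List[str]:
        """Apply an update packet from a neighbour; return the destinations whose entry changed.

        Rule from the page: accept a higher sequence number; on a tie, accept only a
        smaller hop count. Anything else is stale or no better and is ignored.
        """
        accepted = []
        for adv in entries:
            if adv.dest == self.node_id:
                continue                          # a neighbour never rewrites our own entry
            cand = RouteEntry(adv.dest, sender, adv.hop_count + 1, adv.seq)
            cur = self.table.get(adv.dest)
            fresher = cur is None or cand.seq > cur.seq
            shorter = cur is not None and cand.seq == cur.seq and cand.hop_count < cur.hop_count
            if fresher or shorter:
                self.table[adv.dest] = cand
                self.changed.add(adv.dest)
                accepted.append(adv.dest)
        return accepted

    def advertise(self) -> List[RouteEntry]:
        """Periodic full dump: bump own sequence number and send the whole table."""
        self.seq += 1
        self.table[self.node_id] = RouteEntry(self.node_id, self.node_id, 0, self.seq)
        self.changed.clear()
        return list(self.table.values())

    def incremental(self) -> List[RouteEntry]:
        """Only the entries changed since the last full dump."""
        return [self.table[d] for d in sorted(self.changed)]


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through: A and B are neighbours, C hears B, then A moves away."""
    a, b, c = DsdvNode("A"), DsdvNode("B"), DsdvNode("C")
    log: Dict[str, object] = {}
    b.receive_update("A", a.advertise())          # B learns A at one hop (seq 1)
    c.receive_update("B", b.advertise())          # C learns A via B at two hops
    log["via_b"] = c.table["A"]
    c.receive_update("A", [a.table["A"]])         # C also hears A directly: same seq, fewer hops wins
    log["direct"] = c.table["A"]
    log["stale_rejected"] = c.receive_update("B", [b.table["A"]]) == []   # same seq, more hops: ignored
    b.receive_update("A", a.advertise())          # A leaves C's range and re-advertises (seq 2) via B
    log["refresh_accepted"] = c.receive_update("B", b.incremental()) == ["A"]
    log["final"] = c.table["A"]                   # fresher seq wins although the path is longer
    return log
```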
II Reactive Routing Protocols: Reactive routing protocols are demand-driven protocols that find a path on the fly as and when necessary. In such protocols, establishing a new route involves a route discovery phase consisting of a route request (flooding) and a route reply (by the destination node). Nodes maintain only the active routes, until a desired period elapses or until the destination becomes inaccessible along every path from the source node, as illustrated in Figure 2.3.
Figure 2.3 Reactive Routing Protocol [29]
A drawback of such protocols is the delay due to route discovery on the fly. Typical forms of reactive routing protocol are the Ad hoc On-demand Distance Vector Routing (AODV) and the Dynamic Source Routing (DSR) protocols. In Ad hoc On-demand Distance Vector Routing (AODV), a node discovers and maintains a route to the destination as and when necessary. Nodes maintain a routing table containing routes towards the source(s) and destination(s) that are actively communicating with each other. Each entry in the routing table consists of the destination ID, the next hop ID, a hop count, and a sequence number for that destination (the same as in DSDV). The sequence number helps nodes maintain a fresh route to the destination(s) and avoid routing loops. Thus, each node maintains a sequence number for itself and the respective source(s) and destination(s). A node increments its sequence number if it initiates a new route request or if it detects a link break with one of its neighbours.
To establish a path to the destination, a source node broadcasts a route request (RREQ) packet. The RREQ packet contains the source ID, the destination ID, the sequence number of the source, and the latest sequence number of the destination node that is known to the source node. When a node receives a RREQ packet, it makes an entry for the route request in the route-request cache, and stores the address of the node from which it received the request as the next hop towards the source in its routing table. If the receiving node is the destination or it has a fresh route to that destination, then it responds with a route reply (RREP). Otherwise, it rebroadcasts the RREQ to its neighbours.
When a node receives a RREP, it stores the address of the node from which it received the RREP as the next hop towards the destination in its routing table and unicasts the RREP to the next hop towards the source node. Once the source receives the RREP packet, it starts transmitting data packets along the path traced by the RREP packet. Due to node mobility, path(s) established by a source node may break. A node detects a path break if it attempts to forward a data packet and receives a packet-drop notification from the media access control (MAC) layer. When a node detects a path break, it drops the packet for the destination, generates a route error (RERR) packet for the destination and sends the RERR to the source. Upon receiving a RERR, the source node buffers data packets for the destination and tries to re-establish a path to the destination.
Dynamic Source Routing (DSR) [29] was one of the first reactive routing protocols for ad hoc networks. In DSR, nodes use RREQ, RREP, and RERR packets to establish and maintain paths to the destination. However, unlike AODV, the RREQ packet accumulates a list of node IDs along the path from the source to the destination, and the corresponding RREP packet carries this list of IDs back to the source. Once the source node receives the RREP packet, it starts transmitting data packets to the destination by embedding the route from the source to the destination in the packet header. The path in the data packet header is referred to as the "source route". Every node in the network stores routes to other nodes by maintaining a dynamic route cache. A node determines routes to other nodes when it initiates a RREQ to a particular destination or when the node lies on an active path to that destination. In addition, a node may also ascertain a route by overhearing transmissions (in promiscuous mode) along routes of which it is not a part.
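The RREQ/RREP/RERR exchange described for AODV above, as an added simulation that is not the thesis's code or any AODV implementation. It assumes a static, constructed neighbour map in place of radio range, a breadth-first flood so that the first RREQ copy to reach a node wins, a destination that simply bumps its sequence number when it replies, and a link break detected when the next hop is no longer a neighbour.

```python
from collections import deque
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Route(NamedTuple):
    next_hop: str
    hop_count: int
    seq: int                                        # destination sequence number, as in DSDV


class AodvNode:
    def __init__(self, node_id: str) -> None:
        self.node_id = node_id
        self.seq = 0                                # own sequence number
        self.rreq_id = 0                            # counter for RREQs this node originates
        self.routes: Dict[str, Route] = {}          # active routes only
        self.seen: Set[Tuple[str, int]] = set()     # route-request cache: (source, rreq_id)


class AodvNetwork:
    def __init__(self, links: Dict[str, Set[str]]) -> None:
        self.links = links                          # links[n]: nodes in n's radio range (assumed, static)
        self.nodes = {n: AodvNode(n) for n in links}

    def break_link(self, a: str, b: str) -> None:
        """Simulate mobility: a and b move out of each other's range."""
        self.links[a].discard(b)
        self.links[b].discard(a)

    def path(self, src: str, dst: str) -> Optional[List[str]]:
        """Follow installed next hops from src to dst; None if no complete route exists."""
        hops, cur = [src], src
        while cur != dst:
            route = self.nodes[cur].routes.get(dst)
            if route is None or len(hops) > len(self.nodes):
                return None
            cur = route.next_hop
            hops.append(cur)
        return hops

    def discover(self, src: str, dst: str) -> Optional[List[str]]:
        """Flood an RREQ; the destination, or a node with a fresh enough route, answers with an RREP."""
        s = self.nodes[src]
        s.seq += 1                                  # new route request: bump own sequence number
        s.rreq_id += 1
        last_known = s.routes[dst].seq if dst in s.routes else 0
        queue = deque([(src, src, 0)])              # (previous hop, node, hops from source)
        while queue:
            prev, cur, hops = queue.popleft()
            node = self.nodes[cur]
            if (src, s.rreq_id) in node.seen:
                continue                            # duplicate copy of this RREQ: drop it
            node.seen.add((src, s.rreq_id))
            if cur != src:
                node.routes[src] = Route(prev, hops, s.seq)   # reverse route toward the source
            if cur == dst:
                node.seq += 1                       # destination replies with a fresher number
                self._rrep(cur, src, dst, node.seq, 0)
                return self.path(src, dst)
            known = node.routes.get(dst)
            if cur != src and known is not None and known.seq >= last_known:
                self._rrep(cur, src, dst, known.seq, known.hop_count)   # fresh route: reply
                return self.path(src, dst)
            for nb in sorted(self.links[cur]):      # otherwise rebroadcast to all neighbours
                queue.append((cur, nb, hops + 1))
        return None

    def _rrep(self, replier: str, src: str, dst: str, dst_seq: int, hops_to_dst: int) -> None:
        """Unicast the RREP back along reverse routes, installing forward routes on the way."""
        cur, dist = replier, hops_to_dst
        while cur != src:
            nxt = self.nodes[cur].routes[src].next_hop
            dist += 1
            self.nodes[nxt].routes[dst] = Route(cur, dist, dst_seq)
            cur = nxt

    def _rerr(self, at: str, src: str, dst: str) -> None:
        """Path break detected at 'at': purge the route and carry the RERR back to the source."""
        cur = at
        while True:
            self.nodes[cur].routes.pop(dst, None)
            if cur == src:
                return
            cur = self.nodes[cur].routes[src].next_hop

    def send(self, src: str, dst: str) -> Optional[List[str]]:
        """Forward one data packet hop by hop; on a break, send RERR, re-discover and retry."""
        if self.path(src, dst) is None and self.discover(src, dst) is None:
            return None
        cur = src
        while cur != dst:
            nxt = self.nodes[cur].routes[dst].next_hop
            if nxt not in self.links[cur]:          # MAC-layer packet-drop notification
                self._rerr(cur, src, dst)
                return self.discover(src, dst)      # source buffers the packet and rediscovers
            cur = nxt
        return self.path(src, dst)


def sample_network() -> AodvNetwork:
    """Constructed five-node topology: S-A-D is the short path, S-B-C-D the detour."""
    links = {"S": {"A", "B"}, "A": {"S", "D"}, "B": {"S", "C"}, "C": {"B", "D"}, "D": {"A", "C"}}
    return AodvNetwork(links)
```

Running discover("S", "D") on the sample network installs S-A-D; breaking the A-D link and calling send("S", "D") triggers the RERR and a rediscovery that lands on S-B-C-D, after which a later discover("A", "D") is answered by S from its fresh route without the RREQ ever reaching D.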
III Hybrid Routing Protocols: Hybrid protocols combine the advantages of various routing approaches into a single protocol. The Zone Routing Protocol (ZRP) is one such hybrid protocol, combining both the proactive and reactive routing approaches. ZRP takes advantage of proactive discovery within a node's local neighbourhood, and uses a reactive protocol for communication between these neighbourhoods. The local neighbourhoods are called zones, and each node may be within multiple overlapping zones. ZRP is motivated by the fact that most communication occurs between nodes close to each other. Changes in the topology are most important in the vicinity of a node; the addition or removal of a node on the other side of the network has only limited impact on the local neighbourhoods. The performance of ZRP depends on choosing a radius, which decides the transition from proactive to reactive behaviour. With a carefully chosen radius, ZRP can achieve better efficiency and scalability than both proactive and reactive routing protocols.
IV Position-based Routing Protocols: Position-based routing protocols utilize the positions of nodes in the network and make the least use of topology information. Routing protocols using such a scheme eliminate the drawbacks due to frequently changing network topology. DREAM, GPSR, and LAR are some examples of position-based routing protocols. In position-based routing protocols, nodes maintain local (one- or two-hop) topology information with the help of a hello protocol. To route a packet to the destination, the source node uses greedy forwarding to select a next hop towards the destination. In greedy forwarding, a node selects as next hop the neighbouring node that is geographically closest to the destination. Since there is no pre-established route from a source to the destination, each packet may follow a different path depending on the network topology [30].
There are two parts to the position-based routing:
i. given the position of the source, the position of the destination, and a local neighbour table at each node, delivering packets from the source to the destination, and
ii. given that each node can determine its own position using some positioning system like GPS, obtaining the position of any other node in the system.
The former part is position-based routing proper; examples include GFG and GPSR.
Position-based routing is classically greedy forwarding together with a recovery mechanism to circumvent the local optima of greedy forwarding, a condition in which no node in an intermediate node's neighbourhood is closer to the destination than the node itself. The latter part is called the location service. Some examples of location-service protocols are GLS, DLM, and RLS. Interestingly, most location-service protocols, including GLS and DLM, rely on the underlying greedy forwarding algorithm to send and receive control packets like location updates and location queries. The advantage of these protocols is that nodes need not establish and maintain routes, and these protocols are more scalable than reactive and proactive routing protocols.
2.1.2 Vulnerabilities of Mobile Ad hoc Networks
MANETs intrinsically differ from conventional wired networks in their properties and have a number of drawbacks which make them more prone to security issues.
According to [31], the widespread vulnerabilities of mobile ad hoc networks are as follows:
i Dynamic topology
ii Lack of clear line of defense
iii Limited resources
iv Cooperativeness
v Wireless links
Common vulnerabilities of mobile ad hoc networks are elucidated as follows:
i Dynamic topology: In MANETs, nodes can join and leave the network dynamically and can move independently [32]. Due to this nature, there is no fixed topology in MANETs. Nodes with inadequate physical protection may become malicious nodes and reduce the network performance.
ii Lack of clear line of defense: There is no clear line of defense mechanism available in MANETs; attacks can come from any direction. Attackers can attack the network either internally or externally.
iii Limited resources: MANETs are made up of devices such as laptops, computers, mobile phones etc. Each device has a different storage capacity, processing speed, computational power etc. This often attracts attackers to focus on new attacks.
iv Cooperativeness: In MANETs, all routing protocols assume that nodes provide secure communication. But some nodes may become malicious and disrupt the network operation by changing routing information [33].
v Wireless links: In MANETs, nodes communicate through wireless interfaces, which makes them highly susceptible to link attacks.
2.1.3 Attacks in MANETs
Protecting mobile ad hoc networks from attacks is a very challenging task. Nevertheless, understanding the possible forms of attack is in essence the first step towards developing high-quality security solutions. There are various attacks that target the weaknesses of MANETs. Some attacks apply to networks in general, a few apply to wireless networks and some are specific to MANETs.
These attacks can be classified according to different criteria, such as the domain of the attackers or the techniques used in the attacks [34]. Hence, the attacks in MANETs are generally grouped into five categories as follows:
i passive vs active attacks
ii internal vs external attacks
iii attacks on different layers of the Internet model
iv stealthy vs non-stealthy attacks
v cryptography vs non-cryptography related attacks
The sections that follow present the different categories of attacks found in MANETs.
i. Passive vs Active Attacks: Attacks in mobile ad hoc networks can be classified into two categories, namely passive attacks and active attacks [35]. A passive attack obtains data exchanged in the network without disrupting the operation of the communications, while an active attack involves information interruption, modification, or fabrication, thereby disrupting the normal functionality of a MANET. Table 2.1 shows the general taxonomy of security attacks against MANETs. Examples of passive attacks are eavesdropping, traffic analysis, and traffic monitoring. Examples of active attacks include jamming, impersonating, modification, denial of service (DOS), and message replay.
Table 2.1 Security Attacks Classification
Type of Attack  | Examples
Passive attacks | Eavesdropping, traffic analysis, monitoring
Active attacks  | Jamming, spoofing, modification, replaying, denial of service (DOS)
ii. Internal vs External Attacks: Attacks can also be classified into external attacks and internal attacks, according to the domain of the attacks. Some researchers refer to these attacks as insider and outsider attacks. External attacks are carried out by nodes that do not belong to the domain of the network. Internal attacks are from compromised nodes which are actually part of the network. Internal attacks are more severe when compared with outside attacks, since the insider knows valuable and secret information and possesses privileged access rights.
iii. Attacks on Different Layers: Attacks can equally be classified according to the five layers of the Internet model. Table 2.2 presents a classification of various security attacks on each layer of the Internet model.
Table 2.2 Security Attacks on each layer of the Internet Model
Layer               | Attacks
Application layer   | Repudiation, data corruption
Transport layer     | Session hijacking, SYN flooding
Network layer       | Wormhole, blackhole, Byzantine, flooding, resource consumption, location disclosure attacks
Data link layer     | Traffic analysis, monitoring, disruption MAC (802.11), WEP weakness
Physical layer      | Jamming, interceptions, eavesdropping
Multi-layer attacks | DOS, impersonation, replay, man-in-the-middle
iv. Stealthy vs Non-stealthy Attacks: Some security attacks use stealth [39], whereby the attackers try to hide their actions from either an individual who is monitoring the system or an intrusion detection system (IDS). But other attacks, such as DOS, cannot be made stealthy.
v. Cryptography vs Non-Cryptography Related Attacks: Some attacks are non-cryptography related, and others are cryptographic primitive attacks. Table 2.3 shows cryptographic primitive attacks and examples.
Table 2.3 Cryptographic Primitive Attacks
Cryptographic Primitive Attacks | Examples
Pseudorandom number attack      | Timestamp, Initialisation Vector (IV)
Digital signature attack        | RSA signature
2.1.4 Denial of Service and Distributed Denial of Service Attacks
Among the different attacks that occur on mobile ad hoc networks, distributed denial of service attacks are fast becoming the most prevalent type of attack. A Denial of Service (DOS) attack is an attack with the purpose of preventing legitimate users from using a specified network resource such as a website, web service, or computer system [36].
In the same vein, a distributed denial of service (DDOS) attack is an attack whereby multiple systems join together to target a single system, causing a denial of service (DOS). The target node is flooded with data packets until the system shuts down, thereby denying service to legitimate users. The services under attack are those of the "primary victim", while the compromised systems used to launch the attack are often called the "secondary victims".
Consequently, the use of secondary victims in a DDOS attack provides the attacker with the ability to wage a much larger and more disruptive attack while remaining anonymous, thereby making it more difficult for network forensics to track down the real attacker.
Individuals or groups responsible for DDOS attacks may be motivated by personal, social or financial benefits. Attackers may act out of personal revenge, a desire for publicity or some political motivation. Nevertheless, the financial impact of DDOS attacks on victims can be disastrous. In the recent past, criminal groups have launched a number of attacks on stock exchange websites across the world. A few DDOS attacks reported in the years 2011 and 2012 were on the NASDAQ and BATS stock exchanges, along with the Chicago Board Options Exchange (CBOE), the New York Stock Exchange and the Hong Kong Stock Exchange [37].
During Q4-2011, one survey found 45% more DDOS attacks compared to the parallel period of 2010, and over double the number of attacks observed during Q3-2011. The average attack bandwidth observed during this period was 5.2 Gbps, which is 148% higher than the previous quarter. Another survey of DDOS attacks found that more than 40% of respondents experienced attacks that exceeded 1 Gbps in bandwidth in 2013, and 13% were targeted by at least one attack that exceeded 10 Gbps. From a motivational perspective, recent research found that ideologically motivated DDOS attacks are on the rise. The research also mentioned financial reasons as another common reason for such attacks [38].
2.1.4.1 DDOS Attack Taxonomy
There is a broad range of distributed denial of service attacks; however, this research adopts the taxonomy of the main DDOS attack methods proposed in [38]. Figure 2.4 represents the DDOS attack taxonomy.
Figure 2.4 DDOS Attack Taxonomy [38]
There are two main classes of DDOS attacks, namely:
I Bandwidth depletion and
II Resource depletion attacks
I Bandwidth Depletion: A bandwidth depletion attack is designed to flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the primary victim.
II Resource Depletion: A resource depletion attack is an attack that is designed to tie up the resources of a victim system, making the victim unable to process legitimate requests for service.
2.1.5 Common Forms of DDOS Attack
In this section, the widespread forms of Distributed Denial of Service (DDOS) attacks are discussed. Generally, there are five common forms of DDOS attacks, namely:
i User Datagram Protocol (UDP) Flood
ii Internet Control Message Protocol (ICMP) Flood
iii Synchronous (SYN) Flood
iv Ping of Death
v Zero-Day DDOS Attacks
I. User Datagram Protocol (UDP) Flood: During a User Datagram Protocol (UDP) flood attack, the victim's network is overwhelmed by a large volume of UDP packets. The attack packets usually carry random port numbers. When the victim receives a packet and there is no application listening on the corresponding port, the victim may generate an ICMP "destination unreachable" packet to the sender. Thus massive numbers of UDP packets to the victim's inactive ports may exhaust both the incoming and outgoing capacities of the victim [7].
II. Internet Control Message Protocol (ICMP) Flood: In an Internet Control Message Protocol (ICMP) flood attack, the adversary floods ICMP Echo packets to some network which broadcasts these messages to all the hosts in the network. These ICMP Echo packets carry the victim's IP address. All the hosts that receive the echo packet send Echo Reply packets to the victim, which exhaust the victim's bandwidth. Actually, this kind of attack is a mixture of a semantic attack with brute force. The way the attack works is based on the response mechanism in ICMP. However, from the perspective of the victim, it is brute force, since the attack simply floods packets from many machines. An ICMP flood is capable of using up both outgoing and incoming bandwidth, since the victim's servers will often attempt to respond with ICMP Echo Reply packets, leading to a significant overall system slowdown.
III. SYN Flood: In a SYN flood attack, the adversary takes advantage of the three-way handshake for a TCP connection. Within normal execution, when a TCP server receives a SYN packet, it opens a session for this new connection and sends back a SYN/ACK packet to the initiator. When a timeout is reached and no ACK packet has been received from the corresponding initiator, the session is closed and the corresponding resources for the session are released. During the attack, the adversary continues sending SYN packets without sending back the final ACK packets for the TCP handshakes, so the server's resources (e.g. memory) can be speedily depleted by maintaining many half-open sessions; thus legitimate connection requests cannot be served.
In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host's SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement of each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.
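The half-open session behaviour described above, as an added detection example that is not part of the thesis: it walks a constructed packet trace (addresses, ports and the listen-queue size are all assumed values) and reports, per server, how many handshakes were never completed within the server's timeout.

```python
"""Flag SYN flood behaviour by tracking half-open TCP sessions.

Added example, not code from the thesis. It reads a constructed packet trace
(time, addresses, ports, flags, the shape a capture tool would give) and
reports, per server, how many handshakes the initiator never completed.
"""
from collections import defaultdict

SYN, SYNACK, ACK = "SYN", "SYN/ACK", "ACK"


def track_half_open(trace, now, timeout=3.0):
    """Return {server: {"half_open": n, "sources": m}} as of time `now`.

    trace: (t, src, sport, dst, dport, flags) tuples, t in seconds.
    A session is keyed by the initiator's 4-tuple; the server's SYN/ACK is
    matched by reversing it. Only sessions younger than `timeout` count:
    the server releases older ones itself (as the text describes), so the
    count approximates the backlog the server is holding right now.
    """
    sessions = {}  # (src, sport, dst, dport) -> [state, t_syn]
    for t, src, sport, dst, dport, flags in sorted(trace):
        if flags == SYN:
            sessions[(src, sport, dst, dport)] = ["syn", t]
        elif flags == SYNACK:
            key = (dst, dport, src, sport)          # initiator's view
            if sessions.get(key, [None])[0] == "syn":
                sessions[key][0] = "synack"
        elif flags == ACK:
            key = (src, sport, dst, dport)
            if key in sessions:
                sessions[key][0] = "established"
    report = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (src, sport, dst, dport), (state, t_syn) in sessions.items():
        if state != "established" and now - t_syn <= timeout:
            report[dst]["half_open"] += 1
            report[dst]["sources"].add(src)
    return {dst: {"half_open": v["half_open"], "sources": len(v["sources"])}
            for dst, v in report.items()}


def syn_flood_alerts(trace, now, backlog=128, timeout=3.0):
    """Servers whose half-open count exceeds `backlog` (an assumed stand-in
    for the listen queue size). A large count spread across many sources
    is the spoofed-address pattern from the text: no ACK ever arrives."""
    report = track_half_open(trace, now, timeout)
    return [dst for dst, v in report.items() if v["half_open"] > backlog]


def build_trace():
    """Constructed sample trace (not captured data): one completed handshake,
    one SYN that expired long ago, and 200 SYNs from 50 spoofed-looking
    sources that never send the final ACK."""
    trace = [
        (-5.0, "10.0.0.7", 40001, "10.0.0.1", 80, SYN),       # already timed out
        (0.0, "10.0.0.5", 40000, "10.0.0.1", 80, SYN),
        (0.1, "10.0.0.1", 80, "10.0.0.5", 40000, SYNACK),
        (0.2, "10.0.0.5", 40000, "10.0.0.1", 80, ACK),        # handshake done
    ]
    for i in range(200):
        src, sport, t = "192.0.2.%d" % (i % 50), 1024 + i, 1.0 + i * 0.01
        trace.append((t, src, sport, "10.0.0.1", 80, SYN))
        trace.append((t + 0.005, "10.0.0.1", 80, src, sport, SYNACK))
    return trace


if __name__ == "__main__":
    print(track_half_open(build_trace(), now=3.5))
    print(syn_flood_alerts(build_trace(), now=3.5))
```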
IV. Ping of Death: A ping of death ("POD") attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually imposes a limit on the maximum frame size, for example 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing denial of service for legitimate packets [7].
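The reassembly check that prevents the overflow described above, as an added example that is not part of the thesis: the fragment fields, the 20-byte header assumption and the sample fragment sets are all constructed.

```python
"""Guard IP fragment reassembly against oversized (Ping of Death) datagrams.

Added example, not from the thesis. A fragment is modelled by just the
header fields the check needs: identification, fragment offset (in 8-byte
units, as in the IP header), the More Fragments flag and the payload
length. A 20-byte IP header with no options is assumed.
"""
MAX_DATAGRAM = 65535   # largest IP total length, header included
HEADER_LEN = 20        # assumed minimal header


class OversizedDatagram(ValueError):
    """Raised when a fragment would push the reassembled datagram past 65,535 bytes."""


class Reassembler:
    def __init__(self):
        self.pending = {}  # ident -> {"bytes": int, "last_end": int or None}

    def accept(self, ident, offset_units, more_fragments, payload_len):
        """Validate and buffer one fragment; return True when `ident` is complete.

        The size check runs before anything is buffered, so a malicious tail
        fragment cannot grow the buffer past the limit the way the text
        describes. Fragments are assumed contiguous and non-overlapping
        (a real stack must also handle overlap and duplicates).
        """
        start = offset_units * 8
        end = start + payload_len
        if HEADER_LEN + end > MAX_DATAGRAM:
            self.pending.pop(ident, None)   # drop the partial datagram too
            raise OversizedDatagram("fragment %d at offset %d would reassemble to %d bytes"
                                    % (ident, start, HEADER_LEN + end))
        state = self.pending.setdefault(ident, {"bytes": 0, "last_end": None})
        state["bytes"] += payload_len
        if not more_fragments:
            state["last_end"] = end
        if state["last_end"] is not None and state["bytes"] == state["last_end"]:
            del self.pending[ident]
            return True
        return False


def reassembled_length(fragments):
    """Total length a fragment set would produce, for checking a capture offline."""
    return HEADER_LEN + max(off * 8 + length for _, off, _, length in fragments)


def is_rejected(fragments):
    """True if the reassembler refuses the fragment set."""
    r = Reassembler()
    try:
        for frag in fragments:
            r.accept(*frag)
    except OversizedDatagram:
        return True
    return False


# Constructed fragment sets: (ident, offset_units, more_fragments, payload_len)
BENIGN_PING = [(1, 0, True, 1480), (1, 185, True, 1480), (1, 370, False, 1480)]
# Ping of Death shape: the final fragment is placed so the datagram ends past 65,535
OVERSIZED_PING = [(2, 0, True, 1480), (2, 8189, False, 100)]
```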
V. Zero-day DDOS Attacks: "Zero-day" DDOS attacks simply refer to unknown or new attacks, exploiting vulnerabilities for which no patch has yet been released. The term is well known amongst the members of the hacker community, where the practice of trading zero-day vulnerabilities has become a popular activity [7].
2.1.6 Security in Mobile Ad hoc Networks
Securing mobile ad hoc networks is particularly challenging, because such networks often operate in adverse or even hostile environments. Hence, designing an effective intrusion detection system requires an in-depth understanding of various threat models and adversaries' attack capabilities. Prior to developing a solution to secure a mobile ad hoc network, it is vital to specify the criteria for determining whether a mobile ad hoc network is secure or not; in other words, to identify the conditions required in order to attain security in a mobile ad hoc network. It is equally pertinent to note that successful implementation of a mobile ad hoc network depends on users' confidence in its security.
Normally, there are five common attributes required for securing mobile ad hoc networks, namely: confidentiality, availability, authenticity, integrity and non-repudiation. These features serve as criteria for assessing whether the MANET is secure [40].
i. Confidentiality: The term confidentiality refers to the protection of any information from being exposed to unintended entities [40]. In order to attain confidentiality, it is essential that the system stays up and in a working state, and provides the right access and functionality to each user. Consequently, confidentiality is the target of DOS or DDOS attacks.
ii. Availability: Availability can be described as the ability of the network to provide services as required. This security goal makes certain that services that should be available are accessible whenever required. In other words, there should be an assurance of survivability despite the attempt of a denial of service (DOS) attack.
iii. Authentication: Authentication implies the assurance that an entity of concern or the origin of a communication is what it claims to be or emanates from the claimed source. Through the process of authentication, an entity is issued a credential, which specifies the privileges and permissions it has before establishing any form of connection. This in turn prevents any form of falsification. Without this security mechanism, an attacker could impersonate a node, gaining unauthorised access to resources and sensitive information and eventually interfering with the operation of other nodes.
iv. Integrity: The security mechanism which guarantees that the message being transmitted is never altered is referred to as integrity.
v. Non-repudiation: This security goal ensures that the sending and receiving parties can never deny having sent or received the message. This is useful especially when we need to determine whether a node with some abnormal behaviour is compromised or not. On the whole, whenever considering any security issue with respect to a network, it is imperative to ensure these security goals are established for effectiveness.
2.2 Agent and Multi-agent Technologies
A software agent is an autonomous entity that can interact with its environment to achieve a specific goal. Typically, software agents interact with other entities in various settings across multiple platforms. They are applicable in various fields such as teaching, learning, industry, simulation, virtual reality, network security and, more recently, the software design of intrusion detection systems (IDSs). A multi-agent intrusion detection system is a set of autonomous components which work together in cooperation to detect intrusions. Agents have some special properties, such as mandatory and orthogonal properties [41]. These properties make agents different from standard software. The set of properties of agents is as follows: autonomy, reactive, proactive, and temporally continuous. Hence, the general features of agents within the context of an ad hoc network setting are:
i Autonomy
ii Reactivity to the environment
iii Pro-active and goal oriented
i Autonomy: Agents can function without any regular initiation from the user or processes. They can start working once initiated by a user or a process. Some of the activities where this feature can be observed are: monitoring battery life, power requirements to neighbours, reliable neighbours, discovering routes in anticipation of link breaks, checking for intruders, studying legitimate user behaviour patterns, etc. This allows them to operate independently.
ii Reactivity to the environment: In line with this feature, the agent must be able to react to changes in its environment, such as changes in user behaviour, changes in the neighbours of a node, etc.
iii Pro-active and goal oriented: Agents anticipate the changes in the MANET environment and take appropriate decisions. A key factor with agents is that they typically have a single task to complete, such as monitoring user behaviour, monitoring for a user login, etc. This gives the agent a small footprint and also makes it easier to test and more robust.
Generally, mobile agents differ from static agents in terms of the mobility property. Hence, a mobile agent is an itinerant agent that is dispatched from a source node, migrates from one host to another in the heterogeneous network and executes at the remote host until it accomplishes its task [41]. The agent may contain the program, data, and execution state information.
Mobile agents and wireless networks are two cutting-edge technologies that will provide enhancements for increased connectivity and communication. Mobile agents are asynchronous, i.e., they do not need permanent network connectivity, which is more suitable in the case of wireless networks since wireless channels are less reliable. Normally, mobile agents can interact with the environment by communicating with other static and mobile agents in the network. Mobile agents have numerous benefits [42]. Some of the common benefits of mobile agents are as follows:
i Reduce the network load
ii Reduce latency
iii Embedded protocols
iv They interact with their environment and adapt themselves
v They move autonomously
Meanwhile, multi-agent systems consist of multiple agents that interact and work together to achieve a particular set of tasks or goals [43]. The pervasive nature of such systems is that what a single agent acting on its own cannot handle is assessed and addressed to achieve a desired objective through regular interaction between distributed agents. Such an objective may include the protection of an international border against trespassing, timely detection of a bushfire, accurate analysis of the traffic state of a large metropolis, remote monitoring of a vehicle conveying critical goods from source to destination, and so forth. The outcome of such collaboration between multiple agents is the aggregate property of the system as a whole and not of a single agent [44].
Currently, agent and multi-agent system technologies, methods, and theories are being employed in diverse domains [45]. These include information retrieval, user interface design, robotics, electronic commerce, computer-mediated collaboration, network security, computer games, education and training, smart environments, ubiquitous computers, and social simulation. They are not only very promising technologies, but are also emerging as a new way of thinking, a conceptual paradigm for analyzing problems, designing systems, and dealing with complexity, distribution and interactivity, and perhaps a new perspective on computing and intelligence.
2.3 Intrusion Detection System
The term intrusion simply refers to any set of actions that attempt to compromise the confidentiality, availability or integrity of a resource [46]. Furthermore, intrusion detection can be described as a process of monitoring activities in a system, which can be a computer or a network. Normally, intrusion detection works on the basis of examining the activity on a host or network and determining whether that activity is normal or suspicious. Consequently, the mechanism that performs intrusion detection is known as the intrusion detection system (IDS). Generally, intrusion detection systems were introduced in order to detect possible violations of a security policy by monitoring system activities and responses. For this reason, intrusion detection systems are aptly referred to as the second line of defence.
2.3.1 Classification of Intrusion Detection Systems
Intrusion detection systems (IDSs) can be categorised based on a number of criteria. Two decisive factors that determine the taxonomy of intrusion detection systems are as follows:
i Audit data
ii Detection technique
2.3.1.1 Intrusion Detection System Based on Audit Data
Intrusion detection systems are classified based on their audit data as either:
i Host-based intrusion detection system (IDS)
ii Network-based intrusion detection system (IDS)
i Host-based intrusion detection system (IDS): A host-based intrusion detection system uses operating system or application logs in its analysis. Such systems directly monitor the computer on which they run, often through tight integration with the operating system. Audit data from a single host is used to detect intrusions. They monitor insiders with the same vigilance as outsiders, and network encryption does not affect them. But the number and diversity of computers often make it impossible to protect each computer individually with a host-based ID system.
ii Network-based intrusion detection system (IDS): Network-based intrusion detection systems capture and analyze packets from the network traffic between hosts. In this approach, network traffic data, along with audit data from one or more hosts, is used to detect intrusions. Unlike host-based ID systems, which detect malicious behaviour outright, these systems deduce behaviour based on the content and format of data packets on the network. Among other things, they analyze overt requests for sensitive information and repeated failed attempts that violate security policy.
Generally, many of the existing host-based and network-based intrusion detection systems perform data collection and analysis centrally using a monolithic architecture. In other words, data is collected by a single host, either from audit trails or by monitoring packets in a network, and analysed by a single module using different techniques. Hence some researchers have identified a number of issues [45] associated with these architectures, as follows:
i The central analyzer is a single point of failure;
ii Scalability is limited;
iii It is difficult to reconfigure or add capabilities to the IDS;
iv Analysis of network data can be flawed.
2.3.1.2 Intrusion Detection Systems Based on Detection Techniques
On the basis of detection techniques, IDSs can also be classified into three categories, as follows [46]:
i Anomaly-based intrusion detection systems
ii Misuse intrusion detection systems
iii Specification-based intrusion detection systems
i Anomaly detection systems: The normal profiles of users are kept in the system. The system compares the captured data with these profiles, and then treats any activity that deviates from the baseline as a possible intrusion by informing system administrators or initiating a proper response. Anomaly intrusion detection systems have been shown to be effective for unknown or novel attacks, since no prior knowledge about specific intrusions is required. Nevertheless, the main drawback of this approach is that they tend to generate more false alarms than misuse detection does. Another disadvantage of anomaly detection for mobile computing is that the normal profile must be periodically updated and the deviations from the normal profile computed. The periodic calculations can impose a heavy load on some resource-constrained mobile devices; perhaps a lightweight approach that involves comparatively less computation might be better suited.
ii Misuse intrusion detection systems: These systems keep patterns (or signatures) of known attacks and use them to compare with the captured data. Any matched pattern is treated as an intrusion. However, this sort of system does not detect new kinds of attacks.
iii Specification-based intrusion detection systems: A specification-based intrusion detection system defines a set of constraints that describe the correct operation of a program or protocol. Then, it monitors the execution of the program with respect to the defined constraints.
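The contrast between anomaly and misuse detection drawn in items i and ii above, as an added example that is not part of the thesis: both detectors run over one constructed stream of per-node route-request counts, the anomaly side keeping only a lightweight per-node baseline of the kind the text suggests for resource-constrained devices. The node names, message bytes and signature set are all constructed for illustration.

```python
"""Misuse (signature) vs anomaly (profile) detection on one event stream.

Added example, not code from the thesis. Each event is one node's
route-request (RREQ) count for a monitoring interval plus the control
message it sent; the stream and the signature set are both constructed.
"""
import math

# Constructed signature set for the misuse detector: byte patterns of known
# malformed control messages (hypothetical, for illustration only).
SIGNATURES = {"BAD-HOP-COUNT": b"\xff\xff", "KNOWN-PROBE": b"PROBE-V1"}


def misuse_alerts(event):
    """Names of every known signature found in the event's message."""
    return [name for name, pat in SIGNATURES.items() if pat in event["msg"]]


class AnomalyProfile:
    """Per-node EWMA baseline: two floats and a counter per node, cheap
    enough for a resource-constrained device to update every interval."""

    def __init__(self, alpha=0.2, k=3.0, min_margin=3.0, warmup=5):
        self.alpha, self.k, self.min_margin, self.warmup = alpha, k, min_margin, warmup
        self.profiles = {}  # node -> [mean, variance, samples]

    def observe(self, node, value):
        """Update the node's profile; return True if value exceeds the baseline."""
        mean, var, n = self.profiles.get(node, [float(value), 0.0, 0])
        anomalous = False
        if n >= self.warmup:   # no verdicts until the profile has settled
            threshold = mean + max(self.k * math.sqrt(var), self.min_margin)
            anomalous = value > threshold
        if not anomalous:      # keep flagged traffic out of the baseline
            delta = value - mean
            mean += self.alpha * delta
            var = (1 - self.alpha) * (var + self.alpha * delta * delta)
        self.profiles[node] = [mean, var, n + 1]
        return anomalous


def run_ids(events):
    """Feed events through both detectors; return (t, node, detector, detail)."""
    profile = AnomalyProfile()
    alerts = []
    for ev in events:
        for sig in misuse_alerts(ev):
            alerts.append((ev["t"], ev["node"], "misuse", sig))
        if profile.observe(ev["node"], ev["rreq"]):
            alerts.append((ev["t"], ev["node"], "anomaly", ev["rreq"]))
    return alerts


def build_events():
    """Constructed stream: node A is quiet for 20 intervals apart from one
    legitimate burst, then floods RREQs with a message no signature
    describes; node B sends a known-bad message at a normal rate."""
    events, pattern = [], [9, 10, 11, 10, 9, 11, 10, 10, 11, 9]
    for t in range(20):
        rreq = 14 if t == 12 else pattern[t % 10]   # t == 12: legitimate burst
        events.append({"t": t, "node": "A", "rreq": rreq, "msg": b"RREQ seq=%d" % t})
        events.append({"t": t, "node": "B", "rreq": pattern[t % 10], "msg": b"RREQ seq=%d" % t})
    events.append({"t": 20, "node": "A", "rreq": 80, "msg": b"RREQ seq=20"})      # novel flood
    events.append({"t": 21, "node": "B", "rreq": 10, "msg": b"RREQ seq=21 PROBE-V1"})
    return events
```

Running `run_ids(build_events())` shows the trade-off the text describes: the novel flood and the known-bad message are each caught by only one detector, and the legitimate burst at interval 12 is the anomaly detector's false alarm.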
2.4 IDS Terminologies
Common security terms which are related to intrusion detection techniques are described as follows [47]:
i Vulnerability: A vulnerability is described as a weakness that allows an attacker to reduce the security of a particular system in a network. It is also considered an "attack surface".
ii Exploit: An exploit is a piece of software or mechanism which takes advantage of bugs or vulnerabilities that exist in the system in order to cause unintended behaviour of the system. For instance, if poor passwords are used in a network for authentication, then password cracking might be the exploit for such a vulnerability.
iii Signature: Signatures are pattern sets which are used by an IDS to identify an unwanted packet. A signature is usually created to watch network traffic for a particular attack or vulnerability.
iv Alarm: An alarm is a signal generated by the IDS in response to the occurrence of an attack.
v Detection rate: The detection rate refers to the fraction of all attacks that are actually detected.
vi False Alarm: A false alarm is an attack alarm that is triggered incorrectly; in other words, by traffic that does not constitute an actual attack.
vii False Alarm Rate: The false alarm rate (FPR) is the fraction of all normal data that produces (false) alerts.
viii False Negative: A false negative is a term which means no alarm is triggered when an attack occurs. This is one of the worst types of false alarms.
ix False Negative Rate: This is the quantity of illegitimate traffic wrongly detected as malicious.
x True Positive: A true positive is a type of alarm that is triggered when the IDS device has recognized and responded to an attack.
xi True Negative: A true negative implies that an attack had occurred but the IDS had not triggered an alarm.
xii Packet delivery ratio: This is the ratio of the total number of packets delivered to the total number of packets received in the system.