
A Survey on Security Issues and Detection Methods in MANET

Abstract: The migration from wired networks to wireless networks has been a global trend in the past few decades. The mobility and scalability brought by wireless networks made it possible in many applications. Among all the contemporary wireless networks, Mobile Ad hoc NETwork (MANET) is one of the most important and unique applications. Contrary to traditional network architecture, MANET does not require a fixed network infrastructure. In general, routing protocols for MANETs are designed on the assumption that all participating nodes are fully cooperative. However, due to the open structure and scarcely available battery-based energy, node misbehaviors may exist. In addition, the open medium and wide distribution of nodes make MANET vulnerable to malicious attackers. This survey paper gives an overview of security issues. An attempt has also been made to identify possible detection methods associated with the different security issues.

Keywords: Security, MANET, DSR, AODV, Attack

1. INTRODUCTION

Mobile Ad hoc NETwork (MANET) is a collection of mobile nodes equipped with both a wireless transmitter and a receiver that communicate with each other via bidirectional wireless links, either directly or indirectly. MANET structure may vary depending on its application, from a small, static network that is highly power constrained to a large-scale, mobile, highly dynamic network. Every node works as both a transmitter and a receiver. Nodes communicate directly with each other when they are both within the same communication range. Otherwise, they rely on their neighbors to relay messages.

Industrial remote access and control via wireless networks are becoming more and more popular these days. One of the major advantages of wireless networks is the ability to allow data communication between different parties while still maintaining their mobility. However, this communication is limited to the range of the transmitters. This means that two nodes cannot communicate with each other when the distance between them is beyond their own communication range. MANET solves this problem by allowing intermediate nodes to relay data transmissions.

There are two types of MANETs: closed and open [1]. In a closed MANET, all mobile nodes cooperate with each other toward a common goal, such as emergency search/rescue or military and law enforcement operations. In an open MANET, different mobile nodes with different goals share their resources in order to ensure global connectivity. Some resources are consumed quickly as the nodes participate in the network functions. Battery power is considered to be of greater importance in a mobile environment. An individual mobile node may attempt to benefit from other nodes but refuse to share its own resources. Such nodes are called selfish or misbehaving nodes, and their behavior is termed selfishness or misbehavior. A selfish node may refuse to forward the data it received in order to save its own energy.

However, the open medium of MANET is vulnerable to various types of attacks. For example, due to the nodes' lack of physical protection, malicious attackers can easily capture and compromise nodes to achieve attacks. Attackers can easily insert malicious or incorporate nodes into the network to achieve attacks. Such misbehaving nodes need to be detected so that they can be avoided by well-behaved nodes. Many schemes and intrusion detection systems have been proposed to detect such nodes.

2. SECURITY ISSUES IN MANET

There are many types of attacks affecting the behavior and performance of MANET. Attacks can be classified according to their domain, protocols and means of attack. Ad hoc networks have two levels of attacks. The first level is based on the routing mechanisms used in the network. The second level occurs on the security mechanisms in the network and tries to damage them. An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset. Attacks in MANET are divided into two major types: internal attacks and external attacks.

2.1 Internal attacks

Internal attacks lead directly to attacks on the nodes present in the network and on the link interfaces between them. This type of attack may broadcast wrong routing information to other nodes [10]. Internal attacks are sometimes more difficult to handle than external attacks, because internal attacks arise from more trusted nodes. The wrong routing information generated by compromised or malicious nodes is difficult to identify. This difficulty occurs because the compromised nodes are able to generate valid signatures using their private keys.

2.2 External attacks

External attacks are attacks launched by adversaries who are not initially authorized to participate in the network operations. These attacks usually aim to cause network congestion, to deny access to a specific network function or to disrupt the whole network operation. Bogus packet injection, denial of service, and impersonation are some of the attacks that are usually initiated by external attackers. External attacks are classified into two categories: active and passive attacks.

2.2.1 Passive attacks:

MANETs are more susceptible to passive attacks. A passive attack does not alter the data transmitted within the network, but it includes the unauthorized "listening" to the network traffic or the accumulation of data from it. A passive attacker does not disrupt the operation of a routing protocol but attempts to discover important information from the routed traffic. Detection of this type of attack is difficult since the operation of the network itself is not affected. To overcome this type of attack, powerful encryption algorithms are used to encrypt the data being transmitted.

2.2.2 Active Attacks:

Active attacks are very severe attacks on the network that prevent message flow between the nodes. Active attacks can be internal or external. Active external attacks can be carried out by outside sources that do not belong to the network. Internal attacks come from malicious nodes which are part of the network; internal attacks are more severe and harder to detect than external attacks. These attacks generate unauthorized access to the network that helps the attacker to make changes such as modification of packets, DoS, congestion etc. Active attacks are generally launched by compromised or malicious nodes. Malicious nodes change the routing information by advertising themselves as having the shortest path to the destination. There are many types of active attacks:

A) Modification attacks:

This attack modifies the packets and degrades the overall communication performance of the network. A malicious node gets the routing information from the packet and uses it for further attacks in the future. An example of such an attack is the sinkhole attack, in which a malicious node advertises itself as having the shortest path to the receiver.

B) Dropping attacks:

In this attack, packets received by the selfish nodes are dropped to prevent end-to-end communication.

C) Timing attacks:

In this attack, the attacker advertises itself as being closer to the actual node in order to attract other nodes in the network. Rushing and hello flood attacks use this type of attack.

2.3 Attacks at Application Layer

The application layer contains user data and supports many protocols like HTTP and FTP. Worm attacks, mobile viruses and repudiation attacks are examples of application attacks.

1) Malicious code attack

Malicious code attacks include viruses, worms, spyware and Trojan horses. These can attack both the operating system and user applications.

2) Repudiation attacks:

Repudiation means denial of participation in part or all of the communications. For example, a selfish person may deny having received a product or may deny an online bank transaction.

3) Worm attacks:

In the network, malicious programs spread widely. A worm can exploit in different ways. One such example is the IP address scanning used by internet worms. These techniques generate probe packets to a vulnerable TCP/UDP port at many different IP addresses. Hosts that respond to the scan get hit, receive a worm copy and get affected. An example of this kind of worm is the Code Red Worm.

2.4 Attacks at network layer

The network layer is attacked by a variety of attacks. By attacking the network protocol, the attacker learns the traffic pattern, enters the routing path between the source and destination and can control the network traffic flow.

1) Routing discovery attack:

Routing attacks target the route discovery or maintenance phase by not following the rules of the routing protocols. Routing message flooding attacks such as hello flooding attacks, acknowledgement flooding attacks, routing table overflow and RREQ flooding target the routing discovery phase.

2) Routing table overflow:

A proactive routing algorithm updates the routing information periodically. A malicious attacker advertises routes to non-existent nodes as authorized nodes in the network. Proactive algorithms are more vulnerable to routing table overflow, because they discover the information before it is actually needed. An attacker simply sends excessive routing advertisements to overflow the routing table.

3) Routing Maintenance attack:

The route maintenance phase is attacked by sending false control messages, such as link broken error messages. This causes route repairing or invocation of the costly route maintenance. For example, AODV and DSR implement path maintenance procedures to recover broken paths. If the destination node or an intermediate node along an active path moves, the upstream node of the broken link broadcasts a route error message to all active upstream neighbors. The node also invalidates the route for this destination in its routing table. Attackers could take advantage of this mechanism to launch attacks by sending false route error messages.

4) Data forwarding attacks

Some attacks target the data forwarding phase. A malicious node participates in the route discovery and maintenance phases but refuses to forward the packets. Instead of forwarding the packets it simply drops them, modifies their contents or floods data packets. It can also delay forwarding time-sensitive packets.

5) Routing protocol attacks

These attacks target the routing protocols used in the network. For example, in DSR, the attacker modifies the source route listed in the RREQ or RREP packets. It can insert a new node into the list, delete a node or change the order of the nodes in the list. In AODV, the attacker can change the route distance to a value smaller than the actual one.

6) Other advanced attacks

i) Black hole attack: In a black hole attack, a malicious node uses its routing protocol to advertise itself as having the shortest path to the destination node or to the packet it wants to intercept. This hostile node advertises its availability of fresh routes without checking its routing table. In this way the attacker node will always be available to reply to the route request and thus intercept the data packet and retain it.

ii) Wormhole attack: In this attack, the attacker uses a private tunnel to forward the data. The tunnel between two attackers is referred to as a wormhole. The attacker records packets at one location and forwards them through the tunnel to another location. The network is disrupted by tunneling the control messages. If it is used against routing protocols such as DSR or AODV, it prevents route discovery other than through the wormhole.

iii) Byzantine attack: A compromised node or a group of compromised nodes work together and carry out attacks to disrupt the routing services. The attacks may include creating routing loops or selectively dropping packets.

iv) Rushing attack: This attack is proposed by Hu et al. In route discovery, the RREQ forwarded by the attacker is the first to reach the neighbor of the target. The routes obtained by this RREQ include the attacker. The attacker can forward the RREQ more quickly than the legitimate user, and so the attacker is included in all the discovered routes.

Fig. Rush Attack

v) Resource consumption attack: An attacker or a compromised node can attempt to consume battery life by forwarding unnecessary packets or requesting excessive route discovery.

vi) Location disclosure attack: An attacker first gathers information such as the route map and then reveals the structure of the network or the location of nodes in the network.

The attacker tries to figure out the communicating parties, analyzes the traffic to learn the traffic pattern and tracks changes in the traffic pattern.

2.5 Attacks at physical layer

These attacks are hardware oriented and need help from hardware sources to take effect. They are simple to execute and do not need complete knowledge about the technology.

1) Eavesdropping

It means interception and reading of messages and conversations by unintended receivers. Wireless communication is easily intercepted with the correct receiver frequency. The main aim is to get confidential information such as private keys, public keys and passwords. This can be eavesdropped by tapping the communication lines.

Fig. Eavesdropping

2) Jamming

It is a DoS type of attack, initiated by a malicious or attacker node after finding the frequency of communication. In this type of attack the jammer transmits a signal with security threats and also prevents reception of legitimate packets.

3) Active interference

It is also a denial of service attack, which blocks the wireless communication. The attacker can change the order of messages or replay old messages. The effect of such an attack depends on its duration and on the routing protocol in use.

2.6 Attacks at transport layer

1) SYN flooding attacks

It is a Denial of Service (DoS) type of attack, in which the attacker creates a large number of half-opened TCP connections with the victim node. It never completes the handshake to fully open the connection.

2) Session hijacking

In this attack, an attacker takes advantage of an unprotected session after its initial step. It spoofs the victim's IP address, predicts the correct sequence number, the one which is expected by the target node, and launches various types of DoS attacks. In this attack the malicious node tries to discover passwords, secret keys, logon names and other information from nodes.

3. DETECTION METHODS

Due to the limitations of MANET protocols, nodes in a MANET assume that other nodes will always cooperate with each other to relay the data. This is enough for attackers to perform attacks using some compromised nodes. To avoid this problem, an IDS should be added to enhance the security level of the MANET. The IDS can act as a second layer in the MANET. If the MANET can detect attackers as soon as they enter the network, we will be able to eliminate the damage completely.

3.1 Reputation-based schemes

In this scheme the network nodes collectively detect and declare the misbehaviors of a suspicious node. This declaration is propagated through the network so that those nodes are avoided in future routing.

1) Watchdog

This scheme is proposed to improve the throughput of the network in the presence of malicious nodes. It consists of two parts: watchdog and pathrater. The watchdog is responsible for detecting malicious node misbehaviors in the network. It detects misbehavior by overhearing the next hop's transmission. It maintains the sent packets in a buffer. A packet in the buffer is cleared when the watchdog overhears the next hop successfully transmitting the same packet over the medium. If a data packet remains in the buffer for too long, the watchdog module accuses the next hop neighbor of misbehaving. Thus, the watchdog enables misbehavior detection at the forwarding level as well as the link level. If a watchdog node overhears that its next node fails to forward the packet within a certain period of time, it increases that node's failure counter. Whenever a node's failure counter exceeds a predefined threshold, the watchdog node reports it as misbehaving. In this case, the pathrater cooperates with the routing protocols to avoid the reported nodes in future transmissions. The pathrater module rates every path in its cache and subsequently chooses the path that best avoids misbehaving nodes.

2) CONFIDANT

The CONFIDANT protocol proposed by Buchegger and Le Boudec is another example of reputation-based schemes. The protocol is based on selective altruism, thus making misbehavior unattractive. CONFIDANT consists of four important components: the Monitor, the Reputation System, the Path Manager, and the Trust Manager. They perform the vital functions of neighborhood watching, node rating, path rating, and sending and receiving alarm messages, respectively. Each node continuously monitors the behavior of its first-hop neighbors. If a suspicious event is detected, details of the event are passed to the Reputation System. Depending on how significant and how frequent the event is, the Reputation System modifies the rating of the suspected node. Once the rating of a node becomes intolerable, control is passed to the Path Manager, which accordingly controls the route cache. Warning messages are propagated to other nodes in the form of an Alarm message sent out by the Trust Manager. The Monitor component in the CONFIDANT scheme observes the next hop neighbor's behavior using the overhearing technique. This causes the scheme to suffer from the same problems as the watchdog scheme.

Each node i maintains a data structure Status_i[j] about every other node j as an indication of what impression node i has about node j. Along with a credit counter, node i also maintains lists of nodes to which node j will and will not provide service. Every node periodically broadcasts relevant information in the form of a self-state message. Other nodes update their own lists based on the information contained in these self-state messages.

3.2 Credit based schemes

The goal of credit based schemes is to provide incentives to the nodes that faithfully perform network functions. To facilitate this, a payment system is set up. Nodes get paid for providing services to other nodes. The concept of nuggets (also called beans) is used as payment for forwarding packets. Two models are proposed for this: the packet purse model and the packet trade model. In the packet purse model, nuggets are loaded into the packet before it is sent. The sender puts a certain number of nuggets into the data packet to be sent. Each intermediate node earns nuggets in return for forwarding the packet. If the packet exhausts its nuggets before it reaches its destination, it is dropped. In the packet trade model, each intermediate node "buys" the packet from the previous node for some nuggets and "sells" it to the next node for more nuggets. Thus, each intermediate node earns some nuggets for providing the forwarding service, and the overall cost of sending the packet is borne by the destination.

3.3 Acknowledgement based schemes

There are several schemes that use end-to-end acknowledgments (ACKs) to detect routing misbehavior or malicious nodes in wireless networks. The acknowledgement packets are sent by the receiver node to the sender node to notify the reception of data packets up to some location of the continuous data stream. The selective acknowledgement scheme is used to acknowledge out-of-order data blocks.

1) 2ACK

This scheme differs from the ACK and SACK schemes used in the TCP protocol. The 2ACK scheme aims to resolve the receiver collision and limited transmission power problems. TWOACK detects misbehaving links by acknowledging every data packet transmitted over every three consecutive nodes along the path from the source to the destination. Upon retrieval of a packet, each node along the route is required to send back an acknowledgment packet to the node that is two hops away from it down the route. TWOACK is required to work on routing protocols such as Dynamic Source Routing (DSR). 2ACK detects misbehaving links by acknowledging every data packet transmitted over every three consecutive nodes along the path from the source to the destination. Upon retrieval of a packet, each node along the route is required to send back an acknowledgment packet to the node that is two hops away from it down the route. The source sends a data packet to the receiver. The receiver generates the 2ACK packet back to the sender. Retrieval of the 2ACK packet within a predefined time period indicates successful transmission; otherwise both destination and intermediate nodes are reported as malicious.

2) TWOACK

The proposed TWOACK scheme serves as an add-on technique for routing schemes to detect routing misbehavior and to mitigate its adverse effect. It is used to detect selfish nodes that participate in the route discovery and maintenance processes but refuse to forward data packets. The TWOACK scheme sends two-hop acknowledgment packets in the opposite direction of the routing path. It detects misbehavior through the use of a new type of acknowledgment packet, termed TWOACK. A TWOACK packet is assigned a fixed route of two hops (three nodes) in the opposite direction of the data traffic route. TWOACK transmission takes place for every set of triplets along the route. Therefore, only the first router from the source will not serve as a TWOACK packet sender. The last router just before the destination and the destination will not serve as TWOACK receivers. TWOACK detects misbehaving links by acknowledging every data packet transmitted over every three consecutive nodes along the path from the source to the destination. Upon retrieval of a packet, each node along the route is required to send back an acknowledgment packet to the node that is two hops away from it down the route. The source sends a data packet to the receiver. The receiver generates the TWOACK packet back to the sender. Retrieval of the TWOACK packet within a predefined time period indicates successful transmission; otherwise both destination and intermediate nodes are reported as malicious. The TWOACK scheme successfully solves the receiver collision and limited transmission power problems.

3) AACK

It is an acknowledgement based scheme which can be considered a combination of a scheme called TACK (identical to TWOACK) and an end-to-end acknowledgement scheme called ACKnowledge (ACK). The source node sends out Packet 1 without any overhead except 2 b of flag indicating the packet type. All the intermediate nodes simply forward this packet. When the destination node receives Packet 1, it is required to send back an ACK acknowledgment packet to the source node along the reverse route. If the source node receives this ACK acknowledgment packet within a predefined time period, then the packet transmission from source node to destination node is successful. Otherwise, the source node will switch to the TACK scheme by sending out a TACK packet.

Misbehaving nodes that exhibit abnormal behaviors can disrupt the network operation and affect the network availability by refusing to cooperate to route packets due to their selfish or malicious behavior. This paper proposes a novel intrusion detection system, which is an adaptive acknowledgment scheme (AACK) with the ability to detect misbehaved nodes and avoid them in other transmissions. The aim of the AACK scheme is to overcome watchdog weaknesses due to collisions and limited transmission power and also to improve the TWOACK scheme. The concept of adopting a hybrid scheme in AACK greatly reduces the network overhead. The functions of such detection schemes all largely depend on the acknowledgment packets. Hence, it is crucial to guarantee that the acknowledgment packets are valid and authentic. AACK reduces the network overhead compared with the TWOACK scheme while maintaining the same network throughput.

4) EAACK

Another acknowledgement based intrusion detection system, named EAACK (Enhanced Adaptive ACKnowledgment), is specially designed for MANETs to detect attackers. EAACK is an acknowledgment-based IDS. This scheme makes use of digital signatures. It requires all acknowledgment packets to be digitally signed. It reduces the packet dropping attack, which is the major security threat. In cases of limited transmission power, receiver collision and false misbehavior rate, EAACK is a preferred IDS over the existing approaches.

EAACK has 3 parts: ACK, S-ACK, and MRA. First, the destination sends an acknowledgement packet to the source. If the source receives the acknowledgement within a predefined time period, then the transmission of the packet is successful. Otherwise it will switch to S-ACK mode. Every three consecutive nodes work in a group to detect misbehaving nodes. For every three consecutive nodes in the route, the third node is required to send an S-ACK acknowledgment packet to the first node. To initiate the MRA mode, the source node first searches its local knowledge base and seeks an alternative route to the destination node. If no other route exists, the source node starts a DSR routing request to find another route. With the help of the MRA scheme, it detects the malicious nodes despite the existence of false misbehavior reports.

This system uses digital signatures to authenticate the acknowledgement packets. Digital signatures prevent the acknowledgement packets from being forged. The sender of the acknowledgement packet must sign the packet, and after the reception of the packet the receiver will verify the authenticity of the packet.

4. CONCLUSION

MANET has a dynamic infrastructure, and having no centralized administration makes such a network vulnerable to many attacks. It needs a high level of security compared to wired networks. In this survey, different security attacks in communication and at different layers are studied. It also analyses the different detection schemes used to detect and evict such attacks. In the future we will extend the detection mechanisms in order to detect more vulnerable attackers and malicious nodes in the network, to improve the network performance, and to verify it using simulation methods.

5. REFERENCES

[1] Elhadi M. Shakshuki, Nan Kang, and Tarek R. Sheltami, "EAACK - A Secure Intrusion Detection System for MANETs," IEEE Trans., vol. 60, no. 3, Mar. 2013.

[2] S. Marti, T. J. Giuli, K. Lai, and M. Baker, "Mitigating routing misbehavior in mobile ad hoc networks," in Proc. 6th Annu. Int. Conf. Mobile Comput. Netw., Boston, MA, 2000, pp. 255–265.

[3] K. Liu, J. Deng, P. K. Varshney, and K. Balakrishnan, "An acknowledgment-based approach for the detection of routing misbehavior in MANETs," IEEE Trans. Mobile Comput., vol. 6, no. 5, pp. 536–550, May 2007.

[4] N. Nasser and Y. Chen, "Enhanced intrusion detection systems for discovering malicious nodes in mobile ad hoc network," in Proc. IEEE Int. Conf. Commun., Glasgow, Scotland, Jun. 24–28, 2007, pp. 1154–1159.

[5] T. Sheltami, A. Al-Roubaiey, E. Shakshuki, and A. Mahmoud, "Video transmission enhancement in presence of misbehaving nodes in MANETs," Int. J. Multimedia Syst., vol. 15, no. 5, pp. 273–282, Oct. 2009.

[6] J. Al-Jaroodi, "Security Issues in Wireless Mobile Ad Hoc Networks at the Network Layer," University of Nebraska-Lincoln, Dept. of Computer Science and Engineering, Technical Report T)*+,*-*-, November 2002.

K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields

[7] Bing Wu, Jianmin Chen, Jie Wu, Michaela Cardei, "A Survey on Attack and Countermeasures in Mobile Ad Hoc Networks," Wireless/Mobile Security, Springer, 006.

[8] Jiahong Weng, "Security Attacks in Mobile Ad Hoc Networks - A Survey."
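The watchdog and pathrater behaviour described in Section 3.1, as an added example that is not code from the surveyed papers: one node buffers what it hands to a next hop, counts packets it never overhears being retransmitted, reports a neighbor once the counter exceeds the threshold, and then rates cached paths. The timeout, threshold, rating constants, node names and packet trace are all constructed assumptions.

```python
from collections import defaultdict


class Watchdog:
    """Runs on one node: buffers packets handed to a next hop and clears each
    one when that hop is overheard retransmitting it."""

    def __init__(self, timeout=1.0, threshold=3):
        self.timeout = timeout        # how long a packet may wait in the buffer
        self.threshold = threshold    # failures tolerated before reporting
        self.buffer = {}              # packet id -> (next hop, time handed over)
        self.failures = defaultdict(int)
        self.misbehaving = set()

    def sent(self, packet_id, next_hop, now):
        self.buffer[packet_id] = (next_hop, now)

    def overheard(self, packet_id, transmitter):
        hop, _ = self.buffer.get(packet_id, (None, None))
        if hop == transmitter:
            del self.buffer[packet_id]

    def tick(self, now):
        """Expire stale packets; return nodes newly reported as misbehaving."""
        reported = []
        for packet_id, (hop, t_sent) in list(self.buffer.items()):
            if now - t_sent <= self.timeout:
                continue
            del self.buffer[packet_id]
            self.failures[hop] += 1
            if self.failures[hop] > self.threshold and hop not in self.misbehaving:
                self.misbehaving.add(hop)
                reported.append(hop)
        return reported


class Pathrater:
    NEUTRAL = 0.5          # assumed rating of a node with no report against it
    MISBEHAVING = -100.0   # assumed penalty; any strongly negative value works

    def __init__(self, watchdog):
        self.watchdog = watchdog

    def rate(self, path):
        hops = path[1:-1]  # only intermediate nodes are rated
        if not hops:
            return self.NEUTRAL
        scores = [self.MISBEHAVING if n in self.watchdog.misbehaving
                  else self.NEUTRAL for n in hops]
        return sum(scores) / len(scores)

    def best(self, cached_paths):
        return max(cached_paths, key=self.rate)


def run_demo():
    """Constructed trace: S sends ten packets each through A and through M."""
    wd = Watchdog(timeout=1.0, threshold=3)
    reports = []
    for i in range(10):
        now = 2.0 * i
        wd.sent(("via-A", i), "A", now)
        wd.sent(("via-M", i), "M", now)
        # A forwards all ten packets, but a collision at S hides
        # retransmission number 4 from the watchdog.
        if i != 4:
            wd.overheard(("via-A", i), "A")
        # M joins routing but never forwards, so nothing is overheard from it.
        reports += wd.tick(now + 1.5)
    best = Pathrater(wd).best([["S", "M", "D"], ["S", "A", "D"]])
    return reports, dict(wd.failures), best


if __name__ == "__main__":
    print(run_demo())
```

The single missed overhearing charged to the honest node A is the receiver-collision weakness the acknowledgment-based schemes set out to fix; the threshold is what keeps it from becoming a false report here.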
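The two-hop acknowledgment check of Section 3.3 (TWOACK, and the S-ACK mode of EAACK), together with the reason EAACK requires authenticated acknowledgments, as an added example that is not code from the surveyed papers. The route, node names and keys are constructed, a missing acknowledgment stands for an expired timeout, and HMAC-SHA256 with a per-node key is an assumption standing in for the digital signature, since the Python standard library has no asymmetric signatures.

```python
import hashlib
import hmac

ROUTE = ["S", "A", "B", "C", "D"]                               # constructed route
KEYS = {n: f"constructed-key-{n}".encode() for n in ROUTE}      # demo keys only


def sign_ack(signer, packet_id):
    """Tag binding an acknowledgment to its sender and to one data packet."""
    msg = f"TWOACK|{signer}|{packet_id}".encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()


def verify_ack(claimed_sender, packet_id, tag):
    return hmac.compare_digest(sign_ack(claimed_sender, packet_id), tag)


def misbehaving_links(route, packet_id, droppers=(), forgers=(),
                      check_signatures=True):
    """Send one data packet along `route` and return the links (n2, n3) that
    some first node of a triplet reports as misbehaving."""
    # Data phase: the packet travels until an intermediate dropper keeps it.
    received = []
    for node in route:
        received.append(node)
        if node in droppers and node not in (route[0], route[-1]):
            break
    forwarded = set(received[:-1])      # nodes that actually transmitted it

    reported = set()
    # Acknowledgment phase: for every triplet n1 -> n2 -> n3 the third node
    # acknowledges to the first, two hops back, through n2.
    for n1, n2, n3 in zip(route, route[1:], route[2:]):
        if n1 not in forwarded:
            continue                    # n1 sent nothing, so it expects nothing
        ack = None
        if n3 in received:
            ack = (n3, sign_ack(n3, packet_id))     # genuine acknowledgment
        elif n2 in forgers:
            # n2 dropped the data and fabricates an ack in n3's name; it can
            # only compute the tag with its own key.
            ack = (n3, sign_ack(n2, packet_id))
        accepted = ack is not None and (
            not check_signatures or verify_ack(ack[0], packet_id, ack[1]))
        if not accepted:                # timeout or invalid acknowledgment
            reported.add((n2, n3))
    return reported


def run_scenarios():
    return {
        "all cooperative": misbehaving_links(ROUTE, 1),
        "B drops": misbehaving_links(ROUTE, 2, droppers={"B"}),
        "B drops and forges, acks unchecked": misbehaving_links(
            ROUTE, 3, droppers={"B"}, forgers={"B"}, check_signatures=False),
        "B drops and forges, acks verified": misbehaving_links(
            ROUTE, 4, droppers={"B"}, forgers={"B"}),
    }


if __name__ == "__main__":
    for name, links in run_scenarios().items():
        print(f"{name}: {sorted(links)}")
```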
