A novel support vector machine based intrusion detection system for mobile ad hoc networks

Erfan A. Shams (1) • Ahmet Rizaner (2)

© Springer Science+Business Media New York 2017

Abstract

The performance of mobile ad hoc networks (MANETs) is significantly affected by malicious nodes. One of the most common attacks in MANETs is denial of service (DoS), a type of intrusion specifically designed to target the service integrity and availability of a certain network node. Hence, it is important to use an efficient intrusion detection system (IDS) that monitors the network traffic continuously and detects and removes the malicious nodes in the network to improve performance. The main contribution of this paper is the integration of an IDS into MANETs as a reliable and potent solution. A new approach to intrusion detection is developed based on the support vector machine algorithm. The proposed IDS can detect DoS-type attacks at a high detection rate with a simple structure and short computing time. It is shown by extensive computer simulation that the proposed IDS improves the reliability of the network significantly by detecting and removing the malicious nodes in the system. The performance of the suggested approach is independent of the network routing protocol. The detection rate of the system is also not affected by node mobility and network size.

Keywords: Support vector machines · Denial of service · Intrusion detection · Mobile ad hoc networks · Machine learning

1 Introduction

Network anomalies are often present in any type of mobile ad hoc network (MANET), stemming from its dynamic and infrastructure-less nature [1]. There are various reasons for these anomalies, such as malfunctioning network equipment, network congestion, or intrusions and active attacks. Intrusion is an acute type of anomaly that targets the service integrity and availability of the network [2–5].
The denial of service (DoS) attack is one of the most well-known types of network intrusion, intended to degrade the service provided by a specific target to other legitimate users [6–9]. DoS attacks fall into several categories, such as Wormhole, Blackhole, Grayhole and Flooding [3–5, 10, 11]. Each exploits a different security breach in the network and affects factors such as traffic flooding, connection interruption, blocking access or system disruption in the wireless system [12]. The first three attacks affect the routing behavior of the system by falsifying and altering routing paths. Flooding attacks, unlike the other methods, directly target a network member by sending high rates of false data or control packets. It is shown in [13] that a flooding type attack can decrease the packet delivery ratio up to 84%. The User Datagram Protocol (UDP) flooding attack [14] is a data flooding attack in which the designated target is overwhelmed by a continuous rate of data traffic, with a higher bit rate and packet size than usual. This can be achieved since UDP is a connectionless protocol without any type of flow control [12].

Intrusion detection systems (IDS) are designed to detect and act against network violations through monitoring and identifying anomalies. Therefore, to ensure the availability and integrity of the network services, it is urgent to have such systems implemented and maintained successfully

Corresponding author: Ahmet Rizaner, ahmet.rizaner@emu.edu.tr

(1) Department of Mathematics and Computer Science, Faculty of Arts and Sciences, Eastern Mediterranean University, via Mersin 10, Famagusta, North Cyprus, Turkey

(2) Department of Information Technology, School of Computing and Technology, Eastern Mediterranean University, via Mersin 10, Famagusta, North Cyprus, Turkey

Wireless Netw, DOI 10.1007/s11276-016-1439-0