INTRUSION DETECTION OF IN-BAND WORMHOLES IN MANETS USING ADVANCED STATISTICAL METHODS

Shanshan Zheng, Tao Jiang, John S. Baras
University of Maryland College Park, College Park, MD 20742

Anuja Sonalker and Dan Sterne
SPARTA, Inc., Columbia, MD 21046

Richard Gopaul and Rommie Hardy
U.S. Army Research Laboratory, Adelphi, MD 20783

ABSTRACT

Due to the dynamics and mobility of mobile ad hoc networks (MANETs), intrusion detection techniques in MANETs must be adaptive. In this work, we propose detection schemes that are suitable for detecting in-band wormhole attacks. The first detection scheme uses the Sequential Probability Ratio Test (SPRT). The SPRT has been proven to be an optimal detection test when the probability distributions of both normal and abnormal behaviors are given. Furthermore, we introduce non-parametric methods, which require no training and are more adaptive to mobile scenarios. The proposed detection schemes are implemented and evaluated using a 48-node testbed and a mobile ad-hoc network emulator at the Army Research Lab. The performance and detection accuracy of the various schemes are compared, especially in the presence of congestion. We provide tradeoff analyses among detection latency and the probabilities of false alarms and missed detection.

INTRODUCTION

Mobile ad-hoc networks (MANETs) will be widely used in future battlefields where no network infrastructure exists. MANETs rely on the collaboration of nodes for almost all of their functions. Therefore, collaborative attacks by compromised nodes are seriously disruptive to core MANET functions such as routing. In this paper, we focus on one specific type of collaborative attack on MANET routing: the wormhole attack. In physics, a wormhole is a hypothetical shortcut through space and time that connects two distant regions.
In cyber security, the term wormhole was recently adopted [1] to describe an attack on MANET routing protocols in which colluding nodes create the illusion that two remote regions are directly connected through nodes that appear to be neighbors but are actually distant from one another. The illusory shortcut is created by connecting the purported neighbors using a covert communication mechanism. The wormhole undermines shortest-path routing calculations, allowing the attacking nodes to attract and route traffic from other parts of the network through them. The wormhole thus creates two artificial traffic choke points that are under the control of the attacker and can be utilized at an opportune future time to degrade or analyze traffic.

This paper deals with in-band wormholes, which covertly connect the purported neighbors via multihop tunnels through the primary link layer. In-band wormholes are important for several reasons. First, because they do not require additional specialized hardware, they can be launched from any node in the network; as a result, they may be more likely to be used by real adversaries. Second, unlike out-of-band wormholes [1], [2], which actually add channel capacity to the network, in-band wormholes continually consume network capacity (i.e., waste bandwidth), thereby inherently causing service degradation.

There are two challenges unique to detecting in-band wormhole attacks in MANETs. First, the detector needs to be able to efficiently correlate individual actions across nodes in order to identify and localize the attack. Second, the detector should be able to detect and localize an ongoing attack with minimum delay, because of the dynamics of MANETs and the fast reaction to attacks required on the battlefield.
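The abstract names the SPRT as the first detection scheme and the introduction asks for detection with minimum delay; the following added example (not the paper's code) runs Wald's SPRT over a constructed stream of per-sample anomaly indicators and shows how the false-alarm and missed-detection targets set the number of samples needed before a decision. The indicator rates P0 and P1 and the streams are constructed assumptions, not measurements from the paper's testbed.

```python
import math

# Constructed per-sample anomaly rates (assumptions, not values from the paper):
# P0 = probability a sample is flagged anomalous under normal routing,
# P1 = probability a sample is flagged while an in-band wormhole is active.
P0, P1 = 0.1, 0.5

def wald_thresholds(alpha, beta):
    """Wald's SPRT decision thresholds (log-likelihood-ratio domain) for a
    target false-alarm probability alpha and missed-detection probability beta."""
    upper = math.log((1.0 - beta) / alpha)  # reaching it -> decide 'attack'
    lower = math.log(beta / (1.0 - alpha))  # reaching it -> decide 'normal'
    return lower, upper

def sprt(observations, alpha, beta, p0=P0, p1=P1):
    """Run the SPRT over a stream of 0/1 anomaly indicators.

    Returns (decision, samples_used); decision is 'attack', 'normal', or None
    when the stream ends before either threshold is reached (keep sampling).
    """
    lower, upper = wald_thresholds(alpha, beta)
    step_flag = math.log(p1 / p0)                # LLR increment for a 1
    step_clear = math.log((1 - p1) / (1 - p0))   # LLR increment for a 0
    llr = 0.0
    for n, x in enumerate(observations, start=1):
        llr += step_flag if x else step_clear
        if llr >= upper:
            return "attack", n
        if llr <= lower:
            return "normal", n
    return None, len(observations)

def latency_for_targets(observations, targets):
    """Samples needed to decide for each (alpha, beta) pair: tighter error
    targets push the thresholds apart and so raise detection latency."""
    return [(a, b, sprt(observations, a, b)[1]) for a, b in targets]

# Constructed indicator streams: every sample flagged vs. none flagged.
ATTACK_STREAM = [1] * 20
NORMAL_STREAM = [0] * 20

if __name__ == "__main__":
    print(sprt(ATTACK_STREAM, 0.01, 0.01))  # ('attack', 3)
    print(sprt(NORMAL_STREAM, 0.01, 0.01))  # ('normal', 8)
    print(latency_for_targets(ATTACK_STREAM,
                              [(0.05, 0.05), (0.01, 0.01), (0.001, 0.001)]))
```

With alpha = beta tightened from 0.05 to 0.001, the all-flagged stream needs 2, 3 and then 5 samples before the attack decision, which is the latency cost of lower error probabilities.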
In this paper we extend the work presented in [3], [4] by implementing a Sequential Probability Ratio Test (SPRT) based intrusion detection system (IDS) and evaluating it using a 48-node testbed and a mobile ad-hoc network emulator at the Army Research Lab. Furthermore, we introduce non-parametric methods, which require no training and are more adaptive to mobile scenarios. We study the detection accuracy of these detection methods, especially in the presence of traffic congestion. Tradeoff analyses among detection latency and the probabilities of false alarms and missed detection are also presented in this paper.

RELATED WORK

Several approaches have been proposed in the literature to defend against wormhole attacks in wireless ad hoc networks. Hu et al. proposed in [1] to add information to a packet