Misbehavior detection in mobile ad hoc networks
using Artificial Immune System approach
Md Shamsher Alam Ansari
Department of Computer Engineering
Aligarh Muslim University
Aligarh, India
shamsher.amu04@gmail.com
Abstract— Application of Artificial Immune Systems (AIS) is emerging as a key Artificial Intelligence concept for detecting misbehavior, ensuring security, detecting faults and performing data mining in Mobile Ad hoc Networks (MANETs). Recognition of misbehaving nodes is a must for the proper functioning of a MANET. The AIS approach has a unique learning feature that is absent in other techniques (e.g. reputation systems). Danger Signal and Clonal Selection are the key AIS techniques for misbehavior detection. Different types of misbehavior occur in MANETs, at different network layers: Physical, Data Link, and Network. In this paper we investigate and detect misbehavior at the Network Layer. We performed experiments using the danger signal and clonal selection concepts of AIS. The result of the misbehavior detection system depends on the way the danger signal is used for detection. We propose an enhancement of misbehavior detection based on proper handling of the danger signal, compare the proposed concept with existing concepts, and present experimental results showing the improvement in the misbehavior detection performance of AIS.
Keywords- MANET, AIS, DSR, Ns2, Danger Signal, Clonal selection
I. INTRODUCTION
Application of wireless technology is growing because of its ease of deployment. In scenarios where the infrastructure stands destroyed, such as at the time of natural disasters, or where infrastructure does not exist at all, such as on battlefields or in uninhabited terrain, Mobile Ad Hoc Networks (MANETs) [1] have emerged as a new and more useful type of wireless network. Conventional networks (wireless or not) generally rely on a fixed support infrastructure, such as routers and switches, to enable data communication. Mobile ad hoc networks, on the other hand, are self-organized networks without any fixed infrastructure other than end-user terminals, such as laptops, with wireless support. Communication beyond the transmission range is made possible by having all nodes act both as terminals and as routers. These networks can be formed easily and quickly, on demand, for specific tasks and mission support.
As we know, human immunity protects our body from diseases caused by viruses, bacteria, fungi, etc. In a similar manner the Artificial Immune System (AIS) has been developed: it uses the features of the natural immune system to protect a system from the different discrepancies introduced by the external world.

This work is sponsored in part by the Council of Scientific and Industrial Research, New Delhi under grant No. 23(0016)/10/EMR-II.

M. Inamullah
Department of Computer Engineering
Aligarh Muslim University
Aligarh, India
inamullah.m@gmail.com
The application areas of AIS are broad; some of them are data mining, misbehavior detection and fraud detection. Our goal is to apply the concept of the Artificial Immune System [2] to finding misbehavior in wireless Mobile Ad hoc Networks [1]. In a wireless mobile ad hoc network the nodes (mobile phones, mobile PCs, etc.) cooperate and provide services to each other. Nodes act both as terminals and as information relays, and participate in a common routing protocol to provide multi-hop radio communication. A MANET is vulnerable to routing misbehavior due to faulty, selfish or malicious nodes. Misbehavior obstructs healthy communication, or in some situations even blocks the entire network communication. Misbehavior detection systems work to remove this vulnerability.
For comparison purposes we simulated and compared two approaches. In the first approach the clonal selection of [4] is not used for misbehavior detection. Since the purpose of clonal selection is to refine the antibody and bring it closer to the antigen that results in misbehavior, a misbehavior detection system without it loses strength. In the second approach the clonal selection of [4] is used for misbehavior detection, which is why its result is better than that of the approach without clonal selection.
In this work we improve upon the second approach [3], mentioned above, by using the danger signal in the bone marrow. The sole objective of our approach is to refine the antibody at its place of origin (the bone marrow), at antibody generation time. In the bone marrow every randomly generated antibody then closely resembles some antigen that could harm the network, and the clonal selection process further refines these antibodies. Thus we get antibodies that are more effective than those generated by the second approach [3], and this approach causes fewer false positive detections than the two approaches mentioned above. The NS2 simulator [5] is used for the simulation experiments.
The subsequent sections of this paper are organized as follows. Sections II and III survey related work: in section II, after a brief introduction to MANETs, we discuss the vulnerabilities MANETs are prone to, and in section III we discuss the human and artificial immune systems. In section IV we describe the implementation of the AIS, and in section V we discuss our proposed enhancement. We present our results in section VI and conclude the paper in section VII.
II. VULNERABILITIES IN MANET
A MANET can be used as communication support on the battlefield, as assistance to rescue operations during natural hazards, as support for search and survey operations in inhospitable terrain, as a vehicular network, as a mobile sensor network, etc. The functionality of a MANET is affected by the way in which its nodes operate. In addition to the vulnerabilities of their wired counterparts, MANETs face their own security risks. Each node is potentially part of a support system, collaborating with others to provide basic communication services to its neighbors, so individual nodes' vulnerabilities and misbehavior can directly affect network performance. Faulty software or hardware, bad intentions, or the intention to save battery power are some of the possible reasons for a node's misbehavior. In MANETs one cannot provide a defense mechanism at the boundaries, as the boundaries of these networks are not well defined. Similarly, there is no fixed infrastructure apparatus where security-related steps could be taken. MANETs have a shared communication medium, and network operations such as routing are carried out collaboratively. The network is dynamic in nature: the network size and topology as well as the node configuration are susceptible to change at any time. These key characteristics differentiate MANETs from wired networks, and MANETs experience a new set of performance and security challenges [6]. Since we are dealing with network layer vulnerabilities, we explain network layer vulnerabilities in more detail.
Network Layer vulnerabilities
The network layer in MANETs provides data routing and packet forwarding services among nodes: each node voluntarily serves as a data router and packet forwarder, which is why each node in a MANET also runs the routing protocol. Routing protocols are generally classified into reactive and proactive protocols. In proactive routing protocols nodes broadcast periodic beacons to proactively update the routing table information at each node. Reactive routing protocols, on the other hand, do not update routing tables spontaneously; route discovery is initiated only when a packet transmission requires a route. Discovered routes to a destination are cached for some time and are used for transmissions to the same destination in the near future. Malicious manipulation of route advertisements, injection of false or incomplete information, routing table overflow, network flooding, wormhole attacks in which the malicious node deliberately tunnels the traffic through a path that is hidden from the source or destination, and black-hole attacks in which the attacking node drops the packets it was supposed to forward, are some of the attacks on MANETs. Many techniques have been proposed to prevent routing attacks; some use encryption at the protocol and node levels, whereas others use information correlation between multiple nodes [6].
Biologically inspired techniques, though still a matter of debate among security researchers, have been used for many optimizations [2, 6, 7], especially their concept of differentiating between cells as self or non-self. It is predicted that as the security requirements of systems become clearer, artificial immunity techniques will become embedded in the system itself and will help detect anomalies in a more elaborate and balanced way [6].
III. THE HIS AND THE AIS
An artificial immune system (AIS) [3, 8] is a computational model of the human immune system [9] that incorporates many properties of natural immune systems, including diversity, distributed computation, error tolerance, dynamic learning and adaptation, and self-monitoring. AIS can be applied to security in computing and networking systems, where it maintains the proper state of the system by detecting misbehavior by any component of the system while keeping false positive rates low.
The natural (human) immune system (HIS) is highly complicated and precisely tuned to the problem of detecting and eliminating infections. In the natural immune system every cell from outside the body is referred to as a non-self or foreign cell, and a cell of the body as a self cell. In summary, when a foreign cell enters the body, the immune system recognizes it from its structure and from the chemical bonding between the immune cell and the foreign cell. The immune cell, called a lymphocyte, has hundreds of identical receptors that bind to the surface of the pathogen. The binding occurs in the form of chemical binding and charge. The surface of pathogens is covered by a protein called antigen and, similarly, that of immune cells by antibody. Antibodies are generated in the bone marrow and are first processed for self tolerance, where all antibodies that bind self cells are destroyed, so that they cannot affect the body's own cells [9].
The HIS has many properties [11] (e.g. its diversity, its distributed and dynamic nature, its error tolerance, its ability to self-monitor, and its adaptability) that can help improve artificial systems. Certain unique qualities of natural immune systems (viz. robustness, adaptivity and autonomy) result directly from these properties and are currently not available in most artificial systems. Hofmeyr and Forrest [11] discuss the properties and the resulting characteristics of immune systems in detail.
In the next section we discuss the implementation of node misbehavior detection at the network layer, for the case where a malicious node forwards route request packets but does not forward data packets. We use the mapping between HIS and AIS elements proposed by Boudec and Sarafijanovic in [3], and we improve upon the detection phase.
IV. IMPLEMENTATION
Since the Artificial Immune System (AIS) is completely based on the Human Immune System (HIS), the first task in designing the AIS is to map the HIS parameters to activities in the MANET. As we use the Dynamic Source Routing (DSR) algorithm and capture the nodes' activity in the MANET, each element of the MANET and each DSR protocol event of a node is mapped onto an HIS element. The mapping affects the accuracy of the AIS detection process, and one of the key design challenges of an AIS is to define a suitable set of efficient genes [2]. Genes form the basis for deciding whether a node misbehaves; the genes of a node in a MANET can be thought of as the node's description of the observed performance of its neighbor nodes and of the network.
Based on the description of AIS and HIS in [3], we summarize the correspondence between the two in Table 1.
HIS Elements                         MANET Elements
Body                                 The entire mobile ad hoc network
Self cells                           Well-behaving nodes
Non-self cells                       Misbehaving nodes
Gene                                 Number of sub-patterns in a sequence of protocol events
Antigen                              Sequence of genes
Antibody                             Pattern same as that of antigen (randomly generated)
Chemical binding                     Matching function (binding of antigen with antibody)
Bone marrow (protected environment)  Network with certified nodes that do not misbehave
Negative selection                   Negative selection block
Table 1: Correspondence of HIS and AIS terms
Antigen Mapping
An antigen is represented as a pattern of observed protocol events [3]. Event patterns and their timing describe the behavior of a node, and the goal is to find out whether this behavior is wrong. Protocol events for neighbors are captured in time intervals of 10 s each.
For a monitored node one data set consists of the protocol events recorded during one time interval of duration Δt seconds (e.g. 10 s), with a maximum of Ns events per data set (Ns = 40). The collected data sets are then transformed. The first step is the mapping of protocol events to a finite set of primitives, each identified by a symbol [3].
For the simulation we used the following primitives, as discussed by Boudec and Sarafijanovic in [3]. These primitives denote the events generated at the monitored node when a packet originating at other nodes is received at the monitored node.
a = RREQ sent
b = RREP sent
c = RERR sent
d = DATA packet sent
e = RREQ received
f = RREP received
g = RERR received
h = DATA packet received
Using the above primitives the collected data set is represented as a sequence of symbols (primitives) [3]. For example:
L1 = (eeaeeeaeebeaeehdhdh, hdhdhdhdhdhdhdhdhdh, ...).
In the second step genes are defined [3]. Genes are used for matching. We use the following list from [3]:
Gene 1 = NUM(e) in sequence
Gene 2 = NUM(e*(a+b)) in sequence
Gene 3 = NUM(h) in sequence
Gene 4 = NUM(h*d) in sequence
where NUM("string") is the number of occurrences of "string" in a sequence such as L1, * stands for zero or one occurrence of an arbitrary symbol, and a+b means a or b. For example, NUM(h*d) is the number of occurrences of the expression h*d, where the matched string itself has length one or two and is defined to be "zero or one h followed by a d".
Thus the above sequence L1 can be mapped into antigens, each consisting of four genes, as shown below.
L2 = ({10, 4, 3, 2}, {0, 0, 10, 9}, …)
L3 = ({Gene 1, Gene 2, Gene 3, Gene 4}, {Gene 1, Gene 2, Gene 3, Gene 4}, …)
Genes capture the correlation between protocol events, in the same way as in [3]. For normal DSR operation the values of genes 1 and 2 are correlated, as are the values of genes 3 and 4 [3]. In the case of misbehavior this correlation changes.
In the final step of the mapping process a gene value is encoded on N bits (N = 10) [3]. The range of gene values below some threshold is divided by N, so that N intervals are obtained, which are numbered sequentially starting from 1. For a gene whose value is less than the threshold, the number of the interval to which the value belongs gives the bit position in the N-bit pattern, and that bit is set to 1. Gene values larger than the threshold are encoded as if they belonged to the last interval (Figure 1).
For example, if N = 10 and the threshold value for all four genes is 20, then L2 is mapped to L3 as follows.
L3 = ({0000100000, 0000000100, 0000000010, 0000000010}, {0000000000, 0000000000, 0000100000, 0000010000}, ...)
Figure 1: Conversion of antigen to 0 and 1 string (the figure plots Gene 1 to Gene 4 against the gene-value scale, with interval boundaries 1.9, 3.8, 5.7, 7.6, 9.5, 11.4, 13.3, 15.2, 17.1, 19 and the example values 10, 4, 3, 2)
Figure 2: Complete AIS
In every Δt time interval we obtain one such antigen (L3) for each monitored (neighboring) node. Every bit in this representation is called a nucleotide.
Antibody Representation
After performing the mapping [3], the antibody generation function and the matching function are created. The functionality of the bone marrow [9, 13] is implemented by the antibody generation function. The basic difference between antigen and antibody is that an antigen has only one nucleotide set to 1 per gene, whereas an antibody may have more than one nucleotide equal to 1 per gene [3]. For example:
L4 = ({1010100011, 0001101100, 1100100010, 0110001010}, ...)
Matching Function
An antibody matches an antigen if the antibody has a '1' in every position where the antigen has a 1 [3, 14]. This allows the detection system to cover a larger set of possible non-self antigens with a relatively small number of antibodies. Antibodies are created randomly. After generation, an antibody is passed through negative selection [12, 13, 14]: antibodies that match any self antigen are deleted. For example:
Antibody1 = {1010100011, 0001101100, 1100100010, 0110001010}
Antibody2 = {1010111000, 0101100100, 1010101010, 0110101110}
Self-Antigen = {0000001000, 0000100000, 0000001000, 0000000100}
From the example we see that Antibody2 matches the Self-Antigen. Thus in negative selection Antibody2 is deleted, while Antibody1 is kept for detection. The above concepts are used in the design of the artificial immune system. The block diagram with all the functional blocks that jointly build our modified AIS is shown in Figure 2. This AIS is present at every node.
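As an added example (not code from the paper or from [3]), the following Python reproduces the antigen mapping, the N-bit encoding, the matching function and negative selection described above, run on the paper's own sequence L1, Antibody1, Antibody2 and Self-Antigen. It interprets * as the paper defines it (zero or one arbitrary symbol), counts non-overlapping occurrences, and assumes that a gene value of 0 encodes as the all-zero pattern, as the L3 example shows.

```python
# Added example (not part of the paper): antigen mapping, N-bit encoding,
# matching function and negative selection of Section IV, run on the
# paper's sample sequences and antibodies.
import re
from typing import List

N_BITS = 10       # nucleotides per gene (N = 10 in the paper)
THRESHOLD = 20    # gene-value threshold used in the paper's example

# Gene patterns from the paper: '*' (zero or one arbitrary symbol) becomes
# '.?', and 'a+b' (a or b) becomes '[ab]'. NUM(...) counts non-overlapping
# matches, which reproduces the paper's example values.
GENES = [
    ("Gene 1", r"e"),        # NUM(e)
    ("Gene 2", r"e.?[ab]"),  # NUM(e*(a+b))
    ("Gene 3", r"h"),        # NUM(h)
    ("Gene 4", r"h.?d"),     # NUM(h*d)
]


def gene_values(seq: str) -> List[int]:
    """Step two of the mapping: a symbol sequence -> its four gene values."""
    return [len(re.findall(rx, seq)) for _, rx in GENES]


def encode_gene(value: int, n_bits: int = N_BITS, threshold: int = THRESHOLD) -> str:
    """Step three: encode one gene value on n_bits nucleotides.
    The range below the threshold is split into n_bits intervals numbered
    1..n_bits; the interval holding the value selects the bit (counted from
    the right) that is set. Values at or above the threshold fall into the
    last interval. Assumption: a value of 0 (no events observed) gives the
    all-zero pattern, which is what the paper's L3 example shows."""
    if value <= 0:
        return "0" * n_bits
    interval = min(int(value // (threshold / n_bits)) + 1, n_bits)
    return "0" * (n_bits - interval) + "1" + "0" * (interval - 1)


def antigen(seq: str) -> List[str]:
    """Full mapping of one observed sequence (one Δt slot) to an antigen."""
    return [encode_gene(v) for v in gene_values(seq)]


def matches(antibody: List[str], ag: List[str]) -> bool:
    """Matching function: in every gene the antibody must have a 1
    wherever the antigen has a 1 (no antigen bit may be missing)."""
    return all((int(a, 2) & ~int(b, 2)) == 0 for b, a in zip(antibody, ag))


def negative_selection(antibodies: List[List[str]],
                       self_antigens: List[List[str]]) -> List[List[str]]:
    """Delete every randomly generated antibody that matches a self antigen."""
    return [ab for ab in antibodies
            if not any(matches(ab, s) for s in self_antigens)]


# Sample data taken from the paper (sequence L1, Antibody1/2, Self-Antigen).
L1 = ["eeaeeeaeebeaeehdhdh", "hdhdhdhdhdhdhdhdhdh"]
ANTIBODY1 = ["1010100011", "0001101100", "1100100010", "0110001010"]
ANTIBODY2 = ["1010111000", "0101100100", "1010101010", "0110101110"]
SELF_ANTIGEN = ["0000001000", "0000100000", "0000001000", "0000000100"]

if __name__ == "__main__":
    for seq in L1:
        print(seq, gene_values(seq), antigen(seq))   # L2 and L3 of the paper
    print("kept after negative selection:",
          negative_selection([ANTIBODY1, ANTIBODY2], [SELF_ANTIGEN]))
```

Running it prints the paper's L2 and L3 values for both sequences and keeps only Antibody1, as the negative selection example in the text states.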
V. WORKING OF AIS
First of all, all nodes in the MANET are AIS-enabled. The working of the AIS [3] can be understood in the phases described below.
Learning phase:
When a new node (equipped with AIS) enters the MANET it knows nothing about normal behavior or misbehavior in the network. The new node starts its AIS with a self-learning phase, in which it observes antigens derived from the neighboring nodes' protocol events and collects self antigens up to some defined number. After reaching this number it enters the detection phase.
Detection phase:
In this phase the node persistently observes antigens and updates its self examples, in addition to performing detection. Once a node enters the detection phase it remains in this phase. The node saves information about the system state (self antigens) and uses it to enter the detection phase directly if it rejoins after a period of absence. The node continuously observes routing protocol events for all its neighbors and records them within time slots of Δt seconds. The routing protocol events are those discussed in section IV. Protocol events collected for one neighbor are converted into an antigen; the current behavior of an observed node is represented by the antigen collected in the current time interval.
Handling Danger Signal (DS): The Proposed Modification
The destination node sends an acknowledgement to the sender node after receiving the entire data packet. When a node experiences loss of a packet sent by it (absence of acknowledgement), it generates a danger signal. Occurrence of packet loss is seen as damage to the protected system (MANET). The DS is sent over the route on which the packet loss occurred, and is received by all the nodes within radio range. In our proposed technique of proper handling of the DS, each node receives the danger signal and passes it to the bone marrow block. The randomly generated antibodies in the bone marrow are exposed to the DS and to the corresponding antigen collected from the network. Antibodies which resemble (to any extent) the collected non-self antigens are stored for detection purposes. In this way we get detectors (antibodies) that closely resemble some misbehavior activity (pattern), and for this reason the chances of false positives decrease. Further, the clonal selection process also enhances the effectiveness of the generated antibodies.

Total No. of Nodes     Detected misbehavior   Detected misbehavior   Detected misbehavior with
(No. of misbehaving    without clonal         with clonal            clonal selection
nodes)                 selection              selection              (enhancement)
5 (3)                  4                      3                      4
10 (6)                 7                      5                      5
20 (12)                7                      9                      10
40 (15)                11                     13                     15
60 (20)                15                     18                     20
Table 2: Misbehavior detection (including false positives) using different approaches
VI. RESULT AND DISCUSSION
In order to simulate misbehavior in a node we made the misbehaving nodes randomly drop all types of packets they receive, with a dropping probability higher than the forwarding probability. Then we simulated the network with AIS-enabled nodes. Table 2 shows the misbehaving nodes detected using the different approaches. The first approach does not use clonal selection [4] for misbehavior detection; since the purpose of clonal selection is to refine the antibody and bring it closer to the (non-self) antigen that results in misbehavior, this approach is weaker. In the second approach clonal selection is used for misbehavior detection, which is why its result is better than that of the approach without clonal selection.

Figure 3: Graph showing misbehavior detection using different approaches

In our approach we improved upon the second approach [3], mentioned above, by using the danger signal in the bone marrow. The sole objective of our approach is to refine the antibody at its generation time. In the bone marrow every randomly generated antibody then closely resembles some antigen that could harm the network, and the clonal selection process further refines these antibodies. Thus we get antibodies that are more effective than those generated normally from the bone marrow. This approach also produces fewer false positive detections than the two approaches mentioned above. Table 3 lists the false positive detections, and Figure 4 shows the graph of false positive detection for all three approaches. The approach that does not use clonal selection has a higher false positive rate than the two that use it, and our approach has the lowest false positive rate.

Total No. of Nodes     Detected misbehavior   Detected misbehavior   Detected misbehavior with
(No. of misbehaving    without clonal         with clonal            clonal selection
nodes)                 selection              selection              (enhancement)
5 (3)                  3                      1                      0
10 (6)                 3                      0                      0
20 (12)                2                      1                      1
40 (15)                4                      1                      1
60 (20)                5                      2                      0
Table 3: False positive detection
Figure 4: Graph showing false positive detection using different approaches

VII. CONCLUSION
We discussed the results of the approaches used for misbehavior detection based on the concept of AIS (Artificial Immune System). First, we conclude that misbehavior detection using AIS with clonal selection gives acceptable results. The false positive detection after enhancement of the existing technique is lower, and total misbehavior detection after enhancement is higher. Through the experiment we reached the conclusion that AIS capability can be enhanced by proper handling of the danger signal generated in the network.
REFERENCES
[1] D. Remondo, "Tutorial on Wireless Ad Hoc Networks," in Proc. HetNets '04, 2004.
[2] L. N. de Castro and J. I. Timmis, Artificial Immune Systems: A New Computational Intelligence Approach, Springer-Verlag, 2002, p. 357.
[3] J. L. Boudec and S. Sarafijanovic, "An Artificial Immune System Approach to Misbehavior Detection in Mobile Ad-Hoc Network," in Proc. Bio-ADIT, 2004, pp. 96-111.
[4] Y. Yu and C. Z. Hou, "A Clonal Selection Algorithm by using Learning Operator," in Proc. Third International Conference on Machine Learning and Cybernetics, 2004, pp. 2924-2929.
[5] "The network simulator - ns-2," Internet: http://www.isi.edu/nsnam/ns/, [August 15, 2011].
[6] R. Ford and M. Howard, "Security in Mobile Ad Hoc Networks," IEEE Security & Privacy, vol. 6, no. 2, pp. 72-75, 2008.
[7] K. Liu, J. Deng, P. K. Varshney, and K. Balakrishnan, "An Acknowledgment-based Approach for the Detection of Routing Misbehavior in MANETs," IEEE Trans. Mobile Computing, vol. 6, no. 5, pp. 536-549, May 2007.
[8] J. R. Al-Enezi, M. F. Abbod, and S. Alsharhan, "Artificial Immune System - Models, Algorithms and Applications," Int. J. Research and Reviews in Applied Sciences, vol. 3, no. 2, pp. 118-131, May 2010.
[9] W. E. Paul, "The Immune System: An Introduction," in Fundamental Immunology, 3rd ed., W. E. Paul, Ed., Raven Press Ltd, 1993.
[10] H. Xie and Z. Hui, "An Intrusion Detection Architecture for Ad hoc Network based on Artificial Immune System," in Proc. PDCAT'06, 2006.
[11] S. A. Hofmeyr and S. Forrest, "Architecture for an Artificial Immune System," Evolutionary Computation, vol. 7, no. 1, pp. 45-68, 2000.
[12] M. Ayara, J. Timmis, R. de Lemos, and R. Duncan, "Negative Selection: How to Generate Detectors," in Proc. 2002 ICAIS, pp. 89-98.
[13] Z. Ji and D. Dasgupta, "Revisiting Negative Selection Algorithms," Evolutionary Computation, vol. 15, no. 2, pp. 223-251, 2007, Massachusetts Institute of Technology.
[14] J. Kim and P. J. Bentley, "Evaluating Negative Selection in an Artificial Immune System for Network Intrusion Detection," in Proc. Genetic and Evolutionary Computation Conference 2001 (GECCO-2001), San Francisco, July 7-11, pp. 1330-1337.