Misbehavior Detection in Mobile Ad Hoc Networks Using the Artificial Immune System Approach

Md Shamsher Alam Ansari, Department of Computer Engineering, Aligarh Muslim University, Aligarh, India, shamsher.amu04@gmail.com
M. Inamullah, Department of Computer Engineering, Aligarh Muslim University, Aligarh, India, inamullah.m@gmail.com

Abstract— The Artificial Immune System (AIS) has evolved as a key artificial-intelligence concept for detecting misbehavior, ensuring security, detecting faults and performing data mining in Mobile Ad hoc Networks (MANETs). Recognition of misbehaving nodes is a must for the proper functioning of a MANET. The AIS approach has a feature of learning which is absent in other techniques (e.g. reputation systems). Danger signal and clonal selection are the key AIS techniques for misbehavior detection. Different types of misbehavior occur in MANETs, at different network layers (physical, data link and network). In this paper we investigate and detect misbehavior at the network layer. We performed experiments using the danger-signal and clonal-selection concepts of AIS. The result of a misbehavior detection system depends on how the danger signal is used. We propose an enhancement of misbehavior detection through proper handling of the danger signal, compare it with existing approaches, and show experimental results demonstrating the improvement in the performance of AIS for misbehavior detection.

Keywords- MANET, AIS, DSR, ns-2, danger signal, clonal selection

This work is sponsored in part by the Council of Scientific and Industrial Research, New Delhi, under grant No. 23(0016)/10/EMR-II.

I. INTRODUCTION

Application of wireless technology is growing because of its ease of deployment. In scenarios where the infrastructure has been destroyed, such as after natural disasters, or where no infrastructure exists at all, such as on battlefields or in uninhabited terrain, Mobile Ad Hoc Networks (MANETs) [1] have emerged as a new and more useful type of wireless network.

Conventional networks (wireless or not) generally rely on a fixed support infrastructure, such as routers and switches, to enable data communication. Mobile ad hoc networks, on the other hand, are self-organized networks without any fixed infrastructure other than the end-user terminals themselves, such as laptops with wireless support. Communication beyond the transmission range is made possible by having all nodes act both as terminals and as routers. Such networks can be formed easily and quickly, on demand, for specific tasks and mission support.

Human immunity protects the body from diseases caused by viruses, bacteria, fungi and the like. In a similar manner the Artificial Immune System (AIS) has been developed: it borrows the features of the natural immune system to protect a computing system from anomalies coming from the outside world. The application areas of AIS are broad and include data mining, misbehavior detection and fraud detection. Our goal is to apply the AIS concept [2] to finding misbehavior in wireless mobile ad hoc networks [1]. In a MANET each node (mobile phone, mobile PC, etc.) cooperates with and provides services to the others: nodes act both as terminals and as information relays, and participate in a common routing protocol to provide multi-hop radio communication. A MANET is therefore vulnerable to routing misbehavior by faulty, selfish or malicious nodes. Misbehavior obstructs healthy communication and in some situations blocks network communication entirely. Misbehavior detection systems aim to remove this vulnerability. For comparison we simulated and compared two existing approaches.
In the first approach the clonal selection of [4] is not used for misbehavior detection. Since the purpose of clonal selection is to refine an antibody and bring it closer to the (non-self) antigen that results from misbehavior, a detection system without it loses detection strength. In the second approach [3] the clonal selection of [4] is used, and its results are accordingly better than those of the approach without clonal selection. In this work we improve upon the second approach [3] by using the danger signal in the bone marrow. The objective is to refine antibodies at their place of origin (the bone marrow), at antibody generation time. In the bone marrow, every randomly generated antibody then closely resembles some antigen that could harm the network, and the clonal selection process refines these antibodies further. Thus we get antibodies that are more effective than those generated by the second approach [3], and fewer false-positive detections than with either of the two approaches above. The ns-2 simulator [5] is used for the experiments.

The rest of the paper is organized as follows. Sections II and III are a short literature survey: Section II gives a brief introduction to MANETs and discusses the vulnerabilities they are prone to, and Section III discusses the human and artificial immune systems. Section IV describes the implementation of the AIS, Section V our proposed enhancement and Section VI the results; Section VII concludes the paper.

II. VULNERABILITIES IN MANET

A MANET can be used as communication support on the battlefield, as assistance to rescue operations during natural hazards, as support for search and survey operations in inhospitable terrain, as a vehicular network, as a mobile sensor network, and so on.
The functionality of a MANET is affected by the way its nodes operate. In addition to the vulnerabilities of their wired counterparts, MANETs face their own security risks. Each node is potentially part of a support system, collaborating with others to provide basic communication services to its neighbors, so an individual node's vulnerabilities and misbehavior directly affect network performance. Faulty software or hardware, bad intentions, or the wish to save battery power are some of the possible reasons for a node's misbehavior. In a MANET one cannot provide a defense mechanism at the boundary, because the boundary is not well defined; nor is there any fixed infrastructure apparatus where security measures could be placed. MANETs use a shared communication medium, and network operations such as routing are carried out collaboratively. The network is dynamic: its size and topology, as well as the node configuration, may change at any time. These key characteristics differentiate MANETs from wired networks and expose them to a new set of performance and security challenges [6]. Since we deal with network-layer vulnerabilities, we explain these in more detail.

Network layer vulnerabilities

The network layer in a MANET provides routing and packet-forwarding services among nodes: each node voluntarily serves as a router and packet forwarder, and therefore each node also runs the routing protocol. Routing protocols are generally classified as proactive or reactive. In proactive protocols nodes broadcast periodic beacons to keep the routing table at each node up to date. Reactive protocols do not update routing tables spontaneously; route discovery is initiated only when a packet transmission requires a route.
Discovered routes to a destination are cached for some time and reused for transmissions to the same destination in the near future. Some of the attacks on MANETs are malicious manipulation of route advertisements, injection of false or incomplete routing information, routing table overflow, network flooding, wormhole attacks, in which a malicious node tunnels traffic through a path hidden from the source and destination, and black-hole attacks, in which the attacking node drops the packets it was supposed to forward. Many techniques have been proposed to prevent routing attacks: some use encryption at the protocol and node levels, others correlate information between multiple nodes [6]. Biologically inspired techniques, though still debated among security researchers, have been used for many optimizations [2, 6, 7], especially their concept of distinguishing cells as self or non-self. It is predicted that as the security requirements of systems become clearer, artificial immunity techniques will become embedded in the systems themselves and will help detect anomalies in a more elaborate and balanced way [6].

III. THE HIS AND THE AIS

An artificial immune system (AIS) [3, 8] is a computational model of the human immune system [9] that incorporates many properties of natural immune systems, including diversity, distributed computation, error tolerance, dynamic learning and adaptation, and self-monitoring. An AIS can be applied to security in computing and networking systems, where it maintains the proper state of the system by detecting misbehavior of any component while keeping the false-positive rate low. The natural human immune system (HIS) is highly complex and precisely tuned to the problem of detecting and eliminating infections. In the natural immune system every cell that does not belong to the body is referred to as non-self or foreign, and a cell of the body as self.
In summary, when a foreign cell enters the body, the immune system recognizes it from its structure and from the chemical binding between an immune cell and the foreign cell. The immune cell, called a lymphocyte, has hundreds of identical receptors that bind to the surface of the pathogen; the binding is chemical and electrostatic. The surface of a pathogen carries proteins called antigens and, similarly, that of immune cells carries antibodies. Antibodies are generated in the bone marrow and are first processed for self tolerance, where all antibodies that bind self cells are destroyed, so that they cannot attack the body's own cells [9]. The HIS has many properties [11] (diversity, being distributed and dynamic, error tolerance, the ability to self-monitor, and adaptability) that can help improve artificial systems. Certain unique qualities of natural immune systems (robustness, adaptivity and autonomy) result directly from these properties and are currently not available in most artificial systems. Hofmeyr and Forrest [11] discuss the properties and the resulting characteristics of immune systems in detail. In the next section we discuss the implementation of node-misbehavior detection at the network layer for the case in which a malicious node forwards route request packets but does not forward data packets. We use the mapping between HIS and AIS elements proposed by Boudec and Sarafijanovic in [3] and improve upon the detection phase.

IV. IMPLEMENTATION

Since the AIS is modeled on the HIS, the first task in designing it is to map HIS elements to activities in the MANET. As we use the Dynamic Source Routing (DSR) protocol and capture nodes' activity in the MANET, each element of the MANET and each DSR protocol event at a node is mapped onto an HIS element. The quality of this mapping determines the accuracy of the AIS detection process.
One of the key design challenges of an AIS is to define a suitable set of efficient genes [2]. Genes form the basis for deciding whether a node misbehaves. The genes of a node in a MANET can be thought of as a description of the behavior that the node observes in its neighbors and in the network. Based on the description of AIS and HIS in [3], we summarize the correspondence between the two in Table 1.

Table 1: Correspondence of HIS and AIS terms

HIS element                          MANET element
Body                                 The entire mobile ad hoc network
Self cells                           Well-behaving nodes
Non-self cells                       Misbehaving nodes
Gene                                 Number of sub-patterns in a sequence of protocol events
Antigen                              Sequence of genes
Antibody                             Pattern of the same form as an antigen (randomly generated)
Chemical binding                     Matching function (binding of antigen with antibody)
Bone marrow (protected environment)  Network with certified nodes that do not misbehave
Negative selection                   Negative selection block

Antigen mapping

An antigen is represented as a pattern of observed protocol events [3]. Event patterns and their timing describe the behavior of a node, and the goal is to find out whether this behavior is wrong. The protocol events of each neighbor are captured in time intervals of Δt seconds (10 s in our experiments). For a monitored node one data set consists of the protocol events recorded during one interval, limited to a maximum of Ns events per data set (Ns = 40). The collected data sets are then transformed. The first step maps protocol events to a finite set of primitives, each identified by a symbol [3]. For the simulation we use the primitives of Boudec and Sarafijanovic [3]; they denote the events generated at the monitored node when it handles packets originating at other nodes.
a = RREQ sent
b = RREP sent
c = RERR sent
d = DATA packet sent
e = RREQ received
f = RREP received
g = RERR received
h = DATA packet received

Using these primitives the collected data set is represented as a sequence of symbols [3], for example

L1 = (eeaeeeaeebeaeehdhdh, hdhdhdhdhdhdhdhdhdh, ...).

In the second step genes are defined [3]; genes are used for matching. We use the following list from [3]:

Gene 1 = NUM(e) in sequence
Gene 2 = NUM(e*(a+b)) in sequence
Gene 3 = NUM(h) in sequence
Gene 4 = NUM(h*d) in sequence

where NUM("string") is the number of occurrences of "string" in a sequence such as L1, and * stands for zero or one occurrence of an arbitrary symbol. For example, NUM(h*d) is the number of occurrences of the expression h*d, i.e. an h followed by a d with at most one arbitrary symbol in between, so each matched string has length two or three. Thus the sequence L1 above maps to antigens consisting of four genes each:

L2 = ({10, 4, 3, 2}, {0, 0, 10, 9}, ...)
   = ({Gene 1, Gene 2, Gene 3, Gene 4}, {Gene 1, Gene 2, Gene 3, Gene 4}, ...)

Genes capture correlations between protocol events [3]. In normal DSR operation the values of genes 1 and 2 are correlated, as are the values of genes 3 and 4 [3]; in the case of misbehavior these correlations change. In the final step of the mapping, each gene value is encoded on N bits (N = 10) [3]. The range of gene values below a threshold is divided into N equal intervals, numbered sequentially from 1 upward. For a gene value below the threshold, the number of the interval into which the value falls gives the position, counted from the right, of the single bit that is set to 1 in the N-bit pattern; all other bits are 0. Gene values above the threshold are encoded as if they belonged to the last interval (Figure 1).
For example, with N = 10 and a threshold of 19 for all four genes (intervals of width 1.9, the tick marks of Figure 1), L2 is mapped to L3 as follows.

Figure 1: Conversion of an antigen into a 0/1 string (interval boundaries at 1.9, 3.8, ..., 19; the gene values 10, 4, 3 and 2 of the first antigen in L2 are marked).

L3 = ({0000100000, 0000000100, 0000000010, 0000000010}, {0000000000, 0000000000, 0000100000, 0000010000}, ...)

Figure 2: Complete AIS (block diagram of the functional blocks of the modified AIS present at every node).

In every Δt interval we obtain one such antigen (L3) for each monitored (neighboring) node. Every bit in this representation is called a nucleotide.

Antibody representation

After the mapping [3], the antibody generation function and the matching function are created. The functionality of the bone marrow [9, 13] is implemented by the antibody generation function. The basic difference between antigen and antibody is that an antigen has at most one nucleotide set to 1 per gene, whereas an antibody may have more than one nucleotide set to 1 per gene [3]. For example:

L4 = ({1010100011, 0001101100, 1100100010, 0110001010}, ...)

Matching function

An antibody matches an antigen if the antibody has a 1 in every position where the antigen has a 1 [3, 14]. This allows the detection system to cover a large set of possible non-self antigens with a relatively small number of antibodies. Antibodies are created randomly. After generation, each antibody is passed through negative selection [12, 13, 14]: antibodies that match any self antigen are deleted. For example:

Antibody1 = {1010100011, 0001101100, 1100100010, 0110001010}
Antibody2 = {1010111000, 0101100100, 1010101010, 0110101110}
Self antigen = {0000001000, 0000100000, 0000001000, 0000000100}

Antibody2 has a 1 in each of the four positions where the self antigen has a 1, so it matches the self antigen and is deleted during negative selection; Antibody1 does not match (its first gene has a 0 where the self antigen has its 1) and is kept for detection. The above concepts are used in the design of the artificial immune system.
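The mapping of Section IV (event sequence to genes, genes to N-bit nucleotide strings) together with the matching function and negative selection, as an added worked example in Python; it is not part of the original paper or of its ns-2 simulation. The threshold is taken as 19 (interval width 1.9, the tick marks of Figure 1), which is the value that reproduces the L3 bit strings above; the regular expressions are an assumed reading of the "*" notation (zero or one arbitrary symbol) with occurrences counted left to right without overlap, and the data sets and antibodies are the ones quoted in the text.

```python
"""Antigen mapping, antibody matching and negative selection of the AIS in
Section IV.  Added example (not the paper's ns-2 code); the constants
reproduce the L1/L2/L3 and Antibody1/Antibody2 examples of the text."""
import re

N = 10          # nucleotides (bits) per gene
THRESHOLD = 19  # top of the last interval; interval width is THRESHOLD / N = 1.9

# Primitives: a RREQ sent, b RREP sent, c RERR sent, d DATA sent,
#             e RREQ received, f RREP received, g RERR received, h DATA received.
def genes(seq):
    """The four genes of [3] for one data set.  '*' in the gene definitions is
    zero or one arbitrary symbol, so e*(a+b) is the regex e.?[ab] and h*d is
    h.?d (assumed reading); occurrences are counted left to right, non-overlapping."""
    return (seq.count("e"),
            len(re.findall(r"e.?[ab]", seq)),
            seq.count("h"),
            len(re.findall(r"h.?d", seq)))

def encode_gene(value, threshold=THRESHOLD):
    """Map one gene value to an N-bit string with a single 1.  (0, threshold]
    is split into N equal intervals numbered 1..N from the bottom; interval k
    sets bit k counted from the right.  Values above the threshold fall into
    the last interval; a value of 0 lies in no interval and sets no bit."""
    if value <= 0:
        return "0" * N
    k = min(N, -(-value * N // threshold))   # ceil(value * N / threshold)
    return format(1 << (k - 1), f"0{N}b")

def antigen(seq):
    """Full mapping: event sequence -> four-gene antigen as bit strings."""
    return [encode_gene(v) for v in genes(seq)]

def matches(antibody, antigen):
    """Matching rule of [3]: the antibody has a 1 wherever the antigen has a 1."""
    return all((int(ab, 2) & int(ag, 2)) == int(ag, 2)
               for ab, ag in zip(antibody, antigen))

def negative_selection(candidates, self_antigens):
    """Self tolerance: discard every antibody that matches any self antigen."""
    return [ab for ab in candidates
            if not any(matches(ab, s) for s in self_antigens)]

def detect(detectors, antigen):
    """Detection phase: an antigen is non-self if any detector matches it."""
    return any(matches(ab, antigen) for ab in detectors)

# Data sets L1 quoted in the text: RREQ traffic followed by data forwarding,
# then a data set of pure data forwarding.
L1 = ["eeaeeeaeebeaeehdhdh", "hdhdhdhdhdhdhdhdhdh"]
ANTIBODY1 = ["1010100011", "0001101100", "1100100010", "0110001010"]
ANTIBODY2 = ["1010111000", "0101100100", "1010101010", "0110101110"]
SELF_ANTIGEN = ["0000001000", "0000100000", "0000001000", "0000000100"]

if __name__ == "__main__":
    for seq in L1:
        print(seq, genes(seq), antigen(seq))
    print("kept after negative selection:",
          negative_selection([ANTIBODY1, ANTIBODY2], [SELF_ANTIGEN]))
```

Running the block prints the gene tuples (10, 4, 3, 2) and (0, 0, 10, 9) and their L3 encodings, and keeps only Antibody1; the negative-selection step is what makes a later `detect` call on a self antigen return False by construction.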
The block diagram with all the functional blocks that jointly build our modified AIS is shown in Figure 2. This AIS is present at every node.

V. WORKING OF THE AIS

First of all, every node in the MANET is equipped with the AIS. The working of the AIS [3] can be understood in the following phases.

Learning phase: When a new node (equipped with the AIS) enters the MANET it knows nothing about normal behavior or misbehavior in the network, so it starts its AIS with a self-learning phase. In this phase the node observes antigens derived from the protocol events of its neighboring nodes and collects self antigens until a defined number has been reached; it then enters the detection phase.

Detection phase: In this phase the node continues to observe antigens and to update its self examples, in addition to performing detection. Once a node enters the detection phase it remains there. The node saves its system state (the self antigens) and uses this information to enter the detection phase directly if it rejoins after a period of absence. It continuously observes the routing protocol events of all its neighbors (the events listed in Section IV) and records them in time slots of Δt seconds. The protocol events collected for one neighbor during one slot are converted into an antigen, which represents the current behavior of that neighbor.

Handling the danger signal (DS): the proposed modification

The destination node sends an acknowledgement to the sender after receiving the complete data packet. When a node experiences loss of a packet it sent (absence of the acknowledgement), it generates a danger signal. The packet loss is regarded as damage to the protected system (the MANET). The DS is sent over the route on which the packet loss occurred and is received by all nodes within radio range.
In our proposed technique for proper handling of the DS, each node receives the danger signal and passes it to the bone marrow block. The randomly generated antibodies in the bone marrow are exposed to the DS and to the corresponding antigen collected from the network. Those antibodies that resemble (to any extent) the collected non-self antigens are stored for detection. In this way we obtain detectors (antibodies) that closely resemble some misbehavior pattern, which reduces the chance of false positives. The clonal selection process further enhances the effectiveness of the generated antibodies.

VI. RESULTS AND DISCUSSION

To simulate misbehavior, the misbehaving nodes were made to randomly drop packets of all types they receive, with a dropping probability higher than the forwarding probability. The network was then simulated with AIS-enabled nodes. Table 2 shows the number of misbehaving nodes detected (including false positives) with the different approaches, and Table 3 the number of false positives; Figures 3 and 4 plot the same data.

Table 2: Misbehavior detection (including false positives) using the different approaches

Total no. of nodes   Detected without    Detected with       Detected with clonal
(misbehaving)        clonal selection    clonal selection    selection (enhancement)
5 (3)                4                   3                   4
10 (6)               7                   5                   5
20 (12)              7                   9                   10
40 (15)              11                  13                  15
60 (20)              15                  18                  20

Table 3: False positive detections using the different approaches

Total no. of nodes   False positives     False positives     False positives with clonal
(misbehaving)        without clonal sel. with clonal sel.    selection (enhancement)
5 (3)                3                   1                   0
10 (6)               3                   0                   0
20 (12)              2                   1                   1
40 (15)              4                   1                   1
60 (20)              5                   2                   0

Figure 3: Misbehavior detection using the different approaches.

The first approach does not use clonal selection [4] for misbehavior detection. Since the purpose of clonal selection is to refine an antibody and bring it closer to the (non-self) antigen that results from misbehavior, a system without it loses detection strength. In the second approach clonal selection [4] is used.
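The bone-marrow stage of Section V with the danger signal passed into it, as an added example in Python; it is not the paper's ns-2 implementation. Antigens are taken as already encoded, each gene being a 10-bit mask whose bit k-1 is set for interval k of the Section IV encoding (so the string 0000100000 is the integer 32); SELF and DANGER are constructed antigens. The clonal selection step is a simplified, deterministic form assumed here (each clone carries one mutation that sets an antigen bit the parent still lacks, and clones that would match self are discarded); the paper's own clonal selection follows [4], which this block does not reproduce.

```python
"""Bone marrow of the modified AIS (Section V): random antibodies pass
negative selection, are exposed to the antigen collected where a danger
signal was raised, and the survivors are refined by clonal selection.
Added example, not the paper's ns-2 code.  Genes are 10-bit masks."""
import random

N, GENES = 10, 4

def matches(antibody, antigen):
    """Matching rule of [3]: the antibody covers every 1 bit of the antigen."""
    return all((ab & ag) == ag for ab, ag in zip(antibody, antigen))

def affinity(antibody, antigen):
    """Number of antigen bits the antibody covers; resemblance 'to any
    extent' (Section V) is affinity > 0."""
    return sum(bin(ab & ag).count("1") for ab, ag in zip(antibody, antigen))

def survives(antibody, self_antigens):
    """Negative selection: true if the antibody matches no self antigen."""
    return not any(matches(antibody, s) for s in self_antigens)

def clonal_refine(antibody, danger, self_antigens):
    """Simplified clonal selection (assumption, not [4]): every clone sets one
    danger-antigen bit the parent lacks; clones that would match self are
    discarded; the clone with the highest affinity becomes the next parent,
    until no clone can be formed.  Each accepted clone raises the affinity
    by one, so the loop ends after at most N*GENES rounds."""
    current = antibody
    while True:
        clones = []
        for g in range(GENES):
            missing = danger[g] & ~current[g]
            for bit in range(N):
                if missing >> bit & 1:
                    clone = list(current)
                    clone[g] |= 1 << bit
                    clone = tuple(clone)
                    if survives(clone, self_antigens):
                        clones.append(clone)
        if not clones:
            return current
        current = max(clones, key=lambda c: affinity(c, danger))

def build_detectors(self_antigens, danger_antigens, n_candidates=40, seed=7):
    """Antibody generation with the danger signal handled in the bone marrow.
    danger_antigens are the antigens collected for nodes on the route where
    the packet loss (missing acknowledgement) occurred."""
    rng = random.Random(seed)
    detectors = []
    for _ in range(n_candidates):
        ab = tuple(rng.getrandbits(N) for _ in range(GENES))   # random antibody
        if not survives(ab, self_antigens):                    # negative selection
            continue
        # DS exposure: keep only antibodies that resemble, to any extent,
        # an antigen collected where the danger signal was raised.
        targets = [d for d in danger_antigens if affinity(ab, d) > 0]
        if not targets:
            continue
        target = max(targets, key=lambda d: affinity(ab, d))
        detectors.append(clonal_refine(ab, target, self_antigens))
    return detectors

def detect(detectors, antigen):
    return any(matches(d, antigen) for d in detectors)

# Constructed antigens, already encoded.  SELF is the normal node with genes
# {10, 4, 3, 2} from the text.  DANGER is the node on the lossy route: many
# RREQs and DATA packets received, none sent (genes {10, 0, 10, 0}), the
# black-hole pattern of Section II.
SELF = (1 << 5, 1 << 2, 1 << 1, 1 << 1)
DANGER = (1 << 5, 0, 1 << 5, 0)

if __name__ == "__main__":
    dets = build_detectors([SELF], [DANGER])
    print(len(dets), "detectors; danger detected:", detect(dets, DANGER),
          "; self flagged:", detect(dets, SELF))
```

Every detector returned by `build_detectors` passes negative selection and shares at least one bit with the danger antigen before refinement; after refinement the detectors that could absorb all of DANGER's bits without matching SELF detect the black-hole antigen, while SELF is never flagged, because survival against the self set is checked for every clone.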
The second approach therefore gives better results than the first. Our approach improves upon the second approach [3] by using the danger signal in the bone marrow, with the objective of refining antibodies at generation time: in the bone marrow every randomly generated antibody then closely resembles some antigen that could harm the network, and clonal selection refines these antibodies further. We thus obtain antibodies that are more effective than those generated by the plain bone marrow, and fewer false positives than with either of the two approaches above. Figure 4 plots the false-positive detections of all three approaches. The approach without clonal selection has the highest false-positive rate, and our approach the lowest.

Figure 4: False positive detection using the different approaches.

VII. CONCLUSION

We have discussed the results of several approaches to misbehavior detection based on the AIS concept. We conclude first that misbehavior detection using an AIS with clonal selection gives acceptable results. With the proposed enhancement of the existing technique the number of false positives is lower and the total number of detected misbehaving nodes is higher. The experiments lead to the conclusion that the capability of the AIS can be enhanced by proper handling of the danger signal generated in the network.

REFERENCES

[1] D. Remondo, "Tutorial on Wireless Ad Hoc Networks," in Proc. HetNets '04, 2004.
[2] L. N. de Castro and J. I. Timmis, Artificial Immune Systems: A New Computational Intelligence Approach, Springer-Verlag, 2002, p. 357.
[3] J. L. Boudec and S. Sarafijanovic, "An Artificial Immune System Approach to Misbehavior Detection in Mobile Ad-Hoc Networks," in Proc. Bio-ADIT, 2004, pp. 96-111.
[4] Y. Yu and C. Z. Hou,
"A Clonal Selection Algorithm by using Learning Operator,” in Proc. Third International Conference on Machine Learning and Cybernetics, 2004, pp. 2924-2929. [5] “The network simulator - ns-2”, Internet: http://www.isi.edu/nsnam/ns/, [August 15, 2011]. [6] R. Ford and M. Howard. “Security in Mobile Ad Hoc Networks,” IEEE Security & Privacy, vol. 6, no. 2, pp. 72-75, 2008. [7] K. Liu, J. Deng, P. K. Varshney, and K. Balakrishnan. “An Acknowledgment-based Approach for the Detection of Routing Misbehavior in MANETs,” IEEE Tans. Mobile Computing, vol. 6, no. 5, pp. 536-549, May 2007. [8] J.R. Al-Enezi, M.F. Abbod, S. Alsharhan. “Artificial Immune System – Models, Algorithms and Applications”, Int. J. Research and Reviews in Applied Sciences, vol. 3, no. 2, pp. 118-131, May 2010. [9] W. E. Paul, “The Immune System: An Introduction,” in Fundamental Immunology, 3rd Ed., W. E. Paul, Ed., Raven Press Ltd, 1993. [10] H. Xie, Z. Hui, “An Intrusion Detection Architecture for Ad hoc Network based on Artificial Immune System,” In Proc. PDCAT'06, 2006. [11] S. A. Hofmeyr and S. Forrest “Architecture for an Artificial Immune System”, Evolutionary Computation, vol. 7, no.1, pp.45-68, 2000. [12] Ayara, M., Timmis, J, de Lemos, R., and Duncan, R. (2002) “Negative Selection: How to Generate Detectors”, 2002 ICAIS, 89-98. [13] Zhou Ji, Dipankar Dasgupta, “Revisiting Negative Selection Algorithms “Evolutionary Computation” 15(2): 223-251, 2007 Massachusetts Institute of Technology. [14] J. Kim and P.J. Bentley. Evaluating Negative Selection in an Artificial Immune Systemfor Network Intrusion Detection: Genetic and Evolutionary Computation Conference 2001, (GECCO-2001), San Francisko, pp. 1330-1337, July 7-11.