Illustration, Detection & Prevention of Sleep Deprivation Anomaly in Mobile Ad Hoc Networks

MANETs (Mobile Ad Hoc Networks) have applications in various walks of life, from rescue operations to battlefield operations, personal and commercial. However, routing operations in MANETs are still vulnerable to anomalies and DoS (Denial of Service) attacks such as sleep deprivation. In an SD (Sleep Deprivation) attack, a malicious node exploits the vulnerability in the route discovery function of a reactive routing protocol, for example AODV (Ad Hoc On-Demand Distance Vector). In this paper, we first illustrate the SD anomaly in MANETs and then propose an SD detection and prevention algorithm which efficiently deals with this attack. We assess the performance of our proposed approach through simulation, evaluating its success using different network scenarios.


INTRODUCTION
MANET routing protocols can be divided mainly into two types: proactive and reactive routing protocols. Reactive routing protocols are most commonly used by the research community to analyze and assess various security vulnerabilities in MANETs. MANET operations at the MAC and network layers are vulnerable to various attacks [1]. SD is a severe DoS attack that can bring the entire network down. It exploits the vulnerabilities of the route discovery procedure of the routing protocol to force victim nodes to power consuming sleep mode. In this paper, we extend our previous initial work on DoS detection [2] by including an in-depth analysis of the SD anomaly, its detection and prevention. We first illustrate different ways of launching this attack and then propose an SD Detection Algorithm which efficiently deals with SD attack. We implement and assess the performance of our proposed approach through simulation. The rest of the paper is arranged as follows: we illustrate the SD attacks in MANETs in detail in section 2. In section 3 we include a brief literature review of the related work. After that, we propose the point detection algorithm that deals with SD attack in section 4. Then, we present the implementation of the proposed algorithm and the results which evaluate its success using different network scenarios in section 5. Finally, we summarize the work and highlight the future research in section 6.

ILLUSTRATION OF SLEEP DEPRIVATION ANOMALY
SD is a major threat for MANETs. In this attack the attacker forces nodes to process unnecessary packets to cause congestion in the network and drain the batteries of the nodes. We use AODV as an example to describe in detail the ways this anomaly can be introduced in the network and to illustrate weaknesses in some previously proposed protection mechanisms.

Fig. 1

• Because nodes v2, v1, v5 and v9 do not have the route for node v25, they will also broadcast the RREQ initiated by the intruder.
• Nodes which receive RREQs from v2, v1, v5 and v9 will first check that they have not already processed these requests and then broadcast the request further.
• This process will continue because no nodes know the route for this node.

node will drain their batteries.

[5] sent and compare it with the discard limit to detect flooding. In [6] the authors describe ways through which an attacker can drain the batteries of wireless devices such as PDAs and notepads in a mobile computing environment. In an experiment they measure the battery life of notepads and PDAs under this attack and conclude that this attack drains their batteries more quickly and shortens the battery life drastically. They then propose the power secure architecture with the aim of defending against these attacks by guaranteeing a minimum battery life even when the device is under attack. The architecture employs two features in a system: energy signature monitoring and multilayer authentication. In [7] the authors have investigated the impact of malicious flooding on the QoS (Quality of Service) of a MANET through analyzing the throughput in a simulation-based study. In another example, Yu and Ray [8] have described SD attacks through two types of injecting traffic attack in ad hoc networks: query flooding and injecting data packets. They investigated query flooding and injecting data packets attacks from the attacker's point of view and theoretically analyzed the probability of cases where the attacker can successfully launch these attacks without being detected. Then, assuming nodes can authenticate each other through public keys, they propose query flooding attack detection using a neighbor monitoring mechanism.

SLEEP DEPRIVATION DETECTION AND PREVENTION
Model Assumptions: We note that anomaly detection requires data from normal activities to build a training profile. We can find such resources for fixed networks, for example in [9], but data resources reflecting normal activities of MANET applications are not available. Therefore, we assume that the initial behaviour of the network is free from anomalies. To illustrate the implementation of the detection algorithm, we also assume that the MANET is organized in clusters. We select the most capable node in terms of its processing abilities and lowest mobility ratio as the CH (Cluster Head) and the other nodes become CNs (Cluster Nodes). Only the CH is assumed to perform the processing required by the algorithm. We assume a threshold-based cryptography mechanism such as [10][11] can be used to protect communication between the CH and CNs.

Overview of SD Detection Algorithm
The   Equation (1) is the specific form of the test applied to SD Detection Algorithm, in which X i k the observed is and is the expected value of the k th variable from ITP for TI i. Chi-computed is calculated through Equation (1).
The CH performs hypothesis testing by setting the null

We then perform the intruder identification using a variable control chart. We use a control chart based on the standard deviation σ to identify the intruding node because of its very low computational overhead. We calculate the σ of the number of RREQs generated by all nodes, then set the CL (Control Line), UCL (Upper Control Limit) and LCL (Lower Control Limit). We choose 3σ limits because the literature suggests that for a normal distribution 99.7% of the observations lie within ±3σ limits, and from some initial simulations we learn that this limit of ±3σ keeps the false identification rate to its minimum value. We conclude node Vi to be an intruder if it generates more RREQs than the UCL. If any node Vi is detected more than d times in a test sliding window of p intervals then the CH blacklists (BL) the node and sends all CNs an AP (Accusation Packet). The CH sends the AP using limited broadcast with a very low TTL value, i.e. TTL=2.
A CN first avoids processing a duplicate AP by checking the broadcast id and source address of the packet. All CNs maintain a BLT (Blacklist Table) which contains the entries of current BL nodes in the network. The CN checks its BLT and, in case the node is already blacklisted, the CN will ignore and drop the AP to prevent unnecessary network traffic. Otherwise, the accused node will be blacklisted by the CN. At the end, all nodes isolate the intruder from the network. We update the training profile in case of no intrusion using an EWMA (Exponentially Weighted Moving Average) as given in Equation (2):

represents the expected and observed value for update period number q respectively. The value of q starts at one at the start of the simulation and is incremented for each TI when no intrusion in the MANET is detected. K represents the random variable from 1 to M and β=2/(q-1) is the weighting factor.

In  clusters. It can be seen from the graphs that the gap between the success and false positive rates of our approach is wide, and the minimum value of the difference between success and false positive rate at a certain mean speed of the nodes is 70%, which shows the effectiveness of our approach. The time taken by any protection mechanism to detect and prevent an attack is another essential parameter.
Since we choose three detections in a TSW of size 5 TIs to accuse a node, any accusation takes a minimum of 300 seconds. In situations where detection and prevention time is critical, the network administrator can reset the size of the TI by reducing it and the algorithm will adapt accordingly. In Fig. 6

When we compare our algorithm's performance with the method proposed by Yu et al. [10], our detection rate is slightly better and, in contrast with their strategy, our algorithm reduces the false alarm rate to a maximum of 5%. Our algorithm manages to reduce 40% of the control packet overhead caused by the malicious RREQs, which is not considered in [10].
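The intruder-identification and accusation steps described in the algorithm overview can be sketched as follows. This is an added example, not the authors' implementation: the class and function names, the node names, the 25-node cluster and the RREQ counts are constructed for illustration, σ is taken as the population standard deviation over the nodes in the chart, and an accusation fires at three detections within a TSW of five TIs, the setting stated above.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

P_INTERVALS, D_DETECTIONS = 5, 3   # TSW size in TIs; detections that trigger an accusation

def over_ucl(rreq_counts):
    """Nodes whose RREQ count for one TI exceeds UCL = CL + 3*sigma."""
    values = list(rreq_counts.values())
    if not values:
        return set()
    ucl = mean(values) + 3 * pstdev(values)   # CL is the mean over all charted nodes
    return {node for node, count in rreq_counts.items() if count > ucl}

class ClusterHead:
    def __init__(self):
        self.windows = defaultdict(lambda: deque(maxlen=P_INTERVALS))
        self.blacklist = set()

    def process_interval(self, rreq_counts):
        """Feed one TI of per-node RREQ counts; return newly accused nodes.
        Assumption: nodes already blacklisted are left out of the chart."""
        active = {n: c for n, c in rreq_counts.items() if n not in self.blacklist}
        flagged = over_ucl(active)
        for node in active:
            self.windows[node].append(node in flagged)
        accused = [n for n in active if sum(self.windows[n]) >= D_DETECTIONS]
        self.blacklist.update(accused)
        return accused

class ClusterNode:
    def __init__(self):
        self.seen_aps = set()   # (source address, broadcast id) of APs already handled
        self.blt = set()        # Blacklist Table
    def on_accusation(self, source, broadcast_id, accused):
        if (source, broadcast_id) in self.seen_aps:
            return "duplicate"
        self.seen_aps.add((source, broadcast_id))
        if accused in self.blt:
            return "dropped"    # already blacklisted: ignore the AP
        self.blt.add(accused)
        return "blacklisted"

def run_demo():
    """Constructed sample: 25 nodes; hypothetical node n7 floods in TIs 1, 2 and 4."""
    ch, results = ClusterHead(), []
    for flooding in (False, True, True, False, True):
        counts = {f"n{i}": 60 if flooding and i == 7 else 4 + i % 3 for i in range(1, 26)}
        results.append(ch.process_interval(counts))
    return results
```

Because σ is computed over the same nodes that are being tested, a single flooder cannot exceed the UCL in a cluster of ten or fewer nodes, whatever its RREQ rate, since one value can lie at most √(n−1) population standard deviations from the mean.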

CONCLUSION
MANET routing protocols are vulnerable to DoS attacks, such as sleep deprivation. In this paper, we have focused on protecting MANETs from DoS attacks. We have first illustrated how DoS attacks can be launched in MANETs.
We then test the use of control chart only to protect against these attacks. We find out that this method based on static threshold similar to the one proposed is not