A study on the prevention of sniffing nodes in mobile ad hoc networks

Transcription

1 SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2011; 4: Published online 26 July 2010 in Wiley Online Library (wileyonlinelibrary.com)..222 RESEARCH ARTICLE A study on the prevention of sniffing nodes in mobile ad hoc networks Ming-Yang Su 1 and Sheng-Cheng Yeh 2 1 Department of Computer Science and Information Engineering, Ming Chuan University, Taoyuan, Taiwan 2 Department of Computer and Communication Engineering, Ming Chuan University, Taoyuan, Taiwan ABSTRACT Traditionally, a sniffing attack is classified as a passive attack, as it follows all regular protocols without generating any forged messages, simply silently sniffing packets and retrieving valuable information. In mobile ad hoc networks (MANETs), some malicious applications can only work when the resided node is in sniffing mode, and performs the same routing protocol as other normal nodes. This paper proposes a modified Ad hoc On-demand Distance Vector (AODV) routing protocol for the detection and isolation of sniffing nodes in MANETs, so as to prevent such sniffing-based malicious applications. With the proposed protocol, sniffing nodes in MANETs can be found and isolated by their neighboring nodes, ensuring the failure of follow-up attacks. In this study, the NS-2 simulation tool was used to evaluate the designed routing protocol. The results showed that the proposed protocol could effectively detect and isolate sniffing nodes, and would not cause significant network overhead. Copyright 2010 John Wiley & Sons, Ltd. KEYWORDS MANETs; AODV; sniffing-node detection; node isolation; NS-2 (network simulator) * Correspondence Ming-Yang Su, Department of Computer Science and Information Engineering, Ming Chuan University, Taoyuan, Taiwan. minysu@mail.mcu.edu.tw 1. INTRODUCTION Mobile Ad hoc networks (MANETs) are self-organized networks, whose nodes are free to move randomly and are able to communicate with each other without the help of an existing network infrastructure. MANETs are suitable for use in situations where a wired or wireless infrastructure is inaccessible, overloaded, damaged, or destroyed, such as emergency or rescue missions, disaster relief efforts, tactical battlefields, and civilian MANET situations, such as conferences and classrooms. In a MANET, all nodes are mobile and are able to communicate in an arbitrary network topology. The nodes of a MANET behave as routers, and engage in route discovery and route maintenance with each other. Therefore, the routing protocol of a MANET is vital, and several such protocols had been developed in recent years. These routing protocols are divided into two categories: table driven routing protocols and ondemand routing protocols. Ad hoc On-demand Distance Vector (AODV) [1] and Dynamic Source Routing (DSR) [2], belonging to the category of on-demand routing protocols, are highly regarded and widely discussed. However, MANETs have potential problems regarding security; and many researchers continue to suggest security improvements by deploying intrusion detection systems (IDSs) or enhancing routing protocols. This paper proposes a modified AODV routing protocol to find and isolate sniffing nodes which may be operating malicious applications within a MANET. There are many types of attacks in MANETs, and consequently many different methods of counterattack. Generally, a proposed method may only be effective to one kind of attack. Some proposed methods focus on detecting attacks on routing protocols [3--10]. Several are dedicated to a specific type of attack, such as Denial of Service (DoS) attack [11--15], or black hole attack [16]. Ning and Sun [7] analyze the vulnerabilities of AODV routing on path interruptions, intrusions, network resources consumption, and node isolation, and presented potential weakness of AODV control packets, including Route Request (RREQ), Route Reply (RREP), and Route Error (RERR). Sun et al. [3,4] propose methods based on a Markov Chain to detect malicious nodes during route discovery in DSR routing. The authors of Ref. [11] propose a method to mitigate DoS attack. The authors of Ref. [12] offer an approach which works on both the Network layer and Data Link layer in the 910 Copyright 2010 John Wiley & Sons, Ltd.

2 M. Y. Su and S. C. Yeh Mobile ad hoc networks OSI model to deter DoS/DDoS (Distributed DoS) attacks. The authors of Ref. [5,6] use Finite State Machines to design their IDSs. Researchers in Ref. [8] identify some weaknesses of AODV routing protocol, and analyze various approaches to MANET security. The authors of Ref. [13] propose an agent-based IDS in which all nodes of a MANET are divided into several clusters, and each cluster has an IDS detector and an IDS gate. The detector is the cluster head, responsible for performing the detection program and the gate is responsible for communications with other clusters. Other nodes are IDS monitors, which monitor networks and return messages to the detector. The authors of Ref. [14] propose a distributed IDS, in which each node performs an IDS program to collect data for local detection. If a local anomaly is detected, the adjacent nodes are notified to launch global intrusion detection. Some active attack applications working above the Network layer in the OSI model can only succeed after gathering victim or network topology information via passive sniffing. A passive attack, such as sniffing, follows all regular network protocols without generating any forged packets, silently sniffing packets, and retrieving valuable information. Therefore, if illegal sniffing can be detected early, malicious applications resided above the Network layer in the OSI model may be deterred. In this paper, a modification of the AODV routing protocol is proposed, which finds and isolates sniffing nodes in a MANET. The remainder of this paper is organized as follows: second section contains literature reviews, in which the current methods of sniffing-node detection in wired networks are presented; third section describes the proposed routing protocol; fourth section presents the simulation results in NS-2; fifth section gives conclusions. 2. RELATED WORKS REVIEW A sniffing application can only operate when the Network Interface Card (NIC) is set to promiscuous mode, and, in default, the NIC is set to an ordinary mode. A packet can be received by a host through the NIC only when the packet s Media Access Control (MAC) destination address is equal to the NIC s MAC address, otherwise the packet will immediately be dropped by the hardware filter. However, if a NIC is set to promiscuous mode, all packets in the same collision segment will be received by the card, and then sent into the operating system for further processing. There are several techniques for sniffing-node detection in a wired Ethernet [17--21], and most of these techniques can be applied to wireless networks with access points. However, none of them can be applied to MANETs. In this section, several proposed techniques for detecting sniffing nodes in wired networks are introduced, including MAC detection [17,19], Round Trip Time (RTT) detection [19], Domain Name System (DNS) detection [17,19], and load detection [17,19]. Some development tools and source codes can be downloaded from the website in Ref. [20] MAC detection [17,19] MAC detection [17,19] can only be used in the network segment of a Local Area Network (LAN). It detects whether a network card is set to promiscuous mode in order to perform sniffing. Typically, an Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP) packet can be used to carry out MAC detection. By ICMP detection, a spoofed ICMP packet (which is created by stuffing a nonexistent address to the MAC destination address) is sent to a suspicious host. If the suspicious host s NIC is set to ordinary mode, the spoofed ICMP packet will be blocked and dropped by the hardware filter of the network card. However, if the host s NIC is set to promiscuous mode, the hardware filter will not work, and thus, the host will make an illegal response to the spoofed ICMP packet. MAC detection can also be implemented by an ARP packet. In addition to the hardware filter in a NIC, there is a software filter in the operating system, which is used to filter some special MAC addresses. Therefore, a spoofed packet has to pass through two filtrations (i.e., hardware filter and software filter) to result in a response. The software filters of different operating systems have distinct checking principles. In order to inspect the amount of bits of a MAC address by a software filter, a list of MAC addresses for ARP requests can be used as follows: 1. FF:FF:FF:FF:FF:FF Broadcast address (Br): correct broadcast address, generally for normal ARP request. 2. FF:FF:FF:FF:FF:FE fake Broadcast address (B47): fake broadcast address, the last bit is 0 and the other 47 bits are 1, used to check whether software filter inspects all the bits. 3. FF:FF:00:00:00:00 fake Broadcast 16 bits (B16): fake broadcast address, used to check whether software filter only inspects the first 2 bytes. 4. FF:00:00:00:00:00 fake Broadcast 8 bits (B8): fake broadcast address, used to check software filter only inspects the first byte. 5. F0:0:00:00:00:00 fake Broadcast 4 bits (B4): fake broadcast address, used to check whether software filter only inspects the first 4 bits :00:00:00:00:00 Group bit address (Gr): cluster is set by 1, used to check whether the address is regarded as a multicast address by Linux :00:5E:00:00:00 multicast address 0 (M0): M0 is not commonly used, used to check whether an unregistered multicast address in NIC is received :00:5E:00:00:01 multicast address 1 (M1): in the Local Area Network, all hosts must receive the M1 packet :00:5E:00:00:02 multicast address 2 (M2): M2 is transmitted to router, used to check whether an unregistered multicast address in NIC is received :00:5E:00:00:03 multicast address 3 (M3): M3 is not used, here used to check whether an unregistered multicast address in NIC is received. Security Comm. Networks 2011; 4: John Wiley & Sons, Ltd. 911

3 Mobile ad hoc networks M. Y. Su and S. C. Yeh Table I. Response to fake ARP request in different operating systems [19]. Operating systems Windows XP Windows Me/9x Windows 2k/NT Linux 2.4x FreeBSD 5.0 Hardware addresses Norm. Prom. Norm. Prom. Norm. Prom. Norm. Prom. Norm. Prom. FF:FF:FF:FF:FF:FF Br O O O O O O O O O O FF:FF:FF:FF:FF:FE B47 - X - X - X - X - X FF:FF:00:00:00:00 B16 - X - X X X - X - X FF:00:00:00:00:00 B X X - X 01:00:00:00:00:00 Gr X - X 01:00:5E:00:00:00 M X - X 01:00:5E:00:00:01 Ml O O O O O O O O O O 01:00:5E:00:00:02 M X - X 01:00:5E:00:00:03 M X - X O, legal response; X, illegal response; -, no response. The authors of Ref. [19] tested various operating systems and the results are shown in Table I. For the ordinary mode of a NIC, all the operating systems make a correct response to Br and M1. For the promiscuous mode of a NIC, Windows 98 and Me make an illegal response to B47, B16, and B8 (should not make any response), which shows that their software filters only check the first byte; that is, B47, B16, and B8 can be used to inspect whether a NIC in Windows 98 or Windows Me is set to promiscuous mode. Windows 2000 and NT make an illegal response to B47 and B16, showing that their software filters only inspect the first 2 bytes. However, since Windows 2000/NT also make an incorrect response to B16 when the NIC is set to ordinary mode, B16 cannot be used to inspect whether a NIC in Windows 2000 or NT is set to promiscuous mode, and thus only B47 can be used for inspection. Windows XP makes an illegal response to B47 and B16, thus, both of them can be used to inspect the NIC mode in a Windows XP system. Linux 2.4x and Free BSD 5.0 can make an illegal response to any fake MAC address if the NIC is in promiscuous mode, thus, a fake MAC address can be used to inspect the NIC mode in Linux 2.4x and Free BSD Round trip time (RTT) detection [19] RTT is the time taken by a packet sent to a host to complete a round trip, that is, the time that a packet takes to reach the destination, plus the time that a response takes to reach the source. The authors of Ref. [19] predict that RTT may increase when a host sets its NIC to promiscuous mode, because it receives all packets, even those not destined for it. In RTT detection, a benchmark database must first be collected in the training stage. The request packets are sent to designated hosts, with different operating systems and NICs set to ordinary mode, and responses are timed, to count RTTs. Thus, average deviation and standard deviation of RTTs, as well as change percentage, can be obtained. This measure is repeated as the NICs are changed to promiscuous mode. The collected RTT samples in the training stage describe two different clusters, a cluster based on ordinary mode and a cluster based on promiscuous mode. In order to display the statistical difference between the average values of the two clusters, a Z statistical model [19] is adopted. As in the test stage, the system administrator must first use a tool, such as Nmap [22], to check which operating system is installed in the suspicious host, and then send some request packets to the suspicious host to measure the corresponding RTTs. Two Z statistical values can be calculated. One is called Z statistical value based on the ordinary mode (Z1 for short), and the other is the Z statistical value based on the promiscuous mode (Z2 for short). The Z1 is calculated by two clusters, the RTTs benchmark data related to the specific operating system in the ordinary mode, and the current measured RTTs. The Z2 is calculated by two clusters, the RTTs benchmark data related to the specific operating system in the promiscuous mode, and the current measured RTTs. When Z1 is smaller than Z2, and Z1 is less than a threshold value, the NIC of the suspicious host may set to the ordinary mode. On the other hand, when Z2 is less than Z1, and Z2 is less than the threshold value, the network card may set to the promiscuous mode. The details of Z-statistics can be found in Ref. [19] DNS detection [17] This technology requires the system administer to register the computer that performs the detection as the DNS of a nonexistent IP address. When the computer sends a fake FTP request packet, with the source IP address being a nonexistent address, there are two possibilities in normal: no reverse DNS query if there is no FTP server in the network segment, or one reverse DNS query if there is a FTP server. If more than one reverse DNS query packet returns to the computer, it suggests that there is a sniffing node in the network segment. 912 Security Comm. Networks 2011; 4: John Wiley & Sons, Ltd.

4 M. Y. Su and S. C. Yeh Mobile ad hoc networks Table II. MAC detection results in Ad hoc networks. Operating systems Win XP Win 9X/Me Win NT/2000 Linux 2.6x Hardware addresses Recv. Reply Recv. Reply Recv. Reply Recv. Reply FF:FF:FF:FF:FF:FF Br FF:FF:FF:FF:FF:FE B47 X - X - X - FF:FF:00:00:00:00 B16 X - X - X - FF:00:00:00:00:00 B8 X - X - X - Xxxx0:XX:XX:XX:XX:XX B80 X X X X - 01:00:00:00:00:00 Gr X - X - X - 01:00:5E:00:00:00 M0 X - X - X - 01:00:5E:00:00:01 M1 01:00:5E:00:00:02 M2 X - X - X - 01:00:5E:00:00:03 M3 X - X - X -, Receive/send; X, fail to receive; -, no reply. 3. THE PROPOSED METHOD In MANETs, a radio wave is used to transmit data, which means data are much more easily sniffed than in wired networks. The MAC detection in wired networks works because, when the hardware filter of NIC is disabled in promiscuous mode, different operating systems have different responses to fake ARP or ICMP packets. However, such a detection method cannot be applied to MANETs, as shown in Table II, when a real computer s NIC is switched to Ad hoc and set to promiscuous mode; only the host running a Linux system generates an illegal response to a fake ARP/ICMP request. The other hosts running Windows systems do not receive the fake ARP/ICMP packets, even when their NICs are set to promiscuous mode (as mentioned earlier, except for the hardware filter in NIC, there is a software filter in the operating system). Only when the eighth bit in a MAC address is set to 0 and the other 47 bits are set to either 0 or 1 (B80), can a fake ARP/ICMP be received, but still no response is generated. In other words, MAC detection works in a MANET only if the sniffing node runs a Linux system. Furthermore, RTT detection is not applicable in MANETs due to the mobility of nodes. When a node is moving, or the distance between the source node and the destination node is increased, the RTT may lengthen; however, it does not necessarily show that the node is set to promiscuous mode. Generally, there is no DNS in a MANET, thus, DNS detection is not applicable to MANETs either. Since none of the sniff-node detection techniques in a wired network can be applied to MANETs, this study proposes a modified AODV routing protocol to detect and isolate sniff nodes in a MANET. Most malicious applications working by setting the NIC to promiscuous mode reside in the Session layer or Application layer of the OSI model, because their main goal is to analyze all data packets and retrieve valuable information. If a sniff-based malicious application can work through the Network layer to the Application layer in the OSI model, then it becomes increasingly difficult to counterattack, especially if the designer knows all regular network protocols and defense mechanisms. Even in wired network, if a sniff-based malicious application can send off deliberate forged packets, such as forged ARP/ICMP/MAC/DNS/...,todisturb or mislead detecting mechanisms, most defense approaches will fail. In the attack classification, sniffing attack has been classified as a passive attack, which means that it follows all regular protocols without generating any forged messages, silently sniffing data packets and retrieving valuable information. So, in this paper, the node executing a sniff-based malicious application is assumed to perform the same routing protocol as other normal nodes, without generating forged messages. In the proposed routing protocol, each node checks whether its adjacent nodes are in promiscuous mode. Once a sniffing node is detected, all of its neighboring nodes will work cooperatively to isolate the sniffing node. This study modifies formats of routing messages in the AODV [1] routing protocol. A field, named Ver is added to the packet formats of RREQ, RREP, and RERR, as shown in Figure 1, to discriminate between the proposed routing protocol and other routing protocols for nodes. If a different version of AODV is adopted by a node in a MANET, the other nodes running the proposed protocol will ignore its transmitted routing messages. The proposed AODV-based routing protocol includes a self-detection module, which covers MAC and Network layers. In addition to modifications of RREQ, RREP, and RERR, a new routing message, Promiscuous Mode Detection (PROD), is added, and the format is shown in Figure 2. Each node sends a PROD packet at a fixed time interval to adjacent nodes within one hop, with the Status field stuffed with request. When a node receives the PROD packet, the self-detection module embedded in the routing protocol is used to test its own NIC. If the card is set to promiscuous mode, a PROD packet with the Status field stuffed with promiscuous is responded, otherwise, a PROD packet Security Comm. Networks 2011; 4: John Wiley & Sons, Ltd. 913

5 Mobile ad hoc networks M. Y. Su and S. C. Yeh Figure 1. Message formats of the proposed routing protocol. (a) RREQ, (b) RREP, and (c) RERR. Figure 2. PROD packet format. with the Status field stuffed with normal is responded. When a node receives a PROD from its neighbor with Status field of promiscuous, this neighboring node will be added to the blacklist by the Isolation Module. Figure 3 shows the processing for a received routing message of the proposed routing protocol. Three cases are discussed as follows: 1. Case 1: the message does not belong to the proposed protocol: drops the message. 2. Case 2: the message is one of RREQ, RREP, RERR, and Hello message: sends the message to the Isolation Module for comparison to the blacklist. If it matches, drops the packet; otherwise, transmits it according to the routing protocol. 3. Case 3: the message is a PROD packet: sends the packet to the Isolation Module to update the blacklist if the Status field is stuffed with promiscuous, or drops the packet if the Status field is stuffed with normal. If the Status field is stuffed with request, calls the selfdetection module to interact with the NIC driver in order to obtain the NIC s mode, and then replies with a proper PROD packet. The Isolation Module checks the source and the destination IP addresses of a routing message. If the addresses match any in the blacklist, the packet is dropped. Consequently, the nodes in the blacklist cannot create a route or reside on a route. The isolation of a node on the blacklist can be achieved, as shown in Figure 4. In the figure, the malicious node marked by M, is isolated cooperatively by its neighboring nodes, marked in gray. If there is normal node in the border of a MANET, and its packets can only be transmitted through a sniffing node, the normal node will be isolated outside a MANET as well, as illustrated in Figure 5. The node marked X is a normal node, but it is also isolated with the sniffing node. However, as nodes in MANETs are mobile, the accidental isolation would be resolved naturally by the future movement of nodes. The overall illustration of the proposed protocol is shown in Figure 6. Any node can obtain its adjacent node s information by Hello messages, and then a PROD packet with the Status field stuffed with request is sent to each adjacent node every 5 s to await response. When receiving a PROD Figure 3. Processing for a received routing message. Figure 4. Isolation of a sniffing node by its neighbors. 914 Security Comm. Networks 2011; 4: John Wiley & Sons, Ltd.

6 M. Y. Su and S. C. Yeh Mobile ad hoc networks blacklist and start from empty data. If a node moves out of the MANET for a while, its blacklist is still effective when it returns because its routing protocol still works while leaving, just without neighboring nodes. 4. EXPERIMENTAL RESULTS Figure 5. Accidental isolation of a normal border node. packet, the protocol first checks the Status field. If the Status field is request, the node starts the Self-detection module to check the network card, and makes a response by a PROD packet, in which the Status filed is stuffed with promiscuous or normal, depending on whether the network card is in promiscuous or normal mode. Therefore, when a PROD generates a reply with the Status field stuffed with promiscuous from a neighboring node, the neighboring node is added to the blacklist, and the routes in the routing table involved with this neighboring node are deleted by the Isolation Module. As a node initially enters a MANET or resets the system, according to the protocol, the node has to build its own In this study, NS-2 [23] simulation software was used to evaluate the proposed anti-sniff routing protocol. The environment was set as follows: 30 nodes were randomly distributed within a 600 m 600 m area, every node had a transmission range of 250 m, and each node moved at the speed of m/s in random way point model; 20 of 30 nodes (i.e., 10 pairs) selected at random were connected with User Datagram Protocol (UDP), packet size was 512 bytes, and traffic flow was 2 kb/s; the total simulation time was 1000 s, and the reported value in this section was an average of 10 experiments. The following four experiments present the successful performance of the proposed protocol. 1. Exp. 1: End-to-end delays to number of sniffing nodes and pause times. In the experiment, different situations of 0, 50, 100, and 150 s of pause times, and 0, 2, 4, 6, and 8 sniffing nodes were considered, separately. As shown in Figure 7, the end-to-end delay time of regular AODV is slightly shorter than that of the proposed AODV in Figure 6. System flowchart. Security Comm. Networks 2011; 4: John Wiley & Sons, Ltd. 915

7 Mobile ad hoc networks M. Y. Su and S. C. Yeh Figure 7. End-to-end delay time versus pause time, and comparison with regular AODV. the case of no malicious sniffing nodes (#m node = 0); the delay time has little dependence with pause time, but more dependence on the number of sniffing nodes. This is because the detected sniff nodes are isolated by neighbors that results in many re-searches for new routes. Moreover, the newly established routes have to go around the sniffing nodes, hence, their lengths can be longer than the old routes. 2. Exp. 2: End-to-end delays to number of sniffing nodes and movement speeds. In the experiment, as pause time was fixed at 10 s, different situations of 2, 5, 10, 30, and 50 m/s movement speeds, and 0, 2, 4, 6, and 8 malicious nodes were considered, separately. The endto-end delay times are shown in Figure 8. In this figure, the movement speed has no great effect on the delay time when there are only a few sniffing nodes (#m node = 0 or 2), however, when there are more sniffing nodes (#m node = 4, 6, or 8), the movement speed has obvious effects on delay times. This is because more sniffing nodes are isolated, resulting in longer routes, and possibly quick movements cause more route breaks. 3. Exp. 3: Packet arrival rates to number of sniffing nodes and movement speeds. In the experiment, as pause time Figure 8. End-to-end delay time versus move speed, and comparison with regular AODV. Figure 9. Packet arrival rate versus sniffing node number. was fixed at 10 s, different situations of 10 and 50 m/s movement speeds, and 0, 2, 4, 6, and 8 sniffing nodes were considered, separately. The packet arrival rates are shown in Figure 9. When the number of sniffing nodes increases (#m node = 6 or 8), the rate may lower in the case of movement speed at 50 m/s; however, there is no obvious descent in the case of movement speeds at 2, 5, and 10 m/s. 4. Exp. 4: Path lengths to number of sniffing nodes. This experiment investigated the route length established by Figure 10. Path lengths and comparison with the regular AODV. 916 Security Comm. Networks 2011; 4: John Wiley & Sons, Ltd.

8 M. Y. Su and S. C. Yeh Mobile ad hoc networks the proposed routing protocol, and made a comparison with the regular AODV. The nodes were set to random movement, at a speed of 10 m/s, with no pause (pause time = 0). In 10 experiments, the maximum and minimum path lengths for each case are shown in Figure 10. With the increase of sniffing nodes, the maximum path length increases from 9 hops to 12 hops, but the minimum path has little change, remaining at 2 or 3 hops. We note that the proposed routing protocol cannot coexist with regular AODV in a MANET because they have different message formats and functions. If some nodes are performing the proposed routing protocol, and the other nodes are performing the regular AODV, then the MANET will be separated to two networks. 5. CONCLUSIONS Most malicious applications, by setting NIC to promiscuous mode, work in the Session layer or Application layer in the OSI model, because their primary goal is to sniff all data packets and retrieve valuable information. So, in the attack classification, sniffing attack has been classified as a passive attack since it follows all regular protocols without generating forged messages, silently sniffing packets. In the literature, there are several approaches [17--21] focused on detecting sniffing nodes in wired networks. However, none of them can be applied to wireless MANETs. This study proposes a modified AODV in order to detect and isolate sniffing nodes in ad hoc networks. The proposed AODV-based routing protocol includes a self-detection mechanism, which crosses MAC and Network layers in the OSI model, to report if a node is set to promiscuous mode. Since sniff-based malicious applications usually work above the Network layer, which is also assumed in this study, the proposed routing protocol is effective and secure for detecting sniffing nodes in MANETs. Extended experiments by NS-2 were performed to show its excellent performance. ACKNOWLEDGEMENTS This work was partially supported by the National Science Council with contract NSC E REFERENCES 1. Perkins C, Belding-Royer E, Das S. AD Hoc On-demand Distance Vector (AODV) Routing, RFC3561, Johnson DB, Maltz DA, Hu YC. The Dynamic Source Routing Protocol (DSR) for Mobile AD Hoc Networks for IPv4, RFC 4728, February Sun B, Wu K, Pooch UW. Routing Anomaly Detection in Mobile Ad hoc Networks, In Proceedings of the 12th International Conference on Computer Communications and Networks, pp , Sun B, Wu K, Pooch UW. Towards Adaptive Intrusion Detection in Mobile AD Hoc networks, In Proceedings of the IEEE Global Telecommunications Conference, Vol. 6, pp , Tseng C-Y, Balasubramanyam P, Ko C, Limprasittiporn R, Rowe J, Levitt K. A Specification-based Intrusion Detection System for AODV, In Proceedings of the 1st ACM Workshop on Security of Ad hoc and Sensor Networks, pp , Gwalani G, Srinivasan S, Belding-Royer K, Kemmerer EM, Kemmerer RA. An Intrusion Detection Tool for AODV-based AD Hoc Wireless Networks, In Proceedings of the IEEE International Conference on Computer Security Applications Conference, pp , Ning P, Sun K. How to misuse AODV: A case study of insider attacks against mobile ad hoc routing protocols. Ad Hoc Networks 2005; 3(6): Wang W, Lu Y, Bhargava BK. On Vulnerability and Protection of AD Hoc On-demand Distance Vector Protocol, In Proceedings of the 10th International Conference on Telecommunications, Vol. 1, pp , Yingfang F, Jingsha H, Guorui L. A Distributed Intrusion Detection Scheme for Mobile Ad Hoc Networks, IEEE Computer Software and Applications Conference, Vol. 2, pp , Liu J, Fu F, Xiao J, Lu Y. Secure Routing for Mobile Ad Hoc Networks, Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing Conference, Vo. 3, pp , Wang F, Huang C, Zhao J, Rong C. IDMTM: A Novel Intrusion Detection Mechanism Based on Trust Model for Ad Hoc Networks, In Proceedings of the IEEE 22nd Advanced Information Networking and Applications Conference, pp , Bose S, Kannan A. Detecting Denial of Service Attacks using Cross Layer based Intrusion Detection System in Wireless Ad Hoc Networks, IEEE Signal Processing, Communications and Networking Conference, pp , Trang CM, Kong H-Y, Lee H-H. A Distributed Intrusion Detection System for AODV, IEEE Asia-Pacific Conference, pp. 1--4, Aug Bo S, Osborne L, Yang X, Guizani S. Intrusion Detection Techniques in Mobile Ad Hoc and Wireless Sensor Networks. IEEE Wireless Communications 2007; 14(5): Pahlevanzadeh B, Samsudin A. Distributed hierarchical IDS for MANET over AODV+, IEEE Telecommu- Security Comm. Networks 2011; 4: John Wiley & Sons, Ltd. 917

9 Mobile ad hoc networks M. Y. Su and S. C. Yeh nications and Malaysia International Conference on Communications, pp , Tamilselvan L, Sankaranarayanan V. Prevention of Blackhole Attack in MANET, IEEE Wireless Broadband and Ultra Wideband Communications Conference, pp , Wu D, Wong F. Remote Sniffer Detection, Computer Science Division, University of California, Berkeley, December 14, Grundshober S. Sniffer Detector Report, Global Security Analysis Lab., Zurich Research Laboratory, IBM Research Division, June Trabelsi Z, Rahmani H, Kaouech K, Frikha M. Malicious Sniffing Systems Detection Platform, In Proceedings of the IEEE Intl. Sym. on Applications and the Internet,pp , Sniffdet -- Remote Sniffer Detection Tool/Library. sniffdet.sourceforge.net/index.html. 21. AbdelallahElhadj H, Khelalfa HM, Kortebi HM. An Experimental Sniffer Detector: SnifferWall, Basic Software Lab., CERIST, Nmap Tools. securityfocus.com. 23. The Network Simulator---ns Security Comm. Networks 2011; 4: John Wiley & Sons, Ltd.