International Journal of Advanced Computer Science, Vol. 3, No. 6, Pp. 310-317, Jun., 2013.

On the Design of a New Intrusion Detection System for Securing MANET: An Agent-Based Approach
Leila Mechtri, Fatiha Djemili Tolba, & Salim Ghanemi
Manuscript
Received: 2, Nov.,2012 Revised: 7, Dec.,2012 Accepted: 10, May,2012 Published: 15, May,2012

Keywords
Security, MANET, IDS, MAS, Distributed, Cooperative.

Abstract Mobile Ad-hoc NETworks, or MANETs for short, are increasingly gaining popularity. However, these networks are more vulnerable to attacks than wired networks. This is, mainly, due to their special nature and to the numerous constraints they present. Although many research works have been devoted to develop security mechanisms for MANETs, but still the optimal and efficient security solution not found. In this paper, we focus on intrusion detection in the mobile ad-hoc networks. Starting by an overview of the existing work in this field, and ending up with the proposal of a new distributed and cooperative architecture for intrusion detection. In order to overcome the weaknesses and flaws of the existing MANET intrusion detection systems (IDSs), this architecture integrates an agent-based detection process. So, the main principle of the proposed architecture is based on: (a) the distribution which is achieved through the implementation of a local intrusion detection system on each network node, and (b) the cooperation that is guaranteed by mobile and stationary agents collaboration. In that way we were able to have an IDS with so many interesting features such as: flexibility, distribution and cooperation, autonomy, lightweight, reactivity and fault tolerance which are extremely desired for any MANET intrusion detection system. The paper also discusses various constraints and limitations related to MANETs; and shows how effectively does our IDS manage to overcome them.

1. Introduction
A wireless ad-hoc network consists of a collection of mobile nodes that communicate with each other via wireless links without the help of any pre-existing infrastructure. Each node can function both as a router and as a host. In other words, the nodes communicate directly with each other if they are in the same range of transmission, otherwise, intermediate nodes will be involved to forward the messages. Unlike wired networks, MANETs are more vulnerable to attacks. This is due to the numerous constraints they present such as: the absence of a fixed infrastructure, the dynamic topology change, their dependence on cooperative
Leila Mechtri, Fatiha Djemili Tolba, and Salim Ghanemi are with Badji Mokhtar University, Algeria. ( mec hteri@lrs-a nab a.net, fati ha.djemili@univ-a naba.org, ghane misalim@yahoo.com)
ch n ba ih n em

communication and the unreliability of wireless links, etc. Hence, providing security in such networks is a prime concern. Unfortunately, conventional security mechanisms such as authentication and firewalls are not sufficient or non-dedicated to guarantee the security of an ad-hoc network. This, jointly with the rapid proliferation of attacks, leads to the emergence of a new trend, in the security field known as intrusion detection. Intrusion detection is the process of monitoring and analysing events of computer systems or networks and trying to uncover any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource [1]. There are two main intrusion detection techniques, namely anomaly detection [2] and misuse (or signature-based) detection [2]. Anomaly detection techniques model normal behaviour i.e., they compare observed data to normal patterns in order to uncover abnormal patterns of behaviour. Whereas, misuse detection techniques deal with attack behaviour i.e., they compare observed data to known attack patterns. A hybrid intrusion detection that combines both anomaly and misuse detection can be considered as a third technique of detection. Each of these techniques has some advantages over the other one, but at the same time, they present some serious drawbacks. For instance, misuse detection is effective for detecting known attacks but it is generally not able of detecting new attacks that have not been previously defined. Unfortunately, this inability to detect unknown attacks causes the generation of a certain number of false negative alarms. On the other hand, anomaly detection allows the detection of new attacks as it focuses, during its analyses, on any deviation from the normal behaviour of the supervised system rather than being limited to the search of some specific attack scenarios. However, this might lead to the generation of a significant number of false positive alarms since it is often difficult to perfectly model the systems normal behaviour. The source of data used by those techniques can be the host on which the intrusion detection system (IDS) is run as it can be the network itself. Thus, we come to distinguish between two classes of IDSs which are Host-based IDSs (H-IDS) and Network-based IDSs (N-IDS). This paper presents MASID (Multi-Agent System for Intrusion Detection), a new intrusion detection system for MANET in which a collection of agents takes up the performing a distributed and cooperative intrusion detection. By using agents we look, not only, for a complete automation of the detection process but also to take

L. Mechtri et al.: On the Design of a New Intrusion Detection System for Securing MANET: An Agent-Based Approach.

311

advantage of the interesting characteristics presented by an agent technology. This, in order to achieve better detection rates coupled with low use of both host and network resources as well as minimizing the IDS runtime and allocated resources. The remainder of the paper is organized as follows. The following section presents a brief survey of current research in intrusion detection for wireless ad-hoc networks. Section 3 introduces the notions of agents and multi-agent systems in some detail about their utility for intrusion detection. Section 4 describes the proposed intrusion detection framework. Section 5 discusses some problems related to resource constraints in MANETs and explains the way our IDS deals with those limitations. Section 6 concludes this paper by summarizing our approach and outlining some future research directions.

2. Related Work
There are many IDSs designed for wired networks, but they are, still, unsuitable for their counterpart ad-hoc networks. For instance, MANETs inherent features such as: the dynamic network topology changes and the lack of a centralized network management point, make direct application of these approaches to MANETs a heavy task if not impossible. For that reason researchers have proposed new approaches for intrusion detection in MANETs. In the literature MANET IDSs are generally categorized into four main categories (architectures). These include stand-alone IDSs, distributed and cooperative IDSs, hierarchical IDSs and agent-based IDSs. A. Stand-alone IDSs In this category of IDSs, the detection process is performed on each node, and there is no cooperation or data exchange between the network nodes. A typical example is that of [3], termed CAIDS (Context Adaptive Intrusion Detection System) which is able to dynamically adapt to contextual factors at a given node such as residual energy, potential security threats and trafc loading to accommodate and inspect new arriving packets. Through the use of an intelligent IDS controller, CAIDS selects optimal values to execute the intrusion detection plan for MANET systems under energy constraints. Here, the main disadvantage is that the authors main focus was to adapt the IDS to the different contextual factors of the network nodes neglecting the fact that the nature of MANET implies the cooperation of the different nodes of the network in order to get a global vision of what is happening in the network. The absence of such global vision might be the main source of network vulnerability to distributed attacks. B. Distributed and Cooperative IDSs MANETs are distributed by nature and requires nodes cooperation. In a distributed and collaborative IDS architecture, every node in the MANET must participate cooperatively in intrusion detection and response.
International Journal Publishers Group (IJPG)

For instance, F. Abdel-Fattah et al. [4] presented the architecture and operation of a distributed and cooperative intrusion detection system for ad-hoc networks in which both anomaly detection and signature-based detection methods were used. In particular they exploited two anomaly detection methods: Conformal Predictor K-Nearest Neighbour (CP-KNN) and Distance-based Outlier Detection (DOD). For the implementation of the signature-based method they focused on three types of attacks which are resource consumption attack, dropping routing traffic attack and blackhole attack. The proposed intrusion detection model consists of two major components that are Gateway Intrusion Detection (GID) and Local Intrusion Detection (LID). Gateway Intrusion Detection comprises of three components: Global Detection Module (GDM), Global Response Module (GRM) and Cooperation Module (CM). A gateway node can optimize energy use by scheduling only a subset of region members who will activate their monitoring sensor agents at one time. Other region members can minimize their energy consumption at the same time. LID is mainly divided into: Data Collection module (DCM), Pre-process Module (PM), Local Detection Module (LDM) and Local Response Module (LRM). The DCM collects audit data from various ad-hoc network sources and passes it to the PM. PM selects informative features from all features set, and then pass these features to the LDM. The LDM analyses the collected local data using CP-KNN and DOD classification algorithms, and identifies malicious nodes in the ad-hoc network. The main advantage of this approach is the detection accuracy. However, it may cause the degradation of the network performance with the traffic exchanged between the different LID and GID. C. Hierarchical IDSs This architecture proposes using multi-layered network infrastructures where the network is divided into clusters. The main idea behind this architecture is that instead of performing host-based IDS at each node, a cluster head (CH) is selected to collect security-related information from nodes in a cluster and determines if an intrusion has occurred. In [5], N. Marchang and R. Datta introduced two intrusion detection algorithms, termed ADCLI (Algorithm for Detection in a CLIque) and ADCLU (Algorithm for Detection in a CLUster). Both of them are based on the collaboration of a group of nodes that are either directly connected (clique) or within a one-hop-route of each other (cluster) to determine the malicious nodes, among them, by voting. Messages are passed between the nodes and depending on the received messages, these nodes determine the suspected nodes (nodes that are suspected to be malicious). These suspected nodes (votes) are eventually sent to the monitor node (the initiator of the detection algorithm). At the monitor node, the suspected nodes that receive at least a minimum number of votes are nally detected as malicious nodes. Hence, the algorithms work in such a way that a group of nodes together make the decision, about the maliciousness of a node, which minimizes the

312

International Journal of Advanced Computer Science, Vol. 3, No. 6, Pp. 310-317, Jun., 2013.

false positive rate. This may, however, create latency in terms of the IDS response as single nodes are not given the authority to decide about the maliciousness of another node even if they have enough evidence. Recently, Darra et al. [6] presented a hierarchical cluster-based IDS architecture for MANET. The proposed IDS architecture is organized into autonomous and distributed multi-levelled hierarchies. Each level consists of several clusters in which specific nodes act as cluster heads gathering local audit data from their cluster members, analysing them and extracting security-related information. In order to improve detection accuracy and reduce energy consumption, this architecture adopts and enhances the mobility and energy aware clustering algorithm (MEACA), which maximizes the clusters stability by choosing nodes with relatively low mobility and high energy to become cluster heads. Thus, the key advantage of the proposed IDS is that its detection accuracy is not affected by nodes mobility, since each cluster includes nodes with similar direction and speed. Thus, mobile nodes of the same cluster appear more static to each other thereby avoiding cluster reformation. Moreover, this IDS balances the energy consumption in a fair and efficient manner. For instance, nodes with adequate energy undertake more detection responsibilities than nodes with low power. A major problem, not tackled in both works, is the fact that, in a hierarchical architecture, there should be a mechanism for preventing a compromised node from being elected as a CH. Nevertheless, this architecture still the best choice in cases where not all the nodes are capable of performing IDS tasks either because of their limited resources or due to their weak computational capabilities. D. Agent-based IDSs This architecture is based on the distribution of the intrusion detection tasks amongst a number of mobile agents. FORK [7] is a novel two-pronged strategy to an agent-based system for ad-hoc networks in which only those nodes that are capable of participating in the intrusion detection, in terms of their available resources, are allowed to compete for and get the IDS agent tasks. The authors base the task allocation process on principles of auctioning. Whenever one or more nodes detect certain changes in the network, they initiate an auction process by submitting auction requests to the rest of the network. The interested nodes submit their bids to the initiating nodes that, then, choose them from several metrics including a battery power metric. Finally, the chosen nodes perform the intrusion detection using the Ant Colony Optimization (ACO) algorithm. This IDS seems to be somewhat insecure as no description about the security of the mobile agents is present.

3. Agents and Multi-Agent Systems (MAS)

An agent can be defined as a computer system that is capable to execute autonomous actions in its environment,

in a flexible and intelligent manner, in order to achieve a predened goal. Therefore, a multi-agent system is a system that consists of a collection of autonomous agents that can interact together to learn or to exchange experiences. This interaction is, generally, achieved by means of communication: agents may command, request, advice, or permit each other to do certain actions. Generally, agents communicate with their peers by exchanging messages in an expressive agent communication language [8]. This latter allows agents to effectively communicate and exchange knowledge with other agents despite internal differences in hardware platforms, operating systems, architectures, programming languages and reasoning systems. Example languages are Knowledge Query Manipulation Language (KQML) and FIPA's (Foundation for Intelligent Physical Agents) Agent Communication Language (FIPA-ACL). The former, which was proposed by ARPA Knowledge Sharing Effort in 1992, is based on the speech act theory: messages are actions, or communicative acts, as they are intended to perform some action by virtue of being sent. The KQML language is a message-oriented communication language and protocol for information exchange independent of content syntax and applicable ontology. It is divided into three layers: the content layer, the message layer, and the communication layer. It uses the KIF (Knowledge Interchange Format) language to describe the content of a message. KIF is an ASCII representation of first order predicate logic using a LISP-like syntax (i.e., a balanced parenthesis list). Similarly to KQML, FIPA-ACL (1997) [9] is based on the speech act theory. FIPA-ACL specifies a standard message language that consists of a set of message types and the description of their pragmatics, that is, the effects on the mental attitudes of the sender and receiver agents. Every communicative act is described with both a narrative form and a formal semantics based on modal logic. Multi-Agent Systems usually encompasses three main types of agent architectures, namely: reactive, deliberative [10, 11] and hybrid architecture [12] where aspects of both reactive and deliberative agents are combined. Reactive agents do not have representations of their own environment and act using a stimulus/response type of behaviour; they respond to the present state of the environment in which they are situated. They do not take history into account or plan for the future. Reactive agents make decisions based on local information. Thus, they cannot take into consideration non-local information or predict the effect of their decisions on the global behaviour of the MAS. Moreover, they lack adaptability as they cannot generate an appropriate plan if faced with a state that was not considered a priori. Despite these limitations, reactive agents still have the advantage of being speed which necessarily makes them desired in rapidly changing environments. The second type of agent architectures is the deliberative one. The key component of a deliberative agent is a central reasoning system [13] that constitutes the intelligence of the agent. Unlike reactive agents, deliberative agents maintain a model of the internal state and they are able of predicting
International Journal Publishers Group (IJPG)

L. Mechtri et al.: On the Design of a New Intrusion Detection System for Securing MANET: An Agent-Based Approach.

313

the effects of their committed actions. More importantly, these agents are mainly characterised by their ability to generate plans that successfully lead to the achievement of their goals even in unforeseen situations. Unfortunately, a major problem with deliberative agents is that the sophisticated reasoning can slow them which may cause latency in the reaction time which is undesirable especially in case of real-time systems. Briefly, agents, in multi-agent systems, have several interesting characteristics, among which we can cite: Autonomy: agents operate without the direct intervention of humans or others, and have some kind of control over their actions and internal state. In other words, it takes actions based on its built-in knowledge and its past experiences; Social ability: agents interact with other agents via some kind of agent-communication language; Reactivity: agents perceive their environment and respond in a timely fashion to changes that occur in it; Pro-activeness: agents do not simply act in response to their environment, but they are able to exhibit goal-directed behaviour by taking initiative [14].

case, data provided by neighbouring nodes can help in taking a definitive decision about the detected suspicious actions. For instance, an attack that is unknown for a node might be known for another node and thus this latter can confirm the attack and, if possible, it will provide the victim node with information about how to respond to it as shown in Fig. 1. Fig. 2 illustrates the steps followed by MASID to look for and respond to intrusions.
Data collection and filtering

Normal Classification

Abnormal Compare with known attacks Known attack

4. Proposed Intrusion Detection System

In this section, we present MASID (Multi-Agent System for Intrusion Detection), a new MANET intrusion detection system, inspired in part by [15], and in which we divided the intrusion detection task into subtasks and distributed them among a number of agents. More specifically, MASID consists of a collection of local IDSs, distributed among all the networks nodes.
LID S LID S

Unknown attack/uncertain Collect more information (collaborate with other nodes)

Yes

Attack confirmed No

MA

MA

LID S
MA MA

Update attacks database

Update normal behavior

M A

Inform other nodes

LID S

LID S

MA

Appropriate response
Fig. 1 Distributed Intrusion Detection Using MASID Fig. 2 Intrusion Detection Process

Each local IDS runs independently and monitors local activities. It detects intrusions from local traces and initiates local and global response. If an anomaly is detected in the local data, or if there are signs of intrusion and there is not enough evidence, neighbouring local IDSs will cooperatively participate in the detection process, either by participating actively in the response or by, simply, providing some additional information (depending on the results of the local intrusion detection process). In this latter
International Journal Publishers Group (IJPG)

A. Local IDS Each local IDS consists of four agents, playing different but complementary roles, and working together as shown by Fig. 3. These agents are either stationary or mobile agents, depending on the task they are performing. Furthermore, they adopt two different architectures: they are either reactive or deliberative agents but they share some

314

International Journal of Advanced Computer Science, Vol. 3, No. 6, Pp. 310-317, Jun., 2013.

MANET node Detection agent

Known attack

Response Agent Response to known attacks Collaboration Agent Inform other nodes Update normal profiles
Unknown/Uncertain

Detector (misuse detection)

Classifier (anomaly detection)

Collector

SNMP Agent

Collect more information

Update known attacks

Local routing data

MIB

Fig. 3 Proposed Local Intrusion Detection Architecture

interesting characteristics. For instance, each agent is autonomous, cooperative, intelligent, rational and able to communicate with other agents. By using agents we then look for a complete automation of the detection process. 1) Collector: The rst agent, data collection agent, is a reactive agent that captures and gathers audit data from various sources. We suggest two local data sources to be used: Simple Network Management Protocol (SNMP) data located in Management Information Base (MIB) and routing tables. Actually, the use of data stored in MIBs reduces the use of additional resources to collect data as an SNMP agent is already run on each node. Moreover, it has been proven that the analysis of MIBs data permits an early detection of Distributed Denial of Service (DDoS) attack [16] which we will focus on during the detection process. More importantly, the use of such data source can solve the problem of MANET nodes heterogeneity. In order to access MIB data, collector sends SNMP requests (GET and GETNext) to the SNMP agent charged of the local MIBs management. This agent is also responsible for filtering the collected data so that it keeps only those features that will be used by the detection agent during the detection process. 2) Detection Agent: The second agent is a classification and detection agent. It uses data provided by collector to investigate and look up for signs of intrusions. It includes both a misuse detection (detector) and an anomaly detection (classifier) engine: anomaly detection to detect the different anomalies, and misuse detection to determine the exact

types of the previously detected anomalies (types of attacks), if possible. More specifically, classifier starts the detection process by analysing the collected data in the search for any deviation from the nodes normal behaviour. If so, then detector will intervene to determine the exact type of the deviation in order for the response agent to be able to adequately react to it. The detectors intervention is nothing but a simple comparison of the suspected scenario to the known attacks signatures. If no, or little, matches are found then the local intrusion detection system will consider that there is not enough evidence, and will look for more information by cooperating with other local IDSs by means of the collaboration agent. 3) Response Agent: The response agent is a deliberative agent. Its main function is to react to the detected intrusions, as quickly as possible, in order to prevent any potential future damage. Actually, the detection agent, upon detecting a known attack, will inform the response agent of its type so that this latter can perform the appropriate response. Active responses may include dropping the connectivity to the potential attacker. This agent is also concerned with the update of both nodes normal profiles and known attacks databases. 4) Collaboration Agent: The collaboration agent serves as a communication channel. This mobile agent is in charge of sharing information out among the former agents as well as informing other local IDSs with the detection results and if needed ask them for more information.

International Journal Publishers Group (IJPG)

L. Mechtri et al.: On the Design of a New Intrusion Detection System for Securing MANET: An Agent-Based Approach.

315

In the former case, it provides the neighbouring nodes LIDS with signatures of the newly detected attacks in order for them to update their own attack databases. In the latter case, on the contrary, it looks for complementary information on its neighbouring nodes. This collaboration is quite useful especially for the detection of network distributed attacks. B. Secure Communication Between Local IDSs As we have mentioned earlier, we will have local IDSs running on each individual node of the ad-hoc network. Each of these local IDSs will have to communicate with other local IDSs in the network to convey information about the status of the system or to participate in a global intrusion detection and response. It is then highly recommended that the information being passed from one local IDS to another should be secured as to not allow an attacker to gain access to the communication.

to deal with the detected attack, and the collaboration agent to inform the other network nodes. After performing the necessary actions, the activated agents will reset themselves to the sleep state in order to preserve the systems resources. Otherwise, i.e. the detection agent detects an unforeseen state, so, only the collaboration agent will be activated to look for more information on neighbouring nodes as illustrates Fig. 4 (e). The response agent is, latterly, activated (Fig. 4 (f)) to either generate the appropriate response to the newly detected attack or to update the normal profiles database. In some cases and if necessary, it might happen that many agents become active at the same time. For example, collector can become active while collaborator and/or the response agent are active, of course if new data is ready to be collected and the response, for example, has not yet been completely performed as shown in Fig. 4 (g).

5. Resource Constraints
Limited resource constraints such as energy, processing capacity, and memory are important features to, unavoidably, consider when designing intrusion detection systems for MANETs. A. Resource Conservation Regarding resource constraints in MANETs, we sought to adapt the behaviour of our IDS, MASID, and thus of its constituting agents, according to the nodes state (whether it is under attack or not). In this way, we can preserve both system and network resources, to the maximum possible. This could be achieved by creating a kind of active/sleep transition in state (i.e., Switching between the active and sleep agents states) for each of MASIDs composing agents. Sleep refers to a state where the concerned agent is not performing any actions. In such situation the agent will free all the resources pre-allocated to it. On the other hand, active state refers to the agents state when performing its actions. If we consider the example in Fig. 4, we see that at a certain moment (c.f. Fig. 4 (a)) all the agents are in a sleep state with the exception of the SNMP (Simple Network Management Protocol) agent that still managing the local MIB (Management Information Base). When new data is stored in the local MIB, collector switches its state to active and communicates with the SNMP agent to get the newly stored data as shown in Fig. 4 (b). After filtering these data, so that to keep only the necessary information for the detection process; collector activates the detection agent to start the detection process. At this moment, it sets again its state to the sleep state and maintains that state until new data is present in the MIB (c.f. Fig. 4 (b)). Fig. 4 (c), (d), (e) and (f) illustrate the two possible scenarios resulting from the activation of the detection agent. The first scenario presented in Fig. 4 (c) and (d) shows the case where the detection agent detects one of the known attacks. In this case, it will activate both the response agent,
International Journal Publishers Group (IJPG)

(a)
S C D S

(b)
C D

(c)
S C D S

(d)
C D

(e)

(f) S: SNMP Agent; C: Collector; D: Detection Agent; B: Collaboration Agent; R: Response Agent.

(g) Sleep State Active State Activation

Fig. 4. Sample Scenario of Intrusion Detection Using MASID

B. Runtime Attacks against MANETs are being more and more severe and difficult to detect, to the extent that they may cause a total crash of the network being attacked. Example attacks are blackhole and grayhole attacks. In the former, the attacking node drops all incoming packets, thereby preventing them from reaching their legitimate destination.

316

International Journal of Advanced Computer Science, Vol. 3, No. 6, Pp. 310-317, Jun., 2013.

The latter, on the other hand, starts, by the attacking node, through misleading and gaining trust of the other network nodes by playing the role of a legitimate network node, which makes it very difficult to be suspected or detected. Then, it launches the real attack by absorbing all the traffic that passes through it and selectively dropping the absorbed packets. Prevention of attacks becomes a questionable security solution when facing such sophisticated attacks. Thus the elimination of such attacks requires an, as quick as possible, intervention. This imposes that the intrusion detection system should be able to provide not only a quick detection but also a rapid response to limit the potential damage. In the case of MASID, the parallel execution of the different intrusion detection tasks, through the use of several agents, each performing a specific detection subtask, permits a considerable reduction of the runtime. This means faster detection and response to attacks. In other words, MASID is able to detect attacks as soon as they are injected in the network, thereby preventing great damages. To sum up, we created a kind of trade-off between the speed of execution, which is necessary to guarantee immediate responses to attacks, and resource conservation, which is extremely important for the survivability of the network. In addition, the shift of agents state from active to sleep helps, greatly, in the preservation of the nodes resources mainly in terms of memory, processing capacity and energy.

6. Comparison
Table 1 compares MASID to the previously discussed IDSs.

7. Conclusion and Future Work

In this paper we presented MASID, a new intrusion detection system for ad-hoc networks. It is based on an agent-based detection process incorporated within a distributed and cooperative architecture. The main advantages of the proposed intrusion detection scheme can be summarized in the following points. First, no central entity is needed for data correlation. This increases the fault-tolerance of the system as no single point-of-failure is present. Besides, we could achieve more flexibility and a complete automation of the intrusion detection process through the use of agents. The paper also addressed the problem of limited resource constraints in MANET and provided optimal solutions to cope with those limitations. Currently, the research is taking place in developing and practically evaluating the proposed IDS so that we can compare its performance with existing MANET IDSs. Our long term objective is to improve the framework, by adding a mechanism for securing the IDS agents and by creating a kind of agent replication that will permit the recovery of the system in case of the failure of one or more of its

TABLE 1 Comparison of Some Existing MANET IDSs

IDS

CAIDS [3]

ADCLI/ ADCLU [5]

Darra et al. [6]

A-Fattah et al. [4] Distributed & cooperative

FORK [7]

MASID Distributed & cooperative + Agent-based

Architecture

Stand-alone

Hierarchical

Agent-based

Detection technique

Anomaly detection Misuse detection Hybrid detection Host

Data Source

Neighbourhood Network Passive

Response Active Energy Resource constraints Node Mobility Node load

International Journal Publishers Group (IJPG)

L. Mechtri et al.: On the Design of a New Intrusion Detection System for Securing MANET: An Agent-Based Approach.

317

constituting agents.

References
[1] R. Heady, G. Luger, A. Maccabe and M. Servilla, The architecture of a network level intrusion detection system Technical Report, Computer Science Department, University of New Mexico, August 1990. T. Anantvalee and J. Wu, A Survey on Intrusion Detection in Mobile Ad Hoc Networks, In: Wireless/Mobile Network Security, Springer (2006), pp. 170 -196. B.-C. Cheng and R.-Y. Tseng, A Context Adaptive Intrusion Detection System for MANET, In: Comput. Commun. Elsevier (2010). F. Abdel-Fattah, Z. Md. Dahalin, and S. Jusoh, Distributed and cooperative hierarchical intrusion detection on MANETs, International Journal of Computer Applications (0975-8887), Vol. 12, No.5, Dec. 2010, pp. 32-40. N. Marchang and R. Datta, Collaborative techniques for intrusion detection in mobile ad-hoc networks, In: Ad Hoc Networks 6 (2008), pp. 508-523. E. Darra, C. Ntantogian, C. Xenakis, and S. Katsikas, A Mobility and Energy-Aware Hierarchical Intrusion Detection System for Mobile Ad Hoc Networks, In: TrustBus 2011, LNCS 6863, pp. 138-149, 2011. C. Ramachandran, S. Misra, and M. S. Obaidat, FORK: A novel two-pronged strategy for an agent-based intrusion detection scheme in ad-hoc networks, Computer Communications 31 (2008), pp. 3855-3869. M. Wooldridge and N. R. Jennings, Intelligent agents: theory and practice, Knowledge Engineering Review, October 1994. Y. Labrou, T. Finin, and Y. Peng, The current landsca pe of Agent Communication Languages, In: IEEE Intelligent Systems, vol. 14, No. 2, March/April, 1999. N. R. Jennings, E. H. Mamdani, I. Laresgoiti, J. Perez and J. Corera, Grate: A general framework for cooperative problem solving, IEE-BCS Journal of Intelligent Systems Engineering, Vol. 1, No. 2, 1992, pp. 102-114. A. Haddadi, and K. Sundermeyer, Belief-desire-intention agent architectures, In G. M. P. OHare and N. R. Jennings editors, Foundations of Distributed Artificial Intelligence, 1996, pp. 169-186. I. A. Ferguson, On the role of BDI modelling for integrated control and coordinated behaviour in autonomous agents, Journal of Applied Artificial Intelligence, Vol. 4, No. 9, 1995, pp. 421-448. M. L. Ginsberg, Universal planning: An (almost) universally bad idea, AI Magazine, Vol. 10, No. 4, 1989, pp. 40-44. M. Wooldridge and N. R. Jennings. Agent theories, architectures, and languages, In: Wooldridge and Jennings eds. Intelligent Agents, Springer Verlag, 1995, pp.1-22. J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. Spafford, and D. Zamboni, An Architecture for Intrusion Detection using Autonomous Agents, COAST Technical Report 98/05, June 1998. J. B. D. Cabrera et al., Proactive Detection of Distributed Denial of Service Attacks using MIB Trafc Variables-A Feasibility Study, IEEE (2001).

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

International Journal Publishers Group (IJPG)