1 Introduction

A MANET is a self-configuring wireless network that consists of mobile nodes connected via wireless links. Each mobile node acts as a router. Mobile nodes are vulnerable because of their characteristic features: dynamic topology, constrained capability, distributed cooperation, and an open medium. Intrusion Detection and Prevention Systems (IDPS) have recently been presented to detect and mitigate security attacks in MANET [1, 2]. In a conventional IDPS, each individual node is required to run an IDS agent to monitor intrusions, but this arrangement is not suitable for detecting attacks [3]. Intruders in MANET fall into three classes: Masquerader, Misfeasor, and Clandestine User. A masquerader is an outsider who intends to access legitimate mobile nodes in an unauthorized manner. A misfeasor is an insider who misuses a legitimate node's privileges, and a clandestine user is either an insider or an outsider who intends to hold supervisory control over the MANET [4,5,6]. IDPS is now an important security element for any wireless network. Intrusion detection refers to the detection of malicious activities such as attacks, penetrations, break-ins, and so on [7]. An intrusion prevention system protects the system from attacks based on node behavior. Intrusions are detected using data mining (DM) approaches, whose main categories are as follows: reinforcement learning, regression, classification, optimization, ensemble learning, rule-based decision making, and clustering [8]. Conventional machine learning approaches and deep learning based approaches have recently been proposed for intrusion detection and prevention [9, 10]. Previous IDS solutions were designed on the basis of supervised algorithms, including K-nearest neighbor (KNN), Support Vector Machine (SVM) [11], Naïve Bayes [12], Random Forest (RF) [13], etc. Likewise, the commonly used deep learning algorithms are deep neural network (DNN), long short term memory (LSTM), convolutional neural network (CNN), etc. Deep learning algorithms are time consuming and involve complex learning in some cases [14, 15]. Intrusion detection in MANET is a tedious task because of several challenges, which are the following [16].

  1. Selection of packet features to classify nodes into normal and attacker

  2. Immediate detection of attackers in the network, which is important to mitigate the impact of any malicious activity

  3. Choice of an algorithm for efficient detection of any specific intrusion in a highly dynamic environment

  4. Detecting intrusions with a high detection rate and a minimal false positive rate at the same time, which is challenging

Hence the best set of packet features results in a high detection rate and a minimal false positive rate in less detection time. Most IDS approaches lead to a high false positive rate and a low detection rate, and they do not eliminate intrusions from the network completely. Feature extraction, selection and transformation play an essential role in intrusion detection for MANET. Recently proposed feature extraction and selection techniques consider an optimum set of features out of the full feature set based on the given test packet, which yields a very small detection time and improves the performance of IDP.

Figure 1 illustrates intrusion detection in MANET, where we specify the preliminary stages of intruder packet classification. As with intrusion detection, intrusion prevention also plays a significant role in mitigating attacks in MANET, since most intrusion prevention schemes are insufficient once mobile nodes have been compromised by attacker nodes. Given the inherent failures that come with the dynamic nature of MANET, conventional cryptographic techniques cannot guarantee the prevention of attacks, and they incur high computational cost and overhead when the MANET is highly vulnerable to security threats [17]. In this paper we propose a smart approach for an Intrusion Detection and Prevention System (SA-IDPS) in MANET. SA-IDPS has the following major objectives:

  • Design an effective and intuitive IDPS that is suited to real environments with highly dynamic mobility

  • Provide an immediate response to mobile nodes for alarm events and protect information access

  • Achieve graceful Quality of Service (QoS) while the IDPS is functioning in MANET

  • Propose an IDPS model for MANET with a high attack detection rate and minimal false alarm rate and overhead

Fig. 1 Intrusion detection in MANET

To attain the above-mentioned objectives, in this paper we provide complete information on how intrusions are detected and prevented in MANET.

Contributions The main contributions of this paper are as follows:

  • We employ two engines for intrusion detection and prevention, referred to as IDE and IPE. We propose a One Way Hash Chain (SHA-256) for preventing intrusions in MANET through a trusted authority.

  • We consider four units for intrusion detection: packet analyzer, data preprocessing unit, feature extraction unit, and classification unit.

  • In the packet analyzer, a packet is classified as either normal or attack based on packet header information. Packet features are the input variables sent to the Type 2 Fuzzy Controller (T2FC).

  • In data preprocessing, two processes are considered: encoding, and logarithmic and linear normalization.

  • In the feature extraction unit, optimum features are extracted and optimized using the Mutual Information (MI) function, so that only the optimum set of features is extracted for intrusion detection.

  • In the classification unit, a hybrid algorithm is used for fast intrusion detection. An Artificial Neural Network (ANN) is used to train on the dataset, and the Bootstrapped Optimistic Algorithm for Tree Construction (BOAT) is introduced for classifying normal packets and attack packets. Attack packets are classified into four classes: DoS, Probe, U2R, R2L and Anomaly. We then determine whether the attack type is frequent, rare or anomaly. This classification is made by the Association Rule Tree (ART).

  • We evaluate the effectiveness of our SA-IDPS scheme using the NSL-KDD dataset in the NS3 simulation environment, and the experimental results demonstrate that the proposed scheme provides better results than previous machine learning techniques.

Paper Organization We have structured the rest of the paper into five sections: Sect. 2 presents systematic related work on intrusion detection and prevention in MANET, with its limitations. Sect. 3 details the problem statement, where we highlight the major challenges in recent works. Section 4 discusses the proposed SA-IDPS for MANET against security attacks. Section 5 presents experiments and results for the proposed and well-known previous intrusion detection methods. Section 6 concludes the paper and gives future work.

2 Related Work

Over the last few years, numerous IDS methods have been presented to mitigate security attacks in MANET. They aim to produce accurate attack detection results but fail to improve the speed of detection, and today MANET faces several challenges due to security threats, such as energy consumption and packet delivery ratio. Hence, in this section we address the limitations of recent works on intrusion detection and prevention in MANET.

Wahab et al. [18] presented an intrusion detection scheme using SVM over clustered vehicular ad hoc networks. The aim of this ID model is to reduce the size of the training set for the SVM classifier, and its advantage is support for high-mobility environments. Various kernel functions are used to test the performance of SVM. The proposed method was shown to improve the scalability of the network with respect to the number of nodes (normal and malicious). A drawback of this work is the SVM itself, since it failed to tune the parameter set and it is very complex to obtain better results. Singh and Bedi [19] discussed a multiclass extreme learning machine (ELM) based Smart Trustworthy IDS with a single hidden layer feed-forward neural network to categorize nodes as trustworthy, partially trustworthy or malicious on the KDD Cup dataset. Five agents are used in that paper: a data accumulation agent, a preprocessing agent, a trust degree computation agent, a differentiation agent and a decision making agent. ELM proved suitable for real-time intrusion detection, but it failed to improve the speed of attack detection evaluation. Kolias et al. [20] proposed an IDS to detect the most popular attacks on 802.11 using several algorithms (Adaboost, J48, Naïve Bayes, OneR, Random Tree, Random Forest, ZeroR). The Aegean WiFi Intrusion Dataset (AWID) is used in this work, which is also suited to UMTS, LTE and WiMax technologies. It showed that the J48 and random forest classification algorithms provide a high detection rate and a low false alarm rate. These two algorithms are simple and easy to use, but they fail to support large-scale datasets; hence scalability is not achieved. Subba et al. [21] discussed a hybrid IDS with a Bayesian game formulation to detect deprivation, flooding, DoS and foraging, blackhole and packet dropping attacks by using unsupervised association rule mining (ARM) algorithms such as Apriori and Vickrey–Clarke–Groves (VCG). Furthermore, a threshold-based lightweight module and a powerful anomaly-based heavyweight module are proposed to obtain lower power consumption. The proposed model is heavyweight, and thus it provides a low attack detection rate and a high false alarm rate. Ahmed et al. [22] presented a new framework for DoS attack detection using a finite state machine (FSM). An intrusion detection system with the ad hoc on-demand distance vector protocol (ID-AODV) is proposed, which is driven by the FSM. Three operational modules are involved in ID-AODV: network monitoring, FSM, and DoS detection. In simulation, ID-AODV obtained a better attack detection rate, showing high security of mobile nodes in data transmission and collection, but the authors did not report the detection delay. Shanthi et al. [23] discussed intrusion detection and secure key management in MANET using a trust metric. Direct and indirect trust is computed for each mobile node, and hierarchical group key management is proposed for information access control. A base station is deployed in the network for group key generation, distribution and management. Through this work, network lifetime and packet delivery ratio are improved in the presence of attackers, but the attack detection rate achieved with the trust metric is not investigated. Khan et al. [24] discussed the detection and prevention of attackers in the network. To detect malicious nodes, detection and prevention nodes are deployed in the network. If such a node identifies any suspicious node, it broadcasts an error message throughout the network.

Data packets forwarded by the suspicious node are eliminated from the network. Intrusion detection and prevention in this scheme requires more statistical analysis and computation, which results in high overhead and large energy consumption in the network. Raja and Ganesh Kumar [25] proposed a trusted cluster based routing protocol for MANET. The paper concentrates on trust management (TM), in which a trust value is computed for all mobile nodes. Nodes with a high trust value are considered trusted nodes. The goal of the paper is to establish a TM-based routing protocol to enhance QoS in MANET. Simulation results showed better performance for the following metrics: energy consumption, throughput, packet delivery ratio, and delay. However, mobile node behavior is not constant, which can lead to a wrong opinion about a node. Anusha and Sathiyamoorthy [26] discussed an intrusion detection mechanism for MANET using trust-based authentication and bio-inspired optimization algorithms. To prevent intrusions, a certificate authority is deployed in the MANET, which generates public and private key pairs. Deep packet inspection is implemented in this paper to improve MANET security, and hence packet features are extracted for deep packet inspection. When an attacker is identified by deep packet inspection, an error message is sent to the certificate authority so that it can take the necessary actions. An asymmetric technique can be used for message encryption and signing (validation), but it is very resource intensive and works well only for small messages. Luong et al. [27] proposed a new protocol named FAPRP, the flooding attacks prevention routing protocol. FAPRP is based on a machine learning approach implemented and tested over MANET. It is an extended version of the AODV routing protocol created to mitigate flooding attacks. Experiments validated that FAPRP reached a 99% detection rate for flooding attacks. However, flooding is an initial attack that is easily mitigated through packet header information, whereas several security attacks are still unsolved in MANET. One research work in this direction, i.e. detecting new security attacks in MANET, is detailed in [28]. In that paper the authors proposed a node collusion method to classify normal and attacker nodes, which is intended to mitigate two security attacks: wormhole and sinkhole attacks. For the prevention of routing attacks, a route reserve method is proposed. This work takes a large computational time for node classification. Some research works focus on intrusion detection using the NSL-KDD dataset [29,30,31,32]. Ahmad et al. [29] studied the performance comparison of RF, SVM and ELM for network intrusion detection. Each technique was applied to detect intrusions with the trained NSL-KDD set. The authors concluded that ELM is a suitable scheme for intrusion detection and validated it on a large dataset. This work tends to increase detection time, since processing all preprocessed data with feature extraction and selection is time consuming. Yin et al. [30] tested the NSL-KDD dataset using a recurrent neural network (RNN) and compared the performance of the RNN with several classifiers such as J48, SVM, RF, and so on. It supports binary and multi-class classification and shows a better accuracy rate in intrusion detection. The training time of the RNN is higher, and hence the authors suggested that long short term memory (LSTM) or a gated recurrent unit (GRU) be used in future to address the issue. Recently, Khan et al. [31] proposed convolutional LSTM and Spark ML (machine learning) for intrusion detection. However, both convolutional LSTM and Spark ML require a large amount of data for training, and the computation of this combined algorithm is very large. Xu et al. [32] proposed a GRU for network intrusion detection. In this paper, RNN is integrated with GRU to improve intrusion detection performance. Two datasets are tested: KDD 99 and NSL-KDD. The total detection rate is as high as 99.42% and 99.31% for the KDD and NSL-KDD datasets, respectively. Similarly, they obtained low false positive rates of 0.05 and 0.84 for the KDD 99 and NSL-KDD datasets, respectively. The attack detection rate is very high, but the detection time for intrusions also becomes very high. It must be lower to demonstrate that the system has obtained better performance.

3 Problem Statement

In this section, we state the problems that exist in current works. From the review of the literature, we find that several challenges remain in the design of IDPS in MANET: (1) lack of routing attack detection with a low alarm rate, (2) not scalable or practical to implement in real time, (3) insufficient for up-to-date evidence collection, (4) not tolerant to loss of messages, (5) high message and computation overheads, and (6) no automatic, real-time routing recovery.

In [33] the authors proposed a neutrosophic intelligent system (NIS) using self-organized feature maps (SOFM) and a genetic algorithm (GA). In a neutrosophic system, rules are generated in terms of symbols instead of numerical values. In NIS, attack packets are identified by membership, non-membership, and indeterminacy degrees using SOFM. The KDD dataset is tested in this neutrosophic system. GA is used to classify the packets into two classes: normal and abnormal. That paper proposed a generalized neutrosophic set, but it is not suitable for complex applications like intrusion detection. An adaptive fault-tolerant mobile agent based IDS is proposed in [34] and tested on the KDD dataset. Initially, attack classification is implemented using the TSVID (Trail based classifier using Support Vector Machine for Intrusion Detection), NNIDS (Neural Network Approach to Intrusion Detection System) and DF-IDS (Determinant Fuzzy system for Intrusion Detection) algorithms simultaneously. This work fails to address the preprocessing issue, which is required to minimize the false positive rate and increase the detection rate. The TSVID algorithm does not perform well on a huge dataset with more noise, which makes decision making tricky. In [35] a new intelligent framework called INDIA, which stands for intruder node detection and isolation in MANET, is proposed. Three processes are invoked in INDIA: feature extraction, feature optimization and classification. Feature extraction is implemented by computing trust values (direct trust, indirect trust and total trust) for every node. Feature optimization is implemented using particle swarm optimization (PSO). Finally, the optimized set of features is classified using NN. The speed of the IDS is an important element, and it is very low in this work; the trust computation itself is also not effective. In [36] a plug and play device was deployed in ad hoc networks to act as a packet capture tool. A deep neural network (DNN) was proposed to detect DoS attacks, a convolutional neural network was proposed to detect XSS attacks, and long short term memory (LSTM) was proposed to detect SQL attacks. It is implemented using the NS2 simulator and tested on the KDD dataset. The plug and play device is cost effective and low power, which leads to low scalability, and bringing this tool in for IDS is not practical. In [37] two algorithms are proposed for intrusion detection in networks: an improved PCA (Principal Component Analysis) and the Gaussian Naïve Bayes algorithm. The improved version of PCA minimizes the data pollution problem. The total number of weighted principal components is 12, which are selected using sequential selection. Feature dimensionality reduction is implemented by the enhanced PCA, and user behavior is classified using the Gaussian Naïve Bayes algorithm. The runtime of the improved PCA is typically large, since it does not select an optimum set of features for classification. The Gaussian Naïve Bayes algorithm is less demanding for packet classification, but its detection rate is not high. In preprocessing, min–max normalization is applied, which is a simple algorithm. In this paper, we address all the above-mentioned limitations to improve MANET security. The proposed methods are described in the following section.

4 Proposed Work

In this section we describe in detail the proposed system for intrusion detection and prevention in a mobile ad hoc environment. Figure 2 shows the system architecture of the proposed model.

Fig. 2 System architecture for SA-IDS in MANET

4.1 System Model

In the last few years, researchers have designed intrusion detection and prevention based on conventional approaches, which do not give strong results in terms of attack detection rate and false positive rate. To mitigate such issues, in this paper we propose a smart approach for intrusion detection and prevention in a mobile ad hoc environment. Our proposed SA-IDPS comprises Mobile Devices (MDs), a Trusted Authority (TA), a Packet Analyzer, a Preprocessing Unit, a Feature Extraction Unit, and a Classification Unit. By the definition of MANET, mobile users move rapidly between locations in the ad hoc environment. Network traffic occurs when data packets are received from nearby mobile users. We introduce intrusion detection and prevention engines for mitigating attacks. The packet analyzer scrutinizes packets based on packet arrival time, number of packets per flow, packet counts, and packet size, taken from the packet header. The threshold for distinguishing attack patterns from normal patterns is determined using T2FC, which improves the handling of uncertainty while classifying packets. Packets in which an attack pattern is found are then forwarded to the preprocessing unit, which executes two steps: encoding and normalization. The normalized packets are forwarded to the feature extraction unit, where we extract the optimum set of features, and the classification unit then classifies packets using BOAT with ANN and further identifies whether an attack is rare or frequent using ART. A trusted authority is used in this paper for intrusion prevention: in the intrusion prevention engine we generate a One Way Hash Chain for each mobile user, which fully protects the system from attacker nodes.

4.2 Packet Analyzer

In the intrusion detection engine, the packet analyzer plays a significant role in finding attack patterns in the system. Packets from various locations arrive at the packet analyzer and are processed in the intrusion detection engine, which is deployed in the network. With the dynamic change of MANET users, the packet threshold value may change, so a constant threshold value is not suitable and leads to incorrect outcomes. The threshold must therefore be adaptive and dynamic in order to classify attack patterns. To address this, a thresholding function is applied; it is computed and updated each time a packet arrives at the intrusion detection engine. For accurate and dynamic thresholding we use Shannon information entropy [38]. The Shannon information entropy measure is continuous (the probability values change dynamically, and the threshold changes by a small amount only when the entropy changes by a small amount). When the outcome is certain, the entropy value is zero. Shannon information entropy is defined for a discrete random attribute \(X\) with a set of outcomes \(x_{1} \ldots x_{n}\), and it is calculated by:

$$H\left( X \right) = \mathop \sum \limits_{i = 1}^{n} p\left( {x_{i} } \right)log_{2} \left( {\frac{1}{{p\left( {x_{i} } \right)}}} \right)$$
(1)
$$= - \mathop \sum \limits_{i = 1}^{n} p\left( {x_{i} } \right)log_{2} p\left( {x_{i} } \right)$$
(2)

where \(p\left( {x_{i} } \right) = { \Pr }\left( {X = x_{i} } \right)\) represents the probability of the \(i{\text{th}}\) outcome of variable \(X\). \(H\) can vary depending on the spatial and temporal data of mobile devices and their communication with neighbor nodes. Packet header information is verified in each iteration.

In addition to the basic packet features from the packet header, the trust value of node \(i\) is computed as follows.

$$T_{i} = \frac{\text{Num. of packets sent successfully}}{\text{Num. of packets totally sent}} \times 100\%$$
(3)

where \(T_{i}\) is the trust value of node \(i\), computed as a percentage. If the total number of packets sent by node \(i\) is zero, then \(T_{i}\) becomes zero, which means that node \(i\) has dropped all incoming packets; it is then determined to be an attacker node, and this information is broadcast to the nearby neighbors of node \(i\). The full set of packet features used in the packet analyzer is given in Table 1.

Table 1 Packet header used in packet analyzer

The above-mentioned features are given as input variables to T2FC, which performs classification to mitigate initial attacks. A type-2 fuzzy system is widely applicable in rule-based fuzzy systems, since uncertainty can be easily modeled, whereas type-1 fuzzy sets do not model uncertainty. In addition, it minimizes errors. There are four primary components in T2FC: fuzzifier, inference engine (rules), type-reducer and defuzzifier.

Type-2 fuzzy sets are associated with the terms that appear in the antecedent (if) and consequent (then) parts of the rules, as well as with the input and output of the T2FC. In this system, membership functions are used to describe the fuzzy sets.

The main purpose of using T2FC is to resolve the uncertainty issue, and it can easily deal with inputs of large size. The Footprint of Uncertainty (FOU) is based on the primary membership function of the type-2 fuzzy set. T2FC is able to process imprecise, perception-based features. The inputs and outputs of the type-2 fuzzy sets for the proposed model are the following:

  • Input Fuzzy Set: criteria (see Table 1) that are taken into account for classification

  • Output Fuzzy Set: Normal or Attack

  • Type 2 Fuzzy Variables: Good, Fair and Poor (Fig. 3).

Fig. 3 T2FC running in packet analyzer

To generate the fuzzy IF–THEN rules, all available combinations of antecedent fuzzy sets are used. The algorithm for the packet analyzer is as follows.

Algorithm for Packet Analyzer using T2FC

Step 1) Begin

Step 2) Start T2FC

Step 3) For all packets \(p_{k} \to \left( {k = 1 \ldots n} \right)\)

Step 4) Examine packet features \(PF_{1} , \ldots ,PF_{7}\)

Step 5) In T2FC do

Step 6) Transform crisp input to fuzzified input set

Step 7) Generate fuzzy if–then rules

Step 8) Process in Inference Engine

Step 9) Classify input packet based on packet features

Step 10) Examine packet features by Packet Header

Step 11) Check trust value of a node \(i\)

Step 12) Compute threshold \(T\) for node \(i\) packet \(p\left( k \right)\)

Step 13) If \(p_{k} \left( v \right) > T\)  // \(p_{k} \left( v \right)\) = value \(v\) of packet \(k\)

Step 14) Accept packet

Step 15) Else

Step 16) Go to Neighbor Table

Step 17) End if

Step 18) End for

Step 19) End

The consequents of the fuzzy if–then rules are given by evaluators. The total number of rules generated for output processing is defined by the input variables; we take 7 input variables for classification. The proposed T2FC model has high potential to capture the uncertainties of subjective evaluation. This process helps to mitigate some attacks, such as initial flooding and probe attacks.

4.3 Data Preprocessing Unit

This unit gathers the accepted packets from the packet analyzer and preprocesses them for classification. The data preprocessing step includes packet encoding and normalization, as follows.

  • Packet Encoding: This is a new step that we consider in MANET for intrusion detection. In the dataset, some features are represented as abbreviations such as SF, SO, REJ, and RSTO. Before passing them to the feature extraction unit, we transform these abbreviated features into numerical data. This plays a vital role, since the features fed into the input layer of any type of neural network should be numerical values.

  • Normalization: This is a commonly used preprocessing step. Min–max normalization is a traditional data preprocessing algorithm, which is not suitable for all cases. Hence in this paper we propose a fast two-step normalization technique: (1) Logarithmic: all packet features are converted into an acceptable range. (2) Linear: we cap the feature values between 0 and 5. The equations for these steps are as follows.

    $$X_{Normalized} = \log \left( {X_{i} + 1} \right)$$
    (4)
    $$X_{Normalized} = \left( {A - B} \right)\frac{{X_{i} - \min \left( {X_{i} } \right)}}{{\max \left( {X_{i} } \right) - \min \left( {X_{i} } \right)}}$$
    (5)

    where \(A = 5, B = 0\).
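The two preprocessing steps applied to a few constructed records, as an added example that is not code from the paper. The field names, the sample values, the integer codes assigned to the flag symbols and the use of the natural logarithm are assumptions, since the paper gives neither an encoding table nor the log base.

```python
import math

# Constructed sample records (not taken from NSL-KDD); field names are assumptions.
RECORDS = [
    {"duration": 0,   "src_bytes": 181,    "flag": "SF"},
    {"duration": 2,   "src_bytes": 0,      "flag": "REJ"},
    {"duration": 0,   "src_bytes": 0,      "flag": "RSTO"},
    {"duration": 120, "src_bytes": 999999, "flag": "SF"},
]

def fit_encoder(values):
    """Packet encoding: give each distinct symbol an integer code 1..n.
    Code 0 is reserved for symbols never seen while fitting."""
    return {sym: code for code, sym in enumerate(sorted(set(values)), start=1)}

def encode(value, mapping):
    """Return the integer code of a symbol, or 0 if it was not seen while fitting."""
    return mapping.get(value, 0)

def log_normalize(column):
    """Eq. (4): X' = log(X + 1). Natural log is assumed here."""
    if any(x < 0 for x in column):
        raise ValueError("log step expects non-negative feature values")
    return [math.log(x + 1) for x in column]

def linear_normalize(column, a=5.0, b=0.0):
    """Eq. (5): X' = (A - B) * (X - min) / (max - min), with A = 5, B = 0."""
    lo, hi = min(column), max(column)
    if hi == lo:                      # constant column: avoid dividing by zero
        return [b] * len(column)
    return [(a - b) * (x - lo) / (hi - lo) for x in column]

def preprocess(records, numeric=("duration", "src_bytes"), symbolic=("flag",)):
    """Encode symbolic fields, then apply the log step and the linear step per column."""
    columns = {}
    for name in symbolic:
        mapping = fit_encoder(r[name] for r in records)
        columns[name] = [encode(r[name], mapping) for r in records]
    for name in numeric:
        columns[name] = [r[name] for r in records]
    return {name: linear_normalize(log_normalize(col)) for name, col in columns.items()}

if __name__ == "__main__":
    for name, col in preprocess(RECORDS).items():
        print(name, [round(v, 3) for v in col])
    # The linear step alone on the heavy-tailed column, for comparison.
    raw = [r["src_bytes"] for r in RECORDS]
    print("src_bytes (linear only)", [round(v, 4) for v in linear_normalize(raw)])
```

With the linear step alone, the 181-byte record is squeezed to about 0.0009 by the single large value; after the log step it lands near 1.88, which is the practical reason for running the logarithmic step first.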

4.4 Feature Extraction Unit

In the feature extraction unit, mutual information (MI) is used, applied to the preprocessed data. MI works by variable dependence estimation and applies to both linear and non-linear relationships between variables. For this reason, we have chosen this algorithm for feature extraction and optimization. The traditional definition of MI is as follows: it is a symmetric value computed between two random variables; it is non-negative, and a value of zero shows that the two variables are independent of each other. Assume two continuous random variables \(P = \left( {p_{1} , p_{2} , p_{3} , p_{4} , \ldots p_{D} } \right)\) and \(Q = \left( {q_{1} , q_{2} , q_{3} , q_{4} , \ldots q_{D} } \right)\), where D is the total number of samples. The MI between \(P\) and \(Q\) is computed as follows.

$$MI \left( {P,Q} \right) = H\left( P \right) + H\left( Q \right) - H\left( {P,Q} \right)$$
(6)

where \(H\left( P \right)\) and \(H\left( Q \right)\) represent the information entropies of P and Q.

For two discrete variables, MI is computed from the joint probability mass function \(\rho \left( {p,q} \right)\) and the marginal probabilities \(\rho \left( p \right)\) and \(\rho \left( q \right)\) as follows.

$$MI \left({P;Q} \right) = \sum_{p \in P} \sum_{q \in Q} \rho \left({p,q} \right)\log \frac{{\rho \left({p,q} \right)}}{\rho \left(p \right)\rho \left(q \right)}$$
(7)

When we use MI for feature extraction and selection, we must maximize the MI between the subset of selected features \(x_{S}\) and the output variable \(y\), which is defined as follows.

$$\tilde{S} = \arg \mathop {\hbox{max} }\limits_{S} MI \left( {x_{S} ,y} \right)\quad {\text{subject to}}\quad \left| S \right| = k$$

where \(k\) represents the total number of features for optimization.

To deal with this optimization problem, we consider a greedy solution, in which the subset of features is selected incrementally, i.e. one feature at a time.
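The greedy maximization of \(MI\left( {x_{S} ,y} \right)\) described above, built on the entropy of Eq. (2) and the identity of Eq. (6), as an added example that is not the paper's implementation. The feature names and the eight samples are constructed, and features are assumed to be discrete (already binned).

```python
import math
from collections import Counter

def entropy(samples):
    """Shannon entropy in bits, Eq. (2): H(X) = -sum p(x_i) log2 p(x_i)."""
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in Counter(samples).values())

def mutual_information(p, q):
    """Eq. (6): MI(P, Q) = H(P) + H(Q) - H(P, Q), for discrete sequences."""
    if len(p) != len(q):
        raise ValueError("P and Q must have the same number of samples")
    return entropy(list(p)) + entropy(list(q)) - entropy(list(zip(p, q)))

def rank_individually(features, y, k):
    """Baseline for comparison: top-k features by their own MI with y."""
    ranked = sorted(features, key=lambda name: -mutual_information(features[name], y))
    return ranked[:k]

def greedy_select(features, y, k):
    """Add one feature at a time, each time the one that maximises MI(x_S, y),
    where x_S is the joint value of all features selected so far."""
    selected, scores = [], []
    joint = [() for _ in y]                      # joint value of x_S per sample
    while len(selected) < min(k, len(features)):
        best_name, best_score, best_joint = None, -1.0, None
        for name, column in features.items():
            if name in selected:
                continue
            candidate = [j + (v,) for j, v in zip(joint, column)]
            score = mutual_information(candidate, y)
            if score > best_score:               # strict: first feature wins ties
                best_name, best_score, best_joint = name, score, candidate
        selected.append(best_name)
        scores.append(best_score)
        joint = best_joint
    return selected, scores

# Constructed data: 8 packets, binary features, label 1 = attack.
FEATURES = {
    "syn_error":     [0, 0, 0, 0, 1, 1, 1, 1],
    "syn_error_dup": [0, 0, 0, 0, 1, 1, 1, 1],   # redundant copy of syn_error
    "burst":         [0, 0, 0, 1, 0, 0, 0, 1],   # uninformative on its own
    "parity":        [0, 1, 0, 1, 0, 1, 0, 1],
}
LABELS = [0, 0, 0, 1, 1, 1, 1, 0]

if __name__ == "__main__":
    print("individual ranking:", rank_individually(FEATURES, LABELS, 2))
    print("greedy joint MI:   ", greedy_select(FEATURES, LABELS, 2))
```

Ranking features one at a time picks `syn_error` and its duplicate, while the joint criterion picks `burst`, which carries no information alone but fixes the label together with `syn_error`. On real data the joint estimate saturates quickly as the tuple grows, so continuous features need binning and enough samples per joint cell.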

4.5 Classification Unit

Classification plays a very important role in finding intrusions in network traffic. The accuracy and detection performance of intrusion detection depend mainly on selecting the best classifier algorithm, and the goal of the classifier is to construct a concise and precise model that can be used to predict intrusions from real-time network traffic. In this paper we present a dynamic, hybrid model for packet classification. The hybrid model is the combination of two algorithms: BOAT and Neural Network.

The BOAT classifier is used to detect misuse attacks in MANET. It can be adapted to the unique characteristics of MANET and also addresses the energy-constraint issue, because BOAT needs only two scans to build several levels of the tree over a huge training dataset, resulting in an average performance three times better than existing classification algorithms. BOAT also has the ability to update the decision tree in response to the dynamic insertion or deletion of nodes in the network topology, which addresses one more important issue in MANET, i.e. dynamic topology or mobility. BOAT does not require any storage to write temporary data and needs low run-time resources. The traditional BOAT process can be seen in Fig. 4.

Fig. 4 Decision making process of BOAT classifier

In the classification unit, BOAT is used for classification and a neural network is used to train on the dataset for classification into normal and attack packets (DoS, Probe, U2R, and R2L). First, the neural network is applied to weight the subset of features from the previous unit, i.e. the feature extraction unit. The BOAT classifier is extracted from the trained NN: the most suitable BOAT classifier is used to construct the decision tree using the trained neural network. In Fig. 4, BOAT checks real-time network packets against each decision splitting criterion to determine whether a network packet is authorized or an intrusion type. If a network packet matches a splitting decision criterion, it is considered an intrusion. The algorithm immediately stops the verification process and reports the intrusion name and type, with its severity, to the respective authority so that it can take a proper decision. If no match is found up to the last best splitting criterion N, the network packets are passed to the anomaly detector for further verification.

4.5.1 ART Based Classification

The decision tree rules are modeled again using ART for further classification. Association rules are generated and accepted for the next iteration. In the historical table, we keep the simulated packet data of nodes, covering past and future behavior data. Figure 5 shows the classification workflow.

Fig. 5 Hybrid algorithm workflow

The following features are stored in the historical table:

  1. Num. of packets sent or total num. of communications
  2. Num. of packets delivered successfully within time interval
  3. Num. of dropped packets rate
  4. Average throughput
  5. Packet transmission rate
  6. Hop count
  7. Num. of mis-transmitted packets
  8. Trust values

With the information of the packet features listed above, we classify whether the attack is frequent or rare.

4.6 Intrusion Prevention

Real-time applications related to MANET security include video streaming, file transfer, etc. Intrusion prevention is important for restricting the access of malicious nodes that arrive in the network [39, 40]. For intrusion prevention, we propose a one-way hash chain function. It can be used in many network security applications and is also well suited to authentication by generating hash values. Intruders can generate fake or spoofed identities from legitimate nodes with the intention of disrupting the IDS, or try to establish communication between legitimate nodes in order to obtain data packets. Authentication could be direct when mobile nodes use an asymmetric cryptography algorithm or digital signatures, and this protects packets from being tampered with by attackers. However, because of the large computation overhead and the computations required to generate a public key, in this paper we propose a one-way hash function instead. Asymmetric algorithms are not suitable for resource-constrained devices and, similarly, are not supported in a distributed computing environment. Symmetric algorithms, by contrast, execute 3 to 4 orders of magnitude faster than asymmetric cryptography techniques. Authors have used one-way hash chains to safeguard networks against malicious attacks (DoS and resource consumption), both of which are frequent attacks in MANET. The working of the hash function is described in the following.

A one-way hash function is built using a hash function \(h\), which maps a variable-length input to a fixed-length string:

$$h:\left( {0,1} \right)^{*} \to \left( {0,1} \right)^{\alpha }$$
(8)

where \(\alpha\) is the output length of the hash function (in bits), e.g. SHA-1 and MD-5. The most important properties of the hash function \(h\) are as follows:

  • \(h\) accepts an input of any packet size (the output has a fixed size)

  • It is very simple to compute \(h\) for an input \(O\)

  • It uses the one-way property in producing \(h\left( O \right)\)

  • \(h\left( O \right)\) always has the collision-free property, since it does not give an identical outcome for 2 or more inputs.

To apply the one-way hash function, a mobile node chooses a random value \(r \in \left( {0,1} \right)^{\alpha }\) and uses it to calculate the list of values \(({\text{H}}_{0}, {\text{H}}_{1}, {\text{H}}_{2}, {\text{H}}_{3}, \ldots, {\text{H}}_{n})\), where \({\text{H}}_{0} = r\) and \({\text{H}}_{i} = h({\text{H}}_{i - 1} )\) for \(0 < i \le n\). For hashing, we used SHA-256. The hash function for node \(i\) is therefore computed as follows.

$$h_{i} = \left\langle {B, U - ID, LA, LO} \right\rangle$$
(9)

where \(h_{i}\) is the hash function for authenticating node \(i\) to the TA, \(B\) is the biometric (finger vein), U-ID is the user identifier, and LA and LO are the latitude and longitude. Finger vein is one of the unique biometrics considered for authentication purposes. We extract features from the user's finger vein and process them for hash generation.
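The chain construction above, together with one way a trusted authority could consume it, as an added example that is not the paper's code. Revealing values in reverse order and checking each with one hash is the usual way a one-way chain is used for authentication and is assumed here; `TrustedAuthority`, `registration_digest`, the length-prefixed field encoding and the sample identity are hypothetical or constructed.

```python
import hashlib
import hmac
import secrets

ALPHA_BYTES = 32  # alpha = 256 bits, the SHA-256 output length


def h(data):
    """One-way function h of Eq. (8), instantiated with SHA-256."""
    return hashlib.sha256(data).digest()


def build_chain(r, n):
    """Return [H_0, ..., H_n] with H_0 = r and H_i = h(H_{i-1})."""
    chain = [r]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


def registration_digest(biometric, u_id, lat, lon):
    """Hash the Eq. (9) tuple <B, U-ID, LA, LO>.

    Length-prefixing each field is an assumed encoding; it stops two
    different tuples from serialising to the same bytes.
    """
    fields = [biometric, u_id.encode(), lat.encode(), lon.encode()]
    return h(b"".join(len(f).to_bytes(4, "big") + f for f in fields))


class TrustedAuthority:
    """Verifier (hypothetical class): keeps one chain value per node."""

    def __init__(self, max_gap=4):
        self.last = {}          # registration digest -> last accepted H_j
        self.max_gap = max_gap  # lost tokens tolerated between two accepts

    def register(self, node, anchor):
        self.last[node] = anchor  # anchor is H_n, sent once at registration

    def verify(self, node, token):
        expected = self.last.get(node)
        if expected is None or len(token) != ALPHA_BYTES:
            return False
        candidate = token
        for _ in range(self.max_gap):
            candidate = h(candidate)
            if hmac.compare_digest(candidate, expected):
                self.last[node] = token  # advance: older values now fail
                return True
        return False


def demo():
    chain = build_chain(secrets.token_bytes(ALPHA_BYTES), 6)
    # Constructed sample identity; not real biometric data.
    node = registration_digest(b"vein-template-sample", "U-0001", "12.97", "77.59")
    ta = TrustedAuthority()
    ta.register(node, chain[6])
    return {
        "fresh": ta.verify(node, chain[5]),       # h(H_5) == H_6
        "replayed": ta.verify(node, chain[5]),    # H_5 is already spent
        "after_loss": ta.verify(node, chain[3]),  # H_4 was lost in transit
        "stale": ta.verify(node, chain[4]),       # older than last accepted
        "forged": ta.verify(node, secrets.token_bytes(ALPHA_BYTES)),
    }


if __name__ == "__main__":
    print(demo())
```

The TA stores only the most recently accepted value, so a captured token cannot be replayed. SHA-256 is used as the text states; MD-5 and SHA-1, named earlier as examples of \(h\), have known practical collision attacks.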

5 Experimental Results

In this section, we describe the experiments conducted on the proposed scheme to evaluate its performance. We used the NSL-KDD dataset for testing the performance. We then present the definition of each evaluation metric. Finally, we compare the performance of the proposed scheme with other well-known previous works.

5.1 Experiment Settings

Our proposed scheme is implemented in the NS3 simulation environment running on Ubuntu OS. Zhang [41] and Feng et al. [36] have tested the NSL-KDD dataset in MANET using NS3 (version 3.26).

In this paper we consider a similar simulation environment for testing the dataset with various security attacks. Initially, we deploy 50 mobile nodes randomly in a 1000 m × 1000 m simulation area. The simulation parameters used in this paper are listed in Table 2. Figure 6 shows the simulation environment for mobile nodes deployed in a certain region. Figure 7a shows the result for intrusion prevention in the trusted authority using the one-way hash function, and Fig. 7b shows the mobile nodes' connection. Figure 8 illustrates the data transmission between mobile nodes, and finally Fig. 9 shows the tested dataset, i.e. the NSL-KDD dataset considered during simulation (KDDTest.arff and KDDTrain.arff files) (Table 3).

Table 2 Simulation parameters in NS3 environment

Fig. 6 Simulation environment for MANET

Fig. 7 a Intrusion prevention result and b nodes connection

Fig. 8 Data transmission among nodes

Fig. 9 NSL-KDD dataset

Table 3 Neural network parameter set

5.1.1 NSL-KDD Dataset Description

NSL-KDD is an extended version of a dataset created for intrusion detection. It limits the problems of the KDD Cup 99 dataset. The major limitation of KDD Cup 99 is redundancy and duplicate copies of information, i.e. 78% for the training set and 75% for the testing set. Another limitation is the non-uniform distribution of target classes, which causes poor classification results. We tested all features of the dataset to classify attacks. Four classes of attacks are present in the NSL-KDD dataset, as follows:

  • Denial of Service (DoS): This type of attacker invokes several operations such as targeting memory resources or restricting authorized users' access, e.g. SYN flood.

  • Remote to Local (R2L): This type of attacker is able to forward packets to adjacent legitimate nodes without the knowledge of the particular node, e.g. remote buffer overflow and password guessing attacks.

  • User to Root (U2R): This type of attacker has permission to use legitimate nodes and then exploits certain threats to gain super user access, e.g. local buffer overflow attacks.

  • Probing: This type of attacker collects data about the entire network in order to mount several security threats, e.g. port scanning attack.

The list of features of the NSL-KDD dataset by type (continuous and discrete) is given in Table 4.

Table 4 NSL-KDD dataset description

Of the 41 features, 38 are numeric and 3 are non-numeric (protocol type, service type and flag). In addition, features 1–10 are basic features, 11–22 are content features and 23–41 are traffic features, with 1 class label for each entry, as illustrated in Table 4. Each entry in the dataset consists of 41 packet features; the details of the attacks and the total number of attacks for each class are listed in Table 5. Table 6 lists the attack types for the four classes over the 41 features. Our testing set includes particular attack types that do not appear in the training set, which is intended to give a more theoretical and realistic simulation for intrusion detection.

Table 5 Total number of attacks
Table 6 Type of attacks for attack classes

5.2 Evaluation Measures

In this section we present the evaluation measures of the proposed model. The following performance metrics are considered for evaluation.

  (a) Accuracy: It is one of the important performance metrics for evaluating an intrusion detection system. It is defined as the number of packets classified correctly relative to the total number of packets sent. It is written as:

    $$Accuracy = \frac{TP + TN}{TP + FP + FN + TN}$$
    (10)

    where TP is the true positive, TN is the true negative, FP is the false positive and FN is the false negative.

  (b) Attack Detection Rate: It is computed as the rate of TP, defined as the number of packets correctly classified as anomalous relative to the total number of packets sent.

    $$ADR = \frac{\# of\,detected\,attacks}{\# of\,attacks} \times 100\%$$
    (11)

    (or)

    $$ADR = TPR = \frac{TP}{TP + FN}$$
    (12)

  (c) False Positive Rate: It is calculated as the number of packets wrongly classified as anomalous relative to the total number of packets sent.

    $$FPR = \frac{\# of\,misclassified\,processes}{\# of\,normal\,processes} \times 100\%$$
    (13)

  (d) Detection Delay: It is the total time taken to detect an attack in packets, from the starting time to the ending time.

    $$DD = AD_{ST} - AD_{ET}$$
    (14)

    In the following we discuss QoS metrics in MANET, since QoS is one of the emerging issues in MANET that must be addressed in intrusion detection.

  (e) Packet Delivery Ratio: It is defined as the ratio of packets delivered successfully to the destination in the network to the total number of packets sent from the source node.

    $$PDR = \frac{Num. of\,packets\,delivered\,successfully}{Num.of\,packets\,sent} \times 100$$
    (15)

  (f) Throughput: In MANET, packets are delivered over certain physical/logical links and are forwarded through certain adjacent nodes. Throughput is estimated in bits per second (bit/s or bps), or can be measured in data packets per second or per time slot.

    $$Throughput = \mathop \sum \limits_{i = 1}^{n} NPR/ \mathop \sum \limits_{i = 1}^{n} NPS \times Num\_H$$
    (16)

    where \(NPR\) is the number of packets received, \(NPS\) is the number of packets sent, and \(Num\_H\) is the number of hops.

  (g) Energy Consumption: It is a necessary metric for delivering one packet in each iteration. The energy consumption (EC) in each node is given as follows.

    $$EC = E_{Adv} + E_{Dis} + E_{Syn} + E_{Res}$$
    (17)

    where \(E_{Adv}\) is the energy consumption rate for advertising packets, \(E_{Dis}\) is the energy consumption rate for discovering packets, \(E_{Syn}\) is the energy consumption rate for synchronizing packets, and \(E_{Res}\) is the energy consumption rate for responding to packets.
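Equations (10), (12) and (13) computed from labelled predictions over the five NSL-KDD classes, as an added example that is not the paper's code. The label set is constructed with an NSL-KDD-like class imbalance, and the per-class detection rate is an addition beyond the paper's formulas, included to show how a high overall accuracy can hide a missed rare class.

```python
from collections import Counter

ATTACK_CLASSES = ("dos", "probe", "r2l", "u2r")


def binary_counts(pairs):
    """Collapse (true, predicted) labels to attack-vs-normal TP/TN/FP/FN."""
    c = Counter()
    for true, pred in pairs:
        is_attack, flagged = true != "normal", pred != "normal"
        if is_attack and flagged:
            c["TP"] += 1
        elif is_attack:
            c["FN"] += 1
        elif flagged:
            c["FP"] += 1
        else:
            c["TN"] += 1
    return c


def ratio(num, den):
    """Division that returns 0.0 for an empty class instead of raising."""
    return num / den if den else 0.0


def evaluate(pairs):
    c = binary_counts(pairs)
    per_class = {}
    for cls in ATTACK_CLASSES:
        total = sum(1 for t, _ in pairs if t == cls)
        hit = sum(1 for t, p in pairs if t == cls and p == cls)
        per_class[cls] = ratio(hit, total)
    return {
        "accuracy": ratio(c["TP"] + c["TN"], sum(c.values())),  # Eq. (10)
        "adr": ratio(c["TP"], c["TP"] + c["FN"]),               # Eq. (12)
        "fpr": ratio(c["FP"], c["FP"] + c["TN"]),               # Eq. (13)
        "per_class_adr": per_class,
    }


def constructed_sample():
    """Constructed (true, predicted, count) rows; not NSL-KDD results."""
    spec = [("normal", "normal", 96), ("normal", "dos", 4),
            ("dos", "dos", 59), ("dos", "normal", 1),
            ("probe", "probe", 28), ("probe", "normal", 2),
            ("r2l", "r2l", 5), ("r2l", "normal", 3),
            ("u2r", "normal", 2)]
    return [(t, p) for t, p, n in spec for _ in range(n)]


if __name__ == "__main__":
    print(evaluate(constructed_sample()))
```

On this constructed sample the overall accuracy is 94% while no U2R record is detected, which is why per-class rates are worth reporting next to the aggregate figures.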

5.3 Comparative Study

In this section, we compare our proposed SA-IDPS model with well-known previous works to show that our proposed model is efficient in terms of intrusion detection and QoS-based metrics. The comparison is made with the following four previous works: Elwahsh et al. [33], Vimala et al. [34], Kavitha et al. [35], and Feng et al. [36].

Table 7 shows a theoretical comparison of previous works based on their advantages and limitations. To overcome the limitations of previous works, in this paper we propose a smart approach for intrusion detection and prevention. Table 8 shows the advantages of our proposed model.

Table 7 Summary of the state-of-the-art approaches
Table 8 Advantages of the proposed model

5.3.1 Results and Discussion

In this section we discuss the experiment results for the proposed model and the previous works, namely Elwahsh et al. [33], Vimala et al. [34], Kavitha et al. [35], and Feng et al. [36]. The graphs plotted for comparison and investigation follow.

5.3.1.1 Effectiveness for Accuracy

The accuracy of the proposed intrusion detection and prevention model and its comparison with previous works are depicted in Fig. 10.

Fig. 10 Results for accuracy

Figure 10 shows the comparison of accuracy with respect to the number of attacks for the proposed model and four well-known previous works. From this graph, we can see that our proposed model has higher accuracy than the four previous works. These provide poor results in the presence of intruders such as DoS, U2R, R2L, and probe. Preprocessing, feature extraction and classification are essential steps for intrusion detection, and with them trust management in MANET can be improved and the network preserved from intrusions. Previous works failed to propose effective algorithms for these steps. Experimental results demonstrate that our proposed smart approach provides effective results on both frequent and rare attacks through the use of historical table management and efficacious preprocessing, feature extraction and classification steps. Hence, it can determine any kind of security attack in MANET, and we conclude that our proposed SA-IDPS model is more secure and better protected from intruders than previous works.

5.3.1.2 Effectiveness for ADR

In this paper, we proposed a new combination of algorithms for classifying packets in different aspects. We first classify a packet as normal or attack. If the packet is an attack, we then identify whether the attack is frequent or rare. Figure 11 indicates the performance of ADR with respect to the number of attacks.

Fig. 11 Results for ADR

We compare our proposed model with previous works in a MANET environment. ADR can vary according to the number of packets and the number of nodes that arrive in the network. Our proposed model reaches a high detection rate for any type of class (normal/attack). The average ADR is 99.4%, which is relatively higher than the previous works, such as 97.5%, 94.52%, 98.36%, and 97.86% for Elwahsh et al. [33], Vimala et al. [34], Kavitha et al. [35], and Feng et al. [36], respectively. In this paper, we invoke a trusted authority (one-way hash function) for intrusion prevention, which restricts the access of malicious nodes. It helps to improve ADR in the presence of attackers. In previous works, legitimate nodes can be easily compromised by intruders, who then obtain packets and have full rights to access the system.

5.3.1.3 Effectiveness for FPR

In general, a false positive is an outcome (event) incorrectly identified by the intrusion detection system as an intrusion when no malicious activity has occurred. Therefore, the objective for FPR is to minimize these wrong identifications made by assumption. Such incorrect predictions occurred much more often in previous works. Hence an optimum set of features must be taken into account for intrusion detection. Previous works fail on this constraint. The experiment results for FPR show that the proposed model leads to a minimal FPR compared to previous works. This is due to the proper optimization of features for classification using Mutual Information, through which we can accurately obtain the optimum set of features for intrusion detection (Fig. 12).

Fig. 12 Results for FPR

5.3.1.4 Effectiveness for Detection Delay

Detection delay is important when designing intrusion detection, since timely detection of attacks may protect the network from abnormal activities and loss. Our proposed model considers this criterion in developing intrusion detection, and it is suitable for real-world applications.

Figure 13 indicates the performance comparison of detection delay for the proposed and previous works. Detection delay is a negative indicator, which must be low to show that the system has achieved high performance. The graph clearly shows that as the number of nodes increases, the detection delay also increases. In this graph, we show the scalability achieved by our proposed model in a MANET environment. The average detection delay for the proposed model is 0.09 s, and the previous works took 0.118 s, 0.3 s, 0.2 s, and 0.54 s for Elwahsh et al. [33], Vimala et al. [34], Kavitha et al. [35], and Feng et al. [36], respectively.

Fig. 13 Results for detection delay

5.3.1.5 Effectiveness for PDR

PDR is the most significant metric for improving QoS in a MANET environment. In this paper we focus on this metric for intrusion detection. When the most trusted node in the network is selected, we can achieve high PDR. Hence in this paper we use a historical table to store node behavior, which is updated on the basis of a time interval. The graphical representation of PDR with respect to the number of nodes is depicted in Fig. 14. Typically, as the number of nodes increases, the PDR gradually decreases. The graphical results illustrate that the PDR of our proposed model decreases only minimally, i.e. from 100 to 90% only. When we performed the simulation for previous works, only Feng et al. [36] obtained a better PDR than the others, because they deployed a packet capturing tool, named a plug and play device, which improves the number of packets transmitted to the destination node. Our proposed model obtained an average PDR of 96% for 50 nodes, which is higher than previous works.

Fig. 14 Results for PDR

5.3.1.6 Effectiveness for Throughput

Throughput is defined as the successful packet transmission rate, which we compare with previous works. It is a positive indicator, so it must be higher to show that the system has obtained better performance. Figure 15 shows the result for throughput with respect to the number of nodes.

Fig. 15 Results for throughput

In previous work [36], the authors proposed a DNN for DDoS attack detection, which results in higher throughput and is the best of the existing works when compared with our proposed model. We combine DNN with the BOAT and ART algorithms for effective classification. In the other previous works, throughput decreases, and they are not suitable for intrusion detection in a large-scale network environment. Experiment results show that the proposed model obtained an average throughput of 220 kbps, which is higher than previous works.

5.3.1.7 Effectiveness of EC

Considering energy in order to obtain better QoS in intrusion detection is a significant part of this paper, because mobile devices are resource constrained. We reduce the rate of energy consumption by proposing a novel, hybrid algorithm. We show the EC results for the proposed model and previous works in Fig. 16. From the experiment results, it is clear that the proposed model requires the minimum amount of energy to perform the intrusion detection operation. In this paper we proposed a one-way hash function for authenticating users to the trusted authority. The intrusion detection engine is faster in replying to a node as to whether the currently received packet is normal or an attack. For this we proposed normalization, feature extraction, a packet analyzer and an effective classification operation.

Fig. 16 Results for EC

The average rate of EC for the proposed model is 50 joules, which is lower than previous works.

Table 9 gives the average comparison for the proposed model and previous works in terms of accuracy, ADR, DD, FPR, PDR, throughput and EC. Finally, the experimental results show that our proposed model is more efficient and accurate in both intrusion detection and prevention in MANET.

Table 9 Numerical comparison results (average)

6 Conclusion and Future Work

Security concerns in MANET open up space for researchers to extend their research from traditional to new schemes. Compared with traditional approaches, security in MANET raises further research issues for IDPS. Hence we focused on previous MANET IDPS and identified research gaps including poor scalability, inadequate QoS, access control against unauthorized access, and avoiding the compromise of legitimate nodes. In this paper, we presented a new approach called SA-IDPS in MANET. SA-IDPS mobile nodes are deployed in a specific region. We registered each mobile node with the TA by biometric, U-ID, and latitude and longitude. A one-way hash chain is applied here, and hence intrusions are prevented. In intrusion detection, the packet analyzer helps to determine whether intrusions have occurred; it operates using T2FC and packet header information. Data normalization and encoding are performed in the preprocessing unit. In the feature extraction unit, an optimum set of features is extracted and gathered for the next step, i.e. classification. BOAT with ANN helps us to improve the attack detection rate and minimize the false alarm rate. If a classified packet is identified as an attack packet, it is further classified as a frequent or rare attack, which is implemented using ART. Experimental results have proved that the proposed SA-IDPS meets the security required in MANET and mitigates four different attacks: DoS, Probe, U2R, and R2L. In future we plan to work on other new security attacks in MANET and also to test on a large real-world dataset.