Detecting critical nodes for MANET intrusion detection systems

Ad hoc routing protocols have been designed to efficiently reroute traffic when confronted with network congestion, faulty nodes, and dynamically changing topologies. The common design goal of reactive, proactive, and hybrid ad hoc routing protocols is to faithfully route packets from a source node to a destination node while maintaining a satisfactory level of service in a resource-constrained environment. Detecting malicious nodes in an open ad hoc network in which participating nodes have no previous security associations presents a number of challenges not faced by traditional wired networks. Traffic monitoring in wired networks is usually performed at switches, routers and gateways, but an ad hoc network does not have these types of network elements where the intrusion detection system (IDS) can collect and analyze audit data for the entire network. A number of neighbor-monitoring, trust-building, and cluster-based voting schemes have been proposed in the research to enable the detection and reporting of malicious activity in ad hoc networks. The resources consumed by ad hoc network member nodes to monitor, detect, report, and diagnose malicious activity, however, may be greater than simply rerouting packets through a different available path. This paper presents a method for determining conditions under which critical nodes should be monitored, describes the details of a critical node test implementation, presents experimental results, and offers a new approach for conserving the limited resources of an ad hoc network IDS.