Novel Intrusion Detection and Prevention for Mobile Ad Hoc Networks


Novel techniques to counter a set of active attacks, such as denial-of-service (DoS), probe, vampire, and user-to-root (U2R) attacks, in a mobile ad hoc network (MANET) environment are presented for single-attack and multiattack scenarios. The work aims at overcoming the limitations and weaknesses of the existing IDSs. The proposed IDS incorporates a novel random walk-based IDS architecture as well as a multilayer, specification-based detection engine. Attacks are detected using a profile (behaviour) analysis for single attacks and a distributed trust for multiattacks. A standard ad hoc on-demand distance vector (AODV) routing protocol has been used in a Network Simulator 2 (NS2) environment. We report a maximum accuracy of 87.75% for a single attack and 90.95% for a multiattack scenario. The proposed solution does not belong to any of the existing intrusion detection approaches, since it relies on a set of robust, self-contained Random Walk Detectors (RWDs), which may freely move from node to node and randomly traverse a network, while monitoring each visited node for malicious behaviour. RWDs exhibit a number of benefits including locality, simplicity, low overhead, and robustness to changes in topology. Moreover, the multilayer, specification-based engine monitors the transport, network and data link layers of the protocol stack, providing an integrated solution capable of detecting the majority of security attacks occurring in MANETs.


The IDS does not require the use of comprehensive detection engines at each network node, like the cooperative architectures, or any static structure like the hierarchical architectures. It consists of several robust RWDs that randomly traverse a network, while monitoring each visited node for malicious behaviour. The number of RWDs on the network is scalable, in order to cope with changes in the network topology, and thus RWDs may replicate or merge. A Random Walker (RW) is a stochastic process, which represents a path of random successive steps. RWs can be applied to graphs, in which a RW process begins at a node on a graph and takes random successive steps to adjacent nodes. Thus, a RW can be seen as a method to randomly explore a graph. RWs have a wide range of applications in computer science, physics, statistics, economics, and several other fields. In communication networks, RW algorithms exhibit simplicity, low overhead, reliance only on local information, and robustness to changes in a graph structure, and thus applications based on them are becoming more and more popular. The two key advantages of RWs are: (i) they are inherently robust and scalable to network topology changes, since they do not require knowledge or state maintenance for the network structure; and (ii) they produce little overhead. For these reasons, they are particularly suitable in MANETs, where: (i) the network topology changes over time, since nodes move around the network bounds or join and leave dynamically without centralized control; and (ii) node resources are typically scarce. Therefore, the advantages of RWs can be used to address the previously mentioned limitations of the existing IDS architectures for MANETs. Currently, RWs find a plethora of applications in the context of MANETs, such as querying, service discovery, routing, service advertisement, searching, sampling, etc. However, to the best of our knowledge, they have not been proposed to support intrusion detection for MANETs.
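The random-walk traversal described above can be simulated in a few lines. The following is an added example, not code from the project: the ring topology, the link events, and the names ring, apply_link_events and rwd_patrol are assumptions made for illustration. Each RWD picks its next hop from the current neighbour set only, so a link that breaks or appears mid-run needs no state update in the walker.

```python
import random

def ring(n):
    """Constructed sample topology: n nodes, each linked to its two neighbours."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}

def apply_link_events(adjacency, events):
    """Apply ("add"|"drop", a, b) link events caused by node mobility."""
    for op, a, b in events:
        if op == "drop":
            adjacency[a].discard(b)
            adjacency[b].discard(a)
        else:
            adjacency[a].add(b)
            adjacency[b].add(a)

def rwd_patrol(adjacency, starts, link_events=None, seed=1, max_steps=10_000):
    """Walk every RWD one random hop per step until all nodes were visited.

    Returns (steps, visited, hops); hops records (step, from_node, to_node).
    """
    rng = random.Random(seed)          # seeded so the run is reproducible
    positions, visited, hops = list(starts), set(starts), []
    link_events = link_events or {}
    for step in range(1, max_steps + 1):
        apply_link_events(adjacency, link_events.get(step, []))
        for i, here in enumerate(positions):
            neighbours = sorted(adjacency[here])   # local knowledge only
            if not neighbours:                     # isolated node: wait a step
                continue
            positions[i] = rng.choice(neighbours)
            visited.add(positions[i])
            hops.append((step, here, positions[i]))
        if visited == set(adjacency):
            return step, visited, hops
    return max_steps, visited, hops

def demo():
    # Constructed scenario: 8-node ring, two RWDs, link 0-7 breaks at step 3
    # and a new link 0-4 appears at step 5.
    events = {3: [("drop", 0, 7)], 5: [("add", 0, 4)]}
    return rwd_patrol(ring(8), starts=[0, 4], link_events=events)

if __name__ == "__main__":
    steps, visited, _ = demo()
    print(f"all {len(visited)} nodes inspected after {steps} steps")
```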

The proposed RWD is divided into five parts:

i. The migration module that is responsible for the migration process of the RWD to a neighbouring node;

ii. The specification-based detection engine that includes the detection functionality of each RWD;

iii. The replication module that enables the RWD to be replicated;

iv. The response module that is responsible for notifying other nodes regarding malicious behaviours detected and for taking the required defensive action against them; and

v. The docking service module (which is executed in every network node) that monitors for incoming RWDs and is responsible for accepting and establishing a secure connection during the migration process.

The replication, response, and docking modules are pre-installed in every node and utilized when a RWD visits that specific node. This approach alleviates the need for transmitting the full functionality of the IDS, thus reducing the communication overhead of the proposed architecture. On the other hand, the migration and detection modules are transferred during the RWD migration. This is because the first performs the migration process, while the second protects this process from attacks and verifies that the pre-installed modules have not been tampered with. Subsequently, the functionality of each module of the proposed IDS is presented and analyzed.

The proposed detection engine performs detections using a set of specifications, which describe the normal node's operations at different layers, providing an aggregated solution. It monitors the most important protocols that provide end-to-end connectivity, routing, packet forwarding, and link layer connectivity. In order to present the proposed engine, we use a Finite State Machine (FSM). Each state of the FSM corresponds to either a legitimate or malicious behaviour of the monitored node. A transition from one state to another is triggered by the node's operations/actions. Specifications are defined as a tuple (S, NO, S0, δ, F) where S is the set of all possible states; NO is the set of node operations; S0 is the initial state; δ is a function that maps node operations from a previous state to the current state; and F is the set of final states that correspond to malicious behaviours. The proposed multilayer specification-based engine is a set of FSMs designed to monitor the correct operation of critical protocols at the transport, network, and data-link layers.
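The (S, NO, S0, δ, F) tuple maps directly onto a small data structure. The following is an added example, not the project's own engine: the two specifications (an RREQ rate limit for routing and a forward-or-alarm rule for packet forwarding), the limit of 3, and all state and operation names are hypothetical, and the traces are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Specification:
    states: frozenset      # S: all possible states
    operations: frozenset  # NO: node operations
    initial: str           # S0: initial state
    delta: dict            # δ: (previous state, operation) -> current state
    final: frozenset       # F: final states, i.e. malicious behaviours

    def run(self, trace):
        """Return (state, index of the operation that reached F, or None)."""
        state = self.initial
        for i, op in enumerate(trace):
            if op not in self.operations:
                continue                    # operation belongs to another FSM
            state = self.delta.get((state, op), state)
            if state in self.final:
                return state, i
        return state, None

def rreq_rate_spec(limit=3):
    """Hypothetical routing spec: more than `limit` RREQs per window is flooding."""
    counts = [f"SENT_{n}" for n in range(limit + 1)]       # SENT_0 .. SENT_limit
    delta = {(s, "window_expired"): "SENT_0" for s in counts}
    delta.update({(counts[n], "send_rreq"): counts[n + 1] for n in range(limit)})
    delta[(counts[limit], "send_rreq")] = "RREQ_FLOOD"
    return Specification(frozenset(counts + ["RREQ_FLOOD"]),
                         frozenset({"send_rreq", "window_expired"}),
                         "SENT_0", delta, frozenset({"RREQ_FLOOD"}))

def forwarding_spec():
    """Hypothetical forwarding spec: a packet accepted for relay must be forwarded."""
    delta = {("IDLE", "recv_for_relay"): "HOLDING",
             ("HOLDING", "forward"): "IDLE",
             ("HOLDING", "relay_timeout"): "PACKET_DROPPED"}
    return Specification(frozenset({"IDLE", "HOLDING", "PACKET_DROPPED"}),
                         frozenset({"recv_for_relay", "forward", "relay_timeout"}),
                         "IDLE", delta, frozenset({"PACKET_DROPPED"}))

def inspect_node(trace, specs):
    """Run every FSM over one node's operation trace; return the alarms raised."""
    results = {name: spec.run(trace) for name, spec in specs.items()}
    return {name: r for name, r in results.items() if r[1] is not None}

SPECS = {"routing": rreq_rate_spec(limit=3), "forwarding": forwarding_spec()}
# Constructed operation traces of a well-behaved and a misbehaving node.
NORMAL_TRACE = ["send_rreq", "recv_for_relay", "forward", "send_rreq",
                "window_expired", "send_rreq"]
ATTACK_TRACE = ["send_rreq"] * 4 + ["recv_for_relay", "relay_timeout"]
```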


The system does not create points of failure, since detection responsibilities are not concentrated in a specific node or a fixed set of nodes. A possible attack against one or more RWDs does not hinder the detection process in a network, since other RWDs traverse it. It is not vulnerable to man-in-the-middle and blackmail attacks, since RWDs do not exchange audit data and the migration process of a RWD is protected through the use of an encrypted communication channel. Moreover, since the detection tasks of a node are not assigned to other nodes, the proposed IDS does not enable malicious nodes to accuse legitimate nodes of malicious behaviour. Finally, it is not prone to high rates of false alarms.


Single Attack Detection

The proposed system detects the four attacks in MANETs. The detection engine analyzes the behaviour of all the network layers because the probe is found in the transport layer, the DoS in the data link layer, the vampire in the physical layer, and the U2R in the network layer. The detection engine stores the normal profile of each layer and compares it with the data received. If an abnormality is found in any of the layers, then an in-depth check of their behaviour is conducted to detect a particular attack. Two columns are created by the detection engine, the standard column and the anomalous column. The standard column details normal data profiles, defined as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and AODV formats, and the anomalous column contains unusual behaviours.

 Behaviour Table

If the abnormality matches the characteristics of a particular attack, detection of the attack is considered successful. In NS2, packet formats for TCP and UDP are fixed internally. That is, they are specified in the header part of the data packet. In case of a tampered packet, the header part will be missing or will not match the standard TCP, UDP, and AODV formats specified by the engine. We have created separate simulation environments for the detection of each type of attack. The grouping of UDP, TCP, and AODV protocols has been made, as communication in a network is possible with transport, communication, and application layers.


For a 50-node setup, the packet delivery is approximately 50% under attack. The percentage improves after applying the proposed scheme, and the packet delivery reaches up to 90%. Multiple attackers (DoS, probe, vampire, U2R) consume more energy because of flooding and degrade the network performance. The proposed prevention scheme reduces the overall energy consumption of the network. The results in terms of packet delivery and accuracy are promising.


This project has the following modules:

1. Source Node: Data is sent from the source node to the network.


3. Detection Engine: Once the data are passed into a network, they are examined by the detection engine for their profile (behaviour) analysis to identify the type of attack.

4. Profile Analysis: An algorithm for intrusion detection is proposed using profile (behaviour) based analysis. The proposed scheme detects probe, DoS, vampire, and U2R attacks. The average hop count and end-to-end delay are studied.
