In this paper, we present two intrusion detection techniques for mobile ad-hoc networks, which use collaborative efforts of nodes in a neighborhood to detect a malicious node in that neighborhood. The first technique is designed for detection of malicious nodes in a neighborhood of nodes in which ea
A distributed intrusion detection system for resource-constrained devices in ad-hoc networks
Scribed by Adrian P. Lauf; Richard A. Peters; William H. Robinson
- Publisher: Elsevier Science
- Year: 2010
- Tongue: English
- Weight: 848 KB
- Volume: 8
- Category: Article
- ISSN: 1570-8705
Synopsis
This paper describes the design and implementation of a two-stage intrusion detection system (IDS) for use with mobile ad-hoc networks. Our anomaly-based intrusion detection is provided by analyzing the context from the application-level interactions of networked nodes; each interaction corresponds to a specific function or behavior within the operational scenario of the network. A static set of behaviors is determined offline, and these behaviors are tracked dynamically during the operation of the network. During the first stage of the IDS, our detection strategy employs the analysis of global and local maxima in the probability density functions of the behaviors to isolate deviance at the granularity of a single node. This stage is used to capture the typical behavior of the network. The first stage also provides tuning and calibration for the second stage. During the second stage, a cross-correlative component is used to detect multiple threats simultaneously. Our approach distributes the IDS among all connected network nodes, allowing each node to identify potential threats individually. The combined result can detect deviant nodes in a scalable manner and can operate in the presence of a density of deviant nodes approaching 22%. Computational requirements are reduced to adapt optimally to embedded devices on an ad-hoc network.
SIMILAR VOLUMES
Characteristics of Mobile Ad hoc Networks such as shared broadcast channel, bandwidth and battery power limitations, highly dynamic topology, and location dependent errors, make provisioning of quality of service (QoS) in such networks very difficult. The Medium Access Control (MAC) layer plays a ve