Application of Forensic Analysis for Intrusion Detection against DDoS Attacks in Mobile Ad Hoc Networks

This paper addresses a specific approach to resolving the problem of intrusion detection against distributed denial of service (DDoS) attacks in mobile ad hoc networks (MANET). The main function of an intrusion detection system (IDS) is to inspect the network for malicious activities, policy violations and security loopholes integrity, and to generate the appropriate reports. Network forensics concerns examining a network for anomalous traffic and identifying intrusions. It is very useful in decreasing probability of reoccurrence of the same intrusion activities. In the first part of the paper, we provide a comprehensive overview of recent advances in network forensics in MANET environment. In the second part of the paper, we propose a model of IDS that uses network forensics to detect DDoS attacks in MANET. The forensic analysis relies on inspecting simultaneous malicious activities of a group of attackers (zombies). Since DDoS attack traffic can appear rather alike to legitimate traffic in the sense of bit rate and packet size, the applied method should minimize the risk of misinterpreting legitimate traffic as attack traffic (false positives). We propose a flexible IDS model and the associated forensic analysis algorithm based on log file inspection. The performance analysis encompasses 100nodes network with Manhattan Grid (MG) mobility model, and different numbers of malicious nodes. The study has been carried out by the network simulator ns-2 and its associated tools for mobility scenario generation, network animation and trace files analysis. Key-Words: Mobile ad hoc network, intrusion detection system, denial of service, network forensics, network simulation