Real-time Detection of Distributed Zero-Day Attacks in Ad Hoc Networks

  • James D. Cannady

    Research output: Contribution to journal › Article › peer-review

    Abstract

    Current intrusion detection approaches rely upon previous exposure to an attack sequence before it can be accurately identified in subsequent exposures. Because of this, zero-day attacks, especially those that are distributed in ad hoc environments, are extremely difficult to detect accurately in real time. Due to the potential for damage and exploitation that can be caused by zero-day attacks, accurate and rapid detection is critical. This paper describes a lightweight self-organizing intrusion detection approach that is designed to detect distributed zero-day attacks in mobile ad hoc networks (MANETs). Traditional methods of intrusion detection have limited effectiveness in a MANET, and detection approaches designed for wireless networks are limited to the identification of previously identified and analyzed attacks or of non-specific anomalous activity in the network data stream. The new approach uses a multi-stage modified fuzzy neural network architecture to detect both known and zero-day attacks against the MANET. The distributed detection process occurs in real time and requires the exchange of far less data than current distributed detection approaches. More importantly, it is the first approach that functions within wireless ad hoc networks and is able to recognize new attacks before significant damage can occur to the protected network. This approach was validated experimentally in a controlled environment against several attack scenarios that were modified to preclude detection by existing rule-based and anomaly detection methods.

    Original language: American English
    Journal: Proceedings of the International Conference on Information Warfa
    State: Published - Jan 1 2010

    Keywords

    • Computer security
    • ICIW
    • Information warfare

    Disciplines

    • Computer Sciences
