Intrusion Detection in Mobile Ad Hoc Networks Using Classification Algorithms

In this paper we present the design and evaluation of intrusion detection models for MANETs using supervised classification algorithms. Specifically, we evaluate the performance of the MultiLayer Perceptron (MLP), the Linear classifier, the Gaussian Mixture Model (GMM), the Naive Bayes classifier and the Support Vector Machine (SVM). The performance of the classification algorithms is evaluated under different traffic conditions and mobility patterns for the Black Hole, Forging, Packet Dropping, and Flooding attacks. The results indicate that Support Vector Machines exhibit high accuracy for almost all simulated attacks and that Packet Dropping is the hardest attack to detect.

💡 Research Summary

This paper investigates the use of supervised classification algorithms for intrusion detection in Mobile Ad‑Hoc Networks (MANETs). The authors evaluate five well‑known classifiers—Multi‑Layer Perceptron (MLP), a simple Linear classifier, Gaussian Mixture Model (GMM), Naïve Bayes, and Support Vector Machine (SVM)—under a comprehensive set of experimental conditions. The study focuses on four representative attacks that target the AODV routing protocol: Black Hole, Forging, Packet Dropping, and Flooding.

Methodology
The authors first define a set of eight network‑layer features that can be extracted locally at each node: numbers of RREQ and RREP packets sent/received, numbers of RERR packets sent/received, the count of one‑hop neighbors, the percentage of routing‑table changes (PCR), and the percentage of hop‑count changes (PCH). These features capture both traffic volume and routing dynamics, providing a clear statistical contrast between normal operation and malicious behavior.

A simulation environment built on the GloMoSim library models a 50‑node MANET deployed over an 850 × 850 m² area. Nodes use the AODV routing protocol, move according to a random‑way‑point model with speeds ranging from 0 to 20 m/s, and generate Constant Bit Rate (CBR) traffic. The simulation runs for 700 seconds, with pause times varied (0, 200, 400, 700 s) to emulate different mobility levels. Attack scenarios are injected by having a configurable number of malicious nodes (5, 15, or 25) launch the four attack types.

The classifiers are trained on labeled data collected during a pre‑training phase. Hyper‑parameters for each algorithm (e.g., learning rate and hidden‑layer size for MLP, C and σ for SVM, number of mixture components for GMM) are tuned using a uniform cross‑validation procedure, ensuring a fair comparison. Performance is measured by Detection Rate (DR) and False Alarm (FA) ratio, both computed over independent test sets. The authors also explore the impact of the sampling interval (the period over which statistical features are computed) by testing 5, 10, 15, and 30 second windows.

Results
Across almost all configurations, the SVM with a Gaussian (RBF) kernel achieves the highest detection rates—often exceeding 90 %—while maintaining low false‑alarm rates (typically below 5 %). Its ability to construct non‑linear decision boundaries makes it especially effective against attacks that produce subtle but systematic routing anomalies, such as Black Hole and Flooding.

MLP performs competitively when sufficient training data are available and when hyper‑parameters are carefully chosen, but it is more sensitive to over‑fitting, especially with short sampling intervals. The Linear classifier, while computationally cheap, suffers from low DR (often under 70 %) because many attack patterns are inherently non‑linear. GMM, using diagonal covariance matrices, provides a probabilistic view of class densities; however, its DR hovers around 80 % and degrades as dimensionality grows. Naïve Bayes, relying on the strong independence assumption, yields the poorest results (DR ≈ 65 %, higher FA).

The most challenging attack to detect is Packet Dropping. This attack manipulates routing error messages without dramatically altering traffic volume, leading to feature distributions that overlap heavily with normal behavior. Consequently, all classifiers exhibit reduced DR for this scenario, with SVM still outperforming the others but only achieving ~78 % detection.

Sampling interval analysis reveals a trade‑off: a 5‑second window enables the quickest reaction but introduces higher variance in feature estimates, slightly raising FA. A 30‑second window smooths the statistics, reducing FA but delaying detection by up to half a minute. The authors recommend a 10–15 second interval as a practical compromise for most MANET deployments.

Increasing the number of malicious nodes generally improves DR because the attacks become more pronounced in the aggregated statistics. However, excessive malicious density can cause network congestion, marginally increasing FA. Mobility (as varied by pause time) has a modest effect; higher mobility leads to more frequent routing updates, which can slightly obscure attack signatures but does not dramatically alter overall performance.

Conclusions and Implications
The study demonstrates that, when equipped with appropriate routing‑layer features and a systematic hyper‑parameter tuning process, supervised classifiers can effectively serve as the detection engine of a distributed MANET IDS. Among the evaluated methods, SVM stands out as the most robust across diverse attack types, traffic conditions, and mobility patterns. The findings also highlight the importance of selecting an appropriate sampling interval and of understanding attack‑specific feature signatures.

Future work suggested by the authors includes: (1) implementing the classifiers on resource‑constrained mobile devices to assess computational and energy overhead, (2) exploring online or incremental learning techniques to adapt to evolving attack patterns, and (3) extending the feature set to incorporate cross‑layer information (e.g., MAC‑layer contention metrics) for even finer discrimination.

Overall, the paper provides a thorough, reproducible benchmark for MANET intrusion detection and offers clear guidance for practitioners seeking to deploy machine‑learning‑based IDS in highly dynamic wireless environments.