Method and Apparatus for Detection of Malicious Behavior in Mobile Ad-Hoc Networks

US 20090049546A1
Filed: 08/17/2007
Published: 02/19/2009
Est. Priority Date: 08/17/2007
Status: Active Grant

First Claim

Patent Images

1. A method to detect malicious behavior in a mobile ad-hoc network, the method comprising:

establishing a decoy instance of actual node operating software on an actual node in a mobile ad-hoc network; and

monitoring communications involving the decoy instance to identify malicious behavior within the mobile ad-hoc network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for detecting malicious behavior in mobile ad-hoc wireless networks. The mobile ad-hoc network contains a plurality of actual nodes and a plurality of decoys that are derived from the actual nodes using duplicate instances of the operational software of the actual nodes in combination with a virtual interconnection topology created to make the decoys appear as actual nodes within the mobile ad-hoc network. The interconnection topology includes routing characteristics indicating that the most efficient path of communication to any given decoy is through at least one actual node in the network. The decoys are used to identify malicious behavior in the network and in particular to identify attempt to communicate directly with decoys in contradiction to the created interconnection topology. When the malicious behavior is associated with an identifiable node, corrective action is taken that includes quarantining that node from the other nodes in the network.

24 Citations

View as Search Results

20 Claims

1. A method to detect malicious behavior in a mobile ad-hoc network, the method comprising:
- establishing a decoy instance of actual node operating software on an actual node in a mobile ad-hoc network; and
  
  monitoring communications involving the decoy instance to identify malicious behavior within the mobile ad-hoc network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the step of establishing the decoy instance of the operating software further comprises establishing a plurality of decoy instances of the actual node operating software on the actual node.
  - 3. The method of claim 1, wherein the step of establishing the decoy instance further comprises using a hypervisor disposed on the actual node to establish the decoy instance of the operating software.
  - 4. The method of claim 2, further comprising creating a virtual interconnection topology comprising the plurality of decoy instances in the mobile ad-hoc network.
  - 5. The method of claim 4, wherein the step of creating the virtual interconnection topology further comprises creating an appearance of relative motion between two decoy nodes comprising two decoy instances in the plurality of decoy instances.
  - 6. The method of claim 4, wherein the step of creating the virtual interconnection topology further comprises modifying characteristics of the virtual interconnection topology.
  - 7. The method of claim 1, wherein the step of establishing the decoy instance further comprises establishing a communication routing scheme among an external node and the decoy instance in the mobile ad-hoc network such that the most efficient path for the external node to communicate with the decoy passes through a real system instance of the node operating software on the actual node on which the decoy instance is established.
  - 8. The method of claim 1, wherein the step of monitoring communications involving the established decoy instance to identify malicious activity further comprises identifying attempts to communicate with the decoy instance in violation of an established communication routing scheme.
  - 9. The method of claim 1, wherein the step of monitoring communications involving the established decoy to identify malicious behavior further comprises identifying a malicious node within the mobile ad-hoc network that is associated with the malicious behavior.
  - 10. The method of claim 9, further comprising quarantining the identified malicious node, establishing access filters between the identified malicious node and other nodes in the mobile ad-hoc network, associating a reputation with the identified malicious node indicating that the malicious node is not a trusted node or combinations thereof.
  - 11. The method of claim 1, further comprising tracking access to the decoy instance when a new actual node is added to the mobile ad-hoc network.
  - 12. The method of claim 11, wherein the step of tracking access to the decoy instance when a new actual node is added further comprises:
    - communicating actual delay and loss characteristics to the new node for communications between the new node and a real system instance of the node operating software on an actual node in the mobile ad-hoc network; and
      
      communicating modified delay and loss characteristics to the new node for communications between the new node and the decoy instance, the modified delay and loss characteristics comprising an added amount of delay and loss such that the modified delay and loss characteristics exceeds the actual delay and loss characteristics for communications between the new node and the real system instance on the actual node.

13. A method to detect malicious behavior in a mobile ad-hoc network, the method comprising:
- establishing a plurality of decoy instances of the actual node operating software on one of a plurality of actual nodes in a mobile ad-hoc network;
  
  creating a virtual interconnection topology among the plurality of decoy instance and the plurality of actual nodes in the mobile ad-hoc network; and
  
  using the established decoy instances and the virtual interconnection topology to identify malicious behavior within the mobile ad-hoc network.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the virtual interconnection topology comprises communication links to one or more of the decoy instances such that the communication links comprise at least one of a plurality of real system instances on actual nodes, a plurality of decoy instances or at least one real system instance on an actual node and at least one decoy instance.

15. A node in a mobile ad-hoc network comprising:
- at least one real system instance of the operating software for the node;
  
  at least one decoy instance of the operating software;
  
  a topology manager to manage connectivity among external nodes and the decoy instance; and
  
  an access tracker to monitor malicious behavior in the mobile ad-hoc network containing the node.
- View Dependent Claims (16, 17)
- - 16. The node of claim 15, further comprising a plurality of decoy instances of the operating software.
  - 17. The node of claim 16, further comprising a virtual interconnection topology among the decoy instances and the real system instance of the operating software.

18. A computer-readable medium containing a computer-readable code that when read by a computer causes the computer to perform a method to detect malicious behavior in a mobile ad-hoc network, the method comprising:
- establishing a decoy instance of actual node operating software on an actual node in a mobile ad-hoc network; and
  
  monitoring communications involving the decoy instance to identify malicious behavior within the mobile ad-hoc network.
- View Dependent Claims (19, 20)
- - 19. The computer-readable medium of claim 18, whereinthe step of establishing the decoy instance of the operating software further comprises establishing a plurality of decoy instance of the actual node operating software on the actual node.
  - 20. The computer-readable medium of claim 19, wherein the method further comprises creating a virtual interconnection topology comprising the plurality of decoy instances in the mobile ad-hoc network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Verma, Dinesh

Granted Patent

US 8,122,505 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 41/122   of virtualised topologies, ...

H04L 43/0817   by checking functioning

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 40/246   Connectivity information di...

H04W 84/18   Self-organising networks, e...

Method and Apparatus for Detection of Malicious Behavior in Mobile Ad-Hoc Networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Detection of Malicious Behavior in Mobile Ad-Hoc Networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links