An Analysis of Monitoring Based Intrusion Detection for Ad Hoc Networks
Several intrusion detection techniques proposed for mobile ad hoc networks rely on each node passively monitoring the data forwarding by its next hop. This paper presents quantitative evaluations of false positives and their impact on monitoring based intrusion detection for ad hoc networks. Experimental results show that even for a simple 3-node configuration, an actual ad hoc network suffers from high false positives; these results are validated by a Markov model. However, this false positive problem cannot be observed by simulating the same network using popular ad hoc network simulators such as ns- 2, OPNET or Glomosim with default noise models.