A mobile ad-hoc network (MANET) is a communication network formed among a plurality of computer nodes that do not have a fixed location and are movable. These computer nodes can be located on moving vehicles, e.g., buses, trucks, tanks, or airplanes, or can be small devices that are carried by civilians, soldiers or animals. A MANET is formed without any hierarchy for central control and coordination and is intended to facilitate communication among the nodes contained in the MANET. These nodes do not necessarily have any other infrastructure support. For example, ten employees of a single company meet at an airport, and the mobile devices carried by each employee, i.e., laptop computers, cellular phones and personal digital assistants, constitute the nodes of a MANET among the ten employees. This MANET does not use the infrastructure provided by the airport, e.g., a broadcast WIFI system. A reason for not using the infrastructure could be security concerns or corporate requirements that employees do not use such public networks. Similarly, a convoy contains a plurality of vehicles moving in an isolated region, and each vehicle contains an on-board computer that is one of the nodes of a MANET that facilitates communication among the convoy vehicles. The MANET reforms itself as vehicles in the convoy shift their positions relative to each other.
Although a MANET provides important functions and is valuable in many cases, the MANET is more susceptible to security attacks and vulnerabilities. Because the nodes cannot rely on a fixed infrastructure, the presence of a corrupted or malicious node in the MANET can cause serious problems for the secure operation of the other nodes. Several attempts have been made to address the issue of secure operation of a MANET. The current state of the art in MANET security uses intrusion detection systems. These intrusion detection systems identify the statistical properties of the expected pattern of communication among the nodes in the MANET. The expected pattern of statistical properties can be described using a state transition model and intrusion detection is based on detecting statistical anomalies in expected behavior of the system. Statistical models that use a notion of normal behavior and detection of aberrant behavior can identify potentially malicious nodes. Some current MANET systems also associate concepts of trust and reputation with various nodes in the network. Therefore, improperly behaving nodes in the MANET receive a bad associated reputation and can be excluded from the network.
While statistical analysis is a reasonable approach to follow for detecting malicious behavior in a MANET, statistical analysis suffers from several limitations. Because a MANET is constantly reforming, a good baseline, which can define the usual operating pattern for any node, can be difficult to establish. Due to rapid changes in the state of the network, a large number of false positives can be generated, in which perfectly normal nodes are characterized as malicious. The problem with false positives is significant in wired networks with fixed topology using the same approach and becomes even more acute in a MANET. Therefore, better schemes are needed to identify malicious behavior in a MANET. These schemes would produce a significantly lower number of false positives than methods based on statistical analysis of usage patterns.
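The baseline problem described above can be seen in a small state-transition anomaly detector. This is an added example, not part of the original text: the activity states, the three traces, the window size and the threshold rule (twice the worst baseline score) are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

STATES = ("IDLE", "SEND", "RECV", "FWD")  # constructed per-node activity states
WINDOW = 9                                # observations per scored window

def train(seq, alpha=1.0):
    """Learn a first-order state transition model with Laplace smoothing."""
    counts = defaultdict(Counter)
    for a, b in zip(seq, seq[1:]):
        counts[a][b] += 1
    model = {}
    for a in STATES:
        total = sum(counts[a].values()) + alpha * len(STATES)
        model[a] = {b: (counts[a][b] + alpha) / total for b in STATES}
    return model

def score(model, seq):
    """Mean negative log-likelihood per transition; higher is more anomalous."""
    pairs = list(zip(seq, seq[1:]))
    return -sum(math.log(model[a][b]) for a, b in pairs) / len(pairs)

def calibrate(model, baseline, margin=2.0):
    """Threshold = margin x worst score seen on the baseline (assumed rule)."""
    wins = [baseline[i:i + WINDOW] for i in range(0, len(baseline) - WINDOW + 1, WINDOW)]
    return margin * max(score(model, w) for w in wins)

def is_anomalous(model, threshold, seq):
    """True when the window is less likely under the model than the threshold allows."""
    return score(model, seq) > threshold

# Constructed traces. Baseline: a node at the edge of the network that only
# originates and receives its own traffic.
BASELINE = ["IDLE", "SEND", "RECV"] * 30
# The same honest node after the topology reforms and it becomes a relay.
RELAY = ["RECV", "FWD", "RECV", "FWD", "IDLE", "SEND", "RECV", "FWD", "IDLE"]
# A misbehaving node that transmits continuously.
FLOOD = ["SEND"] * WINDOW

MODEL = train(BASELINE)
THRESHOLD = calibrate(MODEL, BASELINE)

if __name__ == "__main__":
    for name, trace in (("baseline", BASELINE[:WINDOW]), ("relay", RELAY), ("flood", FLOOD)):
        print(f"{name:8s} score={score(MODEL, trace):.3f} "
              f"flagged={is_anomalous(MODEL, THRESHOLD, trace)}")
```

The honest relay and the flooding node are both flagged: the model learned before the topology changed cannot tell a new forwarding role from misbehavior, which is the false-positive case the passage describes.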