1
Intrusion Detection Techniques in MANETs and WSNs
  • IEEE Wireless Communications
  • October 2007
  • The University of Alabama; Sghaier Guizani

2
MANET and WSN Constraints
  • Resource constraints
    • Memory
    • Battery
    • CPU power
  • Network constraints
    • Deployed in adverse or hostile environments
    • Ad hoc and wireless; exposed to radio jamming
    • No reliance on a pre-existing network infrastructure
  • Management constraints
    • Usually no centralized authority
    • No base stations (each node acts as a router)

3
IDS - Intrusion Detection System
  • An IDS dynamically monitors the system to detect
    compromises of confidentiality, integrity and
    availability.
  • Three common approaches:
    • Misuse based: matches activity against a stored
      database of known attack signatures; attacks not in
      the database go unnoticed
    • Anomaly based: builds a profile of normal system
      states or user behaviour and flags deviations from
      it; the profile is difficult to build, and node
      mobility keeps changing what "normal" looks like
    • Specification based: detects attacks as deviations
      from a manually written specification of the
      protocol's correct behaviour; the specifications are
      time-consuming to develop

4
IDS - attacks
  • Routing logic compromise
    • Black hole (a node attracts traffic it then drops;
      one step of a man-in-the-middle attack)
    • Routing update storm
  • Traffic distortion
    • Packet dropping, corruption, flooding
  • Identity impersonation

5
Existing Research-1: Huang et al
  • Cross-Feature Analysis: a learning-based method that
    captures the correlation patterns among features.
  • L features: f1, f2, ..., fL
  • fi: a feature characterizing topology or route
    activities
  • Detection is turned into L classification problems:
    • For each i, train a classifier
      Ci: {f1, ..., fi-1, fi+1, ..., fL} -> fi
    • Ci predicts fi accurately under normal circumstances
      and poorly during an attack, because the attack
      breaks the correlations the classifier learned

6
Existing Research-1: Huang et al
- An Illustrative Example (figure not reproduced)
7
Existing Research-1: Huang et al
  • (Ex) Feature vector (Reachable, Delivered, Cached) =
    (True, False, False)
  • Each Ci predicts its feature from the other two, and
    the prediction is compared with the actual value
  • (1) Average Match Count (AMC): fraction of features
    whose predicted value matched the actual one
    -> (1 + 1 + 1) / 3 = 1
  • (2) Average Probability (AP): mean probability the
    classifiers assigned to the actual values
    -> (0.5 + 1.0 + 1.0) / 3 = 0.83
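The AMC and AP computation above, as an added example that is not code from the paper or the slides: a count-based conditional-frequency table stands in for the learned classifiers Ci, the three feature names are the ones on the slide, and the training trace and the attack-like record are constructed for this example (the probabilities it produces differ from the slide's illustrative 0.5/1.0/1.0). The fallback to a marginal distribution for a never-seen feature context and the AP threshold of 0.5 are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed normal-operation trace. Each record is one observation window of the
# hypothetical features (reachable, delivered, cached), standing in for f1..fL.
FEATURES = ("reachable", "delivered", "cached")
NORMAL_TRACE = (
    [(True, True, True)] * 4
    + [(True, True, False)] * 2
    + [(True, False, False)] * 3
    + [(False, False, False)] * 1
)


class CrossFeatureModel:
    """For every feature f_i learn C_i: {f_1..f_{i-1}, f_{i+1}..f_L} -> f_i as a table of
    conditional frequencies (a count-based classifier replaces the paper's learners)."""

    def __init__(self, n_features):
        self.n = n_features
        # conditional[i][context] -> Counter of values f_i took in that context
        self.conditional = [defaultdict(Counter) for _ in range(n_features)]
        # marginal[i] -> Counter of f_i values; used when a context was never seen
        self.marginal = [Counter() for _ in range(n_features)]

    @staticmethod
    def _context(record, i):
        return record[:i] + record[i + 1:]

    def fit(self, records):
        for rec in records:
            for i, value in enumerate(rec):
                self.conditional[i][self._context(rec, i)][value] += 1
                self.marginal[i][value] += 1
        return self

    def predict_proba(self, i, record):
        """Distribution C_i assigns to f_i given the other features of `record`."""
        counts = self.conditional[i].get(self._context(record, i)) or self.marginal[i]
        total = sum(counts.values())
        return {v: c / total for v, c in counts.items()}

    def score(self, record):
        """Return (AMC, AP) for one record: average match count and average probability."""
        matches = 0
        prob_sum = 0.0
        for i, actual in enumerate(record):
            dist = self.predict_proba(i, record)
            predicted = max(dist, key=dist.get)   # most probable value of f_i
            matches += int(predicted == actual)
            prob_sum += dist.get(actual, 0.0)     # 0 if the actual value was never seen here
        return matches / self.n, prob_sum / self.n

    def is_anomalous(self, record, ap_threshold=0.5):
        """Flag a record whose features no longer predict one another (attack-like)."""
        _, ap = self.score(record)
        return ap < ap_threshold


if __name__ == "__main__":
    model = CrossFeatureModel(len(FEATURES)).fit(NORMAL_TRACE)
    for record in [(True, False, False), (False, True, True)]:
        amc, ap = model.score(record)
        print(dict(zip(FEATURES, record)), "AMC=%.2f AP=%.2f" % (amc, ap),
              "anomalous" if model.is_anomalous(record) else "normal")
```

The second record (not reachable, yet delivered and cached) is the attack-like case: the classifiers learned that delivery implies reachability, so the record scores AMC = 1/3 and AP = 1/3 and is flagged, while the first record scores AMC = 1.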

8
Existing Research-2: Marti et al
  • Each node verifies that the next hop forwarded its
    packets correctly (protocol built on DSR - Dynamic
    Source Routing).
  • Two components: Watchdog identifies routing
    misbehaviour, Pathrater responds to it.
  • Routes are rated and the more reliable ones are used.

9
Watchdog
  • A packet is travelling from S to D along the path
    S - A - B - C - D
  • The packet reaches B and B forwards it to C
  • A, listening in promiscuous mode, can overhear this
    transmission and verify that B has attempted to pass
    the packet on to C
  • If A does not overhear the retransmission before a
    timeout, it counts a failure against B; once B's
    failures exceed a threshold, B is reported as
    misbehaving

10
Pathrater
  • Each node maintains a rating for every other node it
    knows about in the network
  • Newly known nodes start at 0.5
  • Increase by 0.01 (per rating interval) for nodes on an
    active route
  • Decrease by 0.05 if a link break is detected and the
    node becomes unreachable during packet relay
  • Assign -100 to nodes reported as misbehaving by the
    watchdog, so that any path through them gets a
    negative metric
  • Calculate a path metric by averaging the node ratings
    in the path, and choose the path with the highest
    metric
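The Watchdog and Pathrater mechanism described on the last two slides, as an added example that is not code from Marti et al or the slides: a watchdog that buffers packets handed to the next hop and counts a failure when the retransmission is not overheard within a timeout, and a pathrater that applies the slide's rating rules and picks the path with the highest mean rating. The failure threshold of 2, the timeout of 1.0 s, the node names and the traffic scenario (B forwards one packet, then drops everything) are assumptions constructed for this example.

```python
from collections import Counter

INITIAL_RATING = 0.5           # rating of a newly discovered node
ACTIVE_ROUTE_INCREMENT = 0.01  # per rating interval, for nodes on an active route
LINK_BREAK_DECREMENT = 0.05    # when a node on a route becomes unreachable
MISBEHAVIOR_RATING = -100.0    # watchdog-reported nodes; makes any path through them negative


class Watchdog:
    """Runs on a forwarding node. After handing a packet to the next hop it keeps the packet
    buffered and waits to overhear that hop retransmit it; packets still buffered after
    `timeout` count as one forwarding failure of that hop."""

    def __init__(self, threshold=2, timeout=1.0):
        self.threshold = threshold
        self.timeout = timeout
        self.pending = {}          # (next_hop, packet_id) -> time the packet was handed over
        self.failures = Counter()  # next_hop -> failures observed so far
        self.flagged = set()

    def sent(self, next_hop, packet_id, now):
        self.pending[(next_hop, packet_id)] = now

    def overheard(self, transmitter, packet_id):
        """Called for every transmission overheard in promiscuous mode."""
        self.pending.pop((transmitter, packet_id), None)

    def tick(self, now):
        """Expire stale buffer entries; return hops newly judged to be misbehaving."""
        newly_flagged = []
        for key in [k for k, t in self.pending.items() if now - t >= self.timeout]:
            next_hop, _ = key
            del self.pending[key]
            self.failures[next_hop] += 1
            if self.failures[next_hop] > self.threshold and next_hop not in self.flagged:
                self.flagged.add(next_hop)
                newly_flagged.append(next_hop)
        return newly_flagged


class Pathrater:
    """Keeps a rating per known node and ranks candidate paths by the mean rating of their nodes."""

    def __init__(self):
        self.ratings = {}

    def rating(self, node):
        return self.ratings.setdefault(node, INITIAL_RATING)

    def active_route_tick(self, path):
        for node in path:
            if self.rating(node) >= 0:      # misbehaving nodes are not rehabilitated by use
                self.ratings[node] += ACTIVE_ROUTE_INCREMENT

    def link_break(self, node):
        self.ratings[node] = self.rating(node) - LINK_BREAK_DECREMENT

    def mark_misbehaving(self, node):
        self.ratings[node] = MISBEHAVIOR_RATING

    def path_metric(self, path):
        """`path` lists the nodes after the source, destination included."""
        return sum(self.rating(n) for n in path) / len(path)

    def choose_path(self, paths):
        return max(paths, key=self.path_metric)


def run_scenario():
    """Constructed scenario: S reaches D over S-B-C-D or S-E-F-D; B forwards one packet
    and then silently drops the rest (black hole behaviour)."""
    wd = Watchdog(threshold=2, timeout=1.0)
    pr = Pathrater()
    via_b, via_e = ["B", "C", "D"], ["E", "F", "D"]
    for _ in range(3):                        # S has been using the B route for a while
        pr.active_route_tick(via_b)
    before = pr.choose_path([via_b, via_e])   # via_b nodes rate 0.53, via_e nodes 0.5

    wd.sent("B", "p0", 0.0)
    wd.overheard("B", "p0")                   # B forwarded p0: entry cleared, no failure
    flagged = []
    for i in range(1, 5):                     # p1..p4 are handed to B but never overheard
        now = float(i)
        wd.sent("B", "p%d" % i, now)
        flagged += wd.tick(now)               # p(i-1) has aged past the timeout here
    for node in flagged:
        pr.mark_misbehaving(node)
    after = pr.choose_path([via_b, via_e])
    return {"before": before, "after": after, "flagged": flagged,
            "failures_B": wd.failures["B"], "metric_via_b": pr.path_metric(via_b)}


if __name__ == "__main__":
    print(run_scenario())
```

After the third expired packet B's failure count exceeds the threshold, S rates B at -100, the S-B-C-D metric drops below zero and the previously lower-rated S-E-F-D path is chosen instead. Note that the watchdog only ever observes B's attempt to transmit; it cannot tell whether C actually received the packet, which is a known limitation of overhearing-based verification.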

11
Existing Research-3: Tseng et al
  • Specification-based IDS for AODV
  • Network Monitors (NMs) detect run-time violations of
    the specification
  • An FSM specifies the correct behaviour of AODV route
    discovery
  • NMs track the RREQ and RREP messages of each route
    discovery session

12
Example AODV Scenario with Network Monitors (NM, N1 and N2)
  • Figure (not reproduced): packets seen by the NM in
    each time slot
  • Figure (not reproduced): session tree built by the NM
    in each time slot (legend: RREQ only; RREQ and RREP)
13
Examples of Detecting Attacks
Existing Research-3: Tseng et al
  • Man-in-the-middle attack
    • M sends two RREP messages, m1 and m2, but M is not
      the owner of the sequence number (SN) they carry;
      only A or D may originate that SN
    • An "SN forged" alarm is triggered and the attack is
      detected
    • m1 and m2 also cannot be fitted into any session tree
      the NM has built, so "active forge" alarms are
      triggered as well
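The two alarms above, as an added example that is not code from Tseng et al or the slides: a simplified network monitor that builds a session tree per (source, RREQ id) from the RREQs it overhears, records the sequence number each destination announces in its own RREP, and raises "active forge" for a RREP that fits no session tree (unknown session, or a replier that never took part in the flood) and "SN forged" for a non-owner claiming a fresher sequence number than the owner ever announced. The message fields, node names, the two traces and the rule that a non-owner's RREP may carry at most the owner's last announced sequence number are assumptions constructed for this example; it also assumes the monitor overheard the owner's reply, otherwise a legitimate cached reply would be flagged.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Msg:
    kind: str       # "RREQ" or "RREP"
    sender: str     # node the monitor overheard transmitting this copy
    src: str        # route source (originator of the RREQ)
    dst: str        # route destination
    rreq_id: int    # together with src this names one route discovery session
    dst_seq: int    # destination sequence number carried by the message


@dataclass
class Session:
    dst: str
    tree: set = field(default_factory=set)   # nodes seen (re)broadcasting this RREQ


class NetworkMonitor:
    """Simplified NM: a session tree per (src, rreq_id) built from overheard RREQs, and each
    RREP checked against the tree and against the sequence numbers their owners announced."""

    def __init__(self):
        self.sessions = {}   # (src, rreq_id) -> Session
        self.owner_seq = {}  # node -> highest sequence number that node announced for itself
        self.alarms = []     # (alarm, message) log

    def observe(self, m):
        """Return the alarms raised by one overheard message (empty list if it conforms)."""
        raised = self._check_rreq(m) if m.kind == "RREQ" else self._check_rrep(m)
        self.alarms.extend((a, m) for a in raised)
        return raised

    def _check_rreq(self, m):
        session = self.sessions.setdefault((m.src, m.rreq_id), Session(m.dst))
        session.tree.add(m.sender)
        return []

    def _check_rrep(self, m):
        session = self.sessions.get((m.src, m.rreq_id))
        if session is None or session.dst != m.dst:
            return ["active forge"]          # no session tree this reply could belong to
        if m.sender == m.dst:
            # the owner of the sequence number is the only node allowed to advance it
            self.owner_seq[m.dst] = max(self.owner_seq.get(m.dst, 0), m.dst_seq)
            return []
        raised = []
        if m.sender not in session.tree:
            raised.append("active forge")    # replier never took part in this RREQ flood
        if m.dst_seq > self.owner_seq.get(m.dst, 0):
            raised.append("SN forged")       # fresher SN than the owner ever announced
        return raised


# Constructed traces. Normal discovery A -> B -> C -> D, then D's reply relayed back.
NORMAL_TRACE = [
    Msg("RREQ", "A", "A", "D", 1, 0),
    Msg("RREQ", "B", "A", "D", 1, 0),
    Msg("RREQ", "C", "A", "D", 1, 0),
    Msg("RREP", "D", "A", "D", 1, 7),    # D answers with its own SN = 7
    Msg("RREP", "C", "A", "D", 1, 7),    # C and B relay it along the tree unchanged
    Msg("RREP", "B", "A", "D", 1, 7),
]
# Attack: M, which never forwarded the RREQ, answers with an inflated SN to pull A's
# traffic to itself (the man-in-the-middle case), then replies to a discovery nobody started.
ATTACK_TRACE = [
    Msg("RREQ", "A", "A", "D", 2, 7),
    Msg("RREQ", "B", "A", "D", 2, 7),
    Msg("RREP", "M", "A", "D", 2, 50),
    Msg("RREP", "M", "A", "D", 9, 50),
]


if __name__ == "__main__":
    nm = NetworkMonitor()
    for m in NORMAL_TRACE + ATTACK_TRACE:
        print(m.kind, "from", m.sender, "session", (m.src, m.rreq_id), nm.observe(m))
```

On the normal trace no alarm is raised; on the attack trace M's first reply triggers both alarms ("active forge" because M is not in session 2's tree, "SN forged" because 50 exceeds the 7 that D announced) and its second reply triggers "active forge" alone, since session (A, 9) does not exist.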

14
Existing Research-4: Huang and Lee
  • More accurate detection from more information,
    obtained through collaboration with neighbours
  • Cluster-based detection scheme: one node per cluster
    is elected to run the detection on behalf of its
    neighbours
  • Cluster formation is driven by an FSM with states
    Initial, Clique, Done and Lost
  • Specification-based detection of the Ad-hoc On-demand
    Distance Vector (AODV) routing protocol
  • The resource constraints faced by a MANET are addressed
    in the design of these protocols: monitoring is shared
    within the cluster rather than run on every node

15
Cluster-based Intrusion Detection (figure not reproduced)
16
Cluster-based Intrusion Detection
  • Finite State Machine of the cluster formation
    protocols (figure not reproduced; its labels were):
    • States: INITIAL, CLIQUE, DONE, LOST
    • Protocols driving the transitions: Clique Computation
      protocol, Cluster Head Computation protocol, Cluster
      Valid Assertion protocol, Cluster Recovery protocol
    • Other transition labels: Repair, Re-election timeout
17
Existing Research-5: Sun et al
  • Use Markov chains to characterize the temporal
    behaviour of a routing feature: a sequence of feature
    values that is improbable under the chain learned from
    normal traffic is reported as an anomaly
  • Motivated by ZBIDS (zone-based IDS): nodes inside a
    zone generate alerts locally and broadcast them within
    the zone
  • Gateway nodes aggregate and correlate the alerts from
    within the zone before raising an alarm
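The Markov-chain detector and the zone-level aggregation above, as an added example that is not code from Sun et al or the slides: a first-order transition matrix is learned from a normal trace of one discretized feature, a sliding window whose log-probability falls below a calibrated threshold produces a local alert, and a gateway turns local alerts into a zone alarm only when several distinct nodes report the same interval. The feature (fraction of routing-table entries changed per interval), the state bins, the window length, the additive smoothing, the threshold calibration, the minimum of two reporters and all trace values are assumptions constructed for this example; they stand in for the feature and model choices of the original work.

```python
import math
from collections import Counter, defaultdict

# Constructed trace of one audit feature under normal operation: the fraction of a node's
# routing-table entries that changed in each monitoring interval (values are made up).
NORMAL_ROUTE_CHANGE = [0.02, 0.05, 0.15, 0.05, 0.02, 0.20, 0.08,
                       0.04, 0.12, 0.03, 0.06, 0.18, 0.05]

STATE_EDGES = (0.1, 0.3, 0.6)   # feature value -> one of four discrete chain states


def discretize(value, edges=STATE_EDGES):
    """Map a feature value in [0, 1] to a chain state 0..len(edges)."""
    for state, edge in enumerate(edges):
        if value < edge:
            return state
    return len(edges)


class MarkovChainDetector:
    """Learns a first-order transition matrix from a normal trace; a window of observations
    whose probability under that chain falls below a calibrated threshold is a local alert."""

    def __init__(self, n_states=len(STATE_EDGES) + 1, window=4, alpha=1.0):
        self.n = n_states
        self.window = window
        self.alpha = alpha                    # additive smoothing: unseen transitions stay > 0
        self.counts = defaultdict(Counter)    # counts[a][b] = times state a was followed by b
        self.threshold = None

    def transition_prob(self, a, b):
        row = self.counts[a]
        return (row[b] + self.alpha) / (sum(row.values()) + self.alpha * self.n)

    def window_score(self, states):
        """Log-probability of the transitions inside one window of states."""
        return sum(math.log(self.transition_prob(a, b)) for a, b in zip(states, states[1:]))

    def fit(self, normal_values, margin=0.5):
        states = [discretize(v) for v in normal_values]
        for a, b in zip(states, states[1:]):
            self.counts[a][b] += 1
        # Calibrate: the least likely window seen during normal operation, minus a safety
        # margin, becomes the alert threshold.
        scores = [self.window_score(states[i:i + self.window])
                  for i in range(len(states) - self.window + 1)]
        self.threshold = min(scores) - margin
        return self

    def local_alert(self, recent_values):
        """Alert if the latest `window` observations are too unlikely under the chain."""
        states = [discretize(v) for v in recent_values[-self.window:]]
        return self.window_score(states) < self.threshold


def gateway_aggregate(local_alerts, min_reporters=2):
    """Gateway-side aggregation for a zone. local_alerts is an iterable of (interval, node_id)
    pairs reported by intrazone nodes; an interval becomes a zone alarm only when at least
    min_reporters distinct nodes alerted on it, which suppresses one node's isolated alert."""
    reporters = defaultdict(set)
    for interval, node in local_alerts:
        reporters[interval].add(node)
    return sorted(i for i, nodes in reporters.items() if len(nodes) >= min_reporters)


if __name__ == "__main__":
    det = MarkovChainDetector().fit(NORMAL_ROUTE_CHANGE)
    print("normal window alert:", det.local_alert([0.04, 0.03, 0.14, 0.02]))    # False
    print("route-churn window alert:", det.local_alert([0.70, 0.80, 0.75, 0.90]))  # True
    print("zone alarms:", gateway_aggregate([(7, "n1"), (7, "n2"), (8, "n1")]))  # [7]
```

The normal trace only ever visits states 0 and 1, so a window that stays in state 3 (sustained route churn, as a routing update storm would cause) has a probability three orders of magnitude below the calibrated threshold; the smoothing keeps that probability finite instead of producing a zero that would hide how unlikely the window is.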

18
Future Research Directions
  • Distributed and collaborative models
    (ask the surrounding nodes to confirm a local
    suspicion before raising an alarm)

19
Future Research Directions
  • Deployment knowledge: understanding of the deployed
    applications and the attacks relevant to them
  • Appropriate audit data sources, e.g. using the link
    change rate as an indication of mobility
  • Probability distributions of the audit data
  • Lightweight solutions for estimating them

20
The End