Intrusion Detection in Wireless Ad Hoc Networks - PowerPoint PPT Presentation

1 / 37
About This Presentation
Title:

Intrusion Detection in Wireless Ad Hoc Networks

Description:

Cooperation Of Nodes - Fairness In Dynamic Ad-hoc NeTworks. Hierarchical Architecture ... of IEEE/ACM Symposium on Mobile Ad Hoc, 2002 ... – PowerPoint PPT presentation

Number of Views:521
Avg rating:3.0/5.0
Slides: 38
Provided by: quyi
Category:

less

Transcript and Presenter's Notes

Title: Intrusion Detection in Wireless Ad Hoc Networks


1
Intrusion Detection in Wireless Ad Hoc Networks
  • Yi Qu
  • University of Ottawa
  • 2008.11.4

2
Outline
  • Basic Concept
  • Intrusion Detection Approaches
  • ID System Architectures
  • Summary
  • QA

3
Security Requirements Dje05
  • Availability
  • Authentication
  • Confidentiality
  • Integrity
  • Non-repudiation

4
Four Types of Attack
Attack on Availability
Attack on Confidentiality
Attack on Integrity
Attack on Authentication
5
Secure Services Model Sto01
ID is second defense line after preventive
security services
6
MANET Features Impact on Security
  • Infrastructureless
  • security solution rely on a distributed
    cooperative scheme instead of a centralized
    scheme.
  • Multi-hop
  • malicious/uncooperative node along the path
  • Memory and computation power limitation
  • high complexity security solutions are difficult
    to implement.

7
Intrusion Detection vs. Secure Routing
  • Intrusion Detection include the detection
    (internal) attacks against routing and data
    forwarding.
  • Secure Routing which mainly focus on how to avoid
    disrupting protocol execution by keeping
    attackers outside networks using various
    authentication mechanism

8
Attacks against Routing
  • Modification
  • modify route sequence number, hop number or
  • source route
  • Fabrication
  • Falsifying route errors Broadcast falsified
    routes
  • Tunneling/Wormhole
  • Rushing attack
  • Spoofing (concerned by secure routing)

9
Attacks against Data forwarding
  • Dropping Data Packets
  • Attack routing first to gain participation in
    the routing, then drop packet to be forwarded.
    (also named as sinkhole, black hole, grey hole,
    selective forwarding and misleading etc.)
  • Selfish Behavior
  • Not forwarding packet to save own battery, but
    not attacking routing
  • In summary, essential of intrusion is not
    forwarding data packets as expected

10
Intrusion Detection Models
  • Monitoring location
  • Host-based collect data in local host, such as
    system call activities, communication activities,
    other traces
  • Network-based check network activity and
    packets
  • Detection profile
  • Anomaly Detection raise flag when deviation to
    normal behavior is over threshold
  • Signature/Misuse Detection match signature
    (misuse pattern) of predefined intrusion types

11
Outline
  • Basic Concept
  • Intrusion Detection Approaches
  • ID System Architectures
  • Summary
  • QA

12
Classification
  • Intrusion Preventive Approaches
  • - Economic-based
  • Intrusion Detection Approaches
  • - Reputation-based
  • - Statistic-based

13
Economic-based Intrusion Preventive (1)
  • Nuglet
  • Nodes which use a service must pay for it (in
    virtual currency or nuglets) to nodes that
    provide the service.
  • - How to represent nuglets is a problem?
  • - A well-behaved node that is not asked to route
    enough packets could not earn nuglets and will be
    unable to send its own packets.

14
Economic-based Intrusion Preventive (2)
  • SCAN (token-based)
  • Each node need token in order to participate
    in network operations.
  • - Node renew its token via its multiple
    neighbors signed by a Shared Key.
  • - The token of a convicted malicious node will
    be revoked.

15
Reputation-based Intrusion Detection
  • The opinion a node has of another is called
    reputation. Based on this reputation, the node
    determine whether to cooperate with another node.
  • Reputation systems can be used to cope with any
    kind of misbehavior as long as it is observable.

16
Reputation-based Functions
  • Monitoring
  • Get first-hand information about a nodes
    behavior by taking account the packet received
    and overhearing next hop nodes activity. Usually
    signature detection model is used.
  • Reputation
  • Keep and update reputation rating
  • Response
  • Isolating the nodes that are deemed misbehaving

17
Watchdog Pathrater (1)
  • watchdog is the monitoring part
  • path rater is the combined reputation and
    response part.
  • One of the prior of reputation-based IDS,
    commonly used monitoring mechanism by many IDS,
    cited by 1135

18
Watchdog Pathrater (2)
  • Watchdog detects non-forwarding by overhearing
    the transmission of the next node.
  • Once misbehavior is detected, the source of the
    concerned path is informed. Each node maintains a
    rating for every other node it knows about.
  • Nodes select routes with the highest average node
    rating.

19
Watchdog Pathrater (3)
  • Weaknesses of Watchdog mechanism
  • Ambiguous collisions
  • Receiver collisions
  • Limited transmission power
  • B forward packet with limited power that can not
    reach the real recipient, but can be overheard by
    A
  • Collusion
  • A?B?C BC in collusion, C drop packet, B does
    not report to A.
  • Partial dropping
  • drop some packets but not exceed the threshold

20
Statistic-based Intrusion Detection
  • Take the anomaly detection model
  • Profile the statistic of normal behavior and
    compare to the statistic of audit data.
  • Need sufficient data gathering (including both
    training" and testing" processes), refined
    features and modeling algorithms to generate a
    good anomaly detection profile.

21
Statistic-based IDS Example Zhang00
  • statistical anomaly detection. illustrated by
    host-based audit data (routing table change
    statistic)
  • use data on the node's physical movements and
    the corresponding change in its routing table as
    the basis of the trace data.
  • PCR- percentage of changed routes
  • PCH- per. of changes in the sum of hops of all
    the routes

22
Outline
  • Basic Concept
  • Intrusion Detection Approaches
  • ID System Architectures
  • Summary
  • QA

We have seen the approaches how intrusions are
prevented or detected by handling the audit data,
now lets see from the view of a ID system
Architectures
23
Architecture Overview
  • Stand-alone
  • Distributed and Cooperative
  • Could use alone or combined with one or two of
    below architectures
  • - Hierarchical
  • - Agent-based

24
Stand-alone Architecture
  • IDS is run on each node independently to
    determine intrusions. No cooperation between
    nodes to exchange reputation information about
    others.
  • Pro simple and claimed no need to maintain
    trust-management machinery
  • Con vulnerable to malicious routing

25
OCEAN
  • NeighborWatch
  • similar to watchdog, maintains ratings for each
    its neighbors
  • Rank-Based Routing
  • transmitter add a new field in RREQ, avoid-list
    which is the list of nodes it wishes to avoid
  • Vulnerable to malicious routing

26
Distributed Cooperative Architecture
  • MANET nature is distributed cooperative
  • Cooperation help individual node to make decision
    (using second information) when the local
    evidence is inconclusive.
  • Cooperation alleviate attack on IDS itself, but
    need support of trust-management

27
A Prior of Distributed Cooperative IDS
Distributed and Cooperative IDS in MANETs
proposed by Zhang 2000
28
CONFIDANT
Cooperation Of Nodes - Fairness In Dynamic Ad-hoc
NeTworks
monitor neighbors, update reputation, take
response and send alarm to friends
29
Hierarchical Architecture
  • Hierarchical IDS extend the distributed and
    cooperative IDS and is proposed for multi-layered
    network infrastructures
  • Cluster head can monitor its nodes thus to save
    their resources, or it can collect monitoring
    report from nodes and do some additional work.

30
Hierarchical Example Sterne05
31
Agent-based Architecture
  • Separate functional tasks into categories and
    assigning each task to a different agent, the
    workload is distributed
  • Save energy by offloading some tasks
  • eg. Cluster node need not packet-level
    monitoring
  • Different nodes do best in different tasks
  • eg. cluster head is good at making decision
    because it have both network-level information
    and host-based information of all its nodes.

32
Agent-based Example Kach03
  • Packet-level monitoring agent and Decision agent
    are only running in cluster head
  • All nodes have Action agent and host-based
    monitoring agent for User-level and System-level

33
Summary
  • Many IDS are reputation-based using signature
    detection model for simple misbehavior of packet
    dropping.
  • Good statistical profile for anomaly detection
    model is a challenge. But it allows detection
    performed locally in each node.
  • Most IDS take distributed cooperative
    architecture which match the nature of MANET.
    Trust-management is a key part.
  • Agent-based approach is a trend for its efficient
    manner

34
QA
  • 1. What is advantage and disadvantage of
    Signature Detection model to Anomaly Detection
    model?
  • A Signature Detection is accurate, but can not
    detect intrusion without signature defined while
    Anomaly Detection may cause false accusation, but
    can detect new type of intrusion.

35
QA
  • 2. The mechanism like WatchDog is a common way to
    monitor network activity, it has some weakness.
    Besides some malicious attacks, it is inaccurate
    monitoring, Please give one example.
  • A ambiguous collisions,
  • receiver collisions,

36
QA
  • 3. Explain the efficient manner of agent-based
    architecture.
  • A Agent-based architecture are efficient in at
    least below 2 points
  • Save energy by offloading some tasks
  • Different nodes do best in different tasks.

37
References
  • Dje05 D. Djenouri,  A survey of security issues
    in mobile ad hoc and sensor networks,
    Communications Surveys Tutorials, IEEE, 2005
  • Sto01
  • Sterne05 D. Sterne et.al., AGeneral
    Cooperative Intrusion Detection Architecture for
    MANETs, Proceedings of the 3rd IEEE
    International Workshop on Information Assurance
    (IWIA05), pp. 57-70, March 2005.
  • CONFIDANT S Buchegger, JY Le Boudec, Analysis
    of the CONFIDANT Protocol Cooperation Of Nodes -
    Fairness In Dynamic Ad-hoc NeTworks, Proc. of
    IEEE/ACM Symposium on Mobile Ad Hoc, 2002
  • Zhang00 Y. Zhang and W. Lee, Intrusion
    Detection in Wireless Ad Hoc Networks, 6th
    Intl. Conf. Mobile Comp. and Net., Aug. 2000,
    pp. 27583.
  • OCEAN S. Bansal and M. Baker,
    Observation-Based Cooperation Enforcement in Ad
    hoc Networks, Research Report cs.NI/0307012,
    Stanford University, 2003.
  • Watchdog S. Marti et al., Mitigating Routing
    Misbehavior in Mobile Ad Hoc Networks, Proc.
    MOBICOM 2000, 2000, pp. 25565
  • SCAN Hao Yang et.al, SCAN Self-Organized
    Network-Layer Security in Mobile Ad Hoc
    Networks, IEEE JOURNAL ON SELECTED AREAS IN
    COMMUNICATIONS, VOL. 24, NO. 2, FEBRUARY 2006
Write a Comment
User Comments (0)
About PowerShow.com