1 / 34

Intrusion Detection Techniques for Mobile Wireless Networks

Intrusion Detection Techniques for Mobile Wireless Networks. Zhang, Lee, Yi-An Huang Presented by: Alex Singh and Nabil Taha. Outline. Introduction Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks An Architecture for Intrusion Detection

andres
Download Presentation

Intrusion Detection Techniques for Mobile Wireless Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection Techniques for Mobile Wireless Networks Zhang, Lee, Yi-An Huang Presented by: Alex Singh and Nabil Taha

  2. Outline • Introduction • Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks • An Architecture for Intrusion Detection • Anomaly Detection in Mobile Ad-Hoc Networks • Experimental Results • Conclusion

  3. Introduction • Rapid proliferation of wireless networks changed the landscape of network security • Traditional firewalls and encryption software no longer sufficient • Need new mechanisms to protect wireless networks and mobile computing application

  4. Checklist • Examine vulnerabilities of wireless networks • Discuss intrusion detection in security architecture for mobile computing environment • Evaluate such architecture through simulation experiments

  5. Vulnerabilities of Wireless Networks • Wireless links leaves the network susceptible to • Passive eavesdropping • Active interfering • Mobile nodes are capable of roaming independently • Decision-making in wireless networks rely on cooperative algorithms

  6. Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks • Intrusion – Any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource • Intrusion Prevention – Primary defense (i.e. Passwords, Biometrics) • Intrusion Detection Systems (IDSs)– Second wall of defense

  7. Network-based IDS – Runs at the gateway of a network and examines network packets that go through the network hardware interface Host-based IDS – Relies on operating system audit data to monitor and analyze the events generated by programs or users on the host Categories of IDSs

  8. Misuse Detection – uses patterns of well known attacks or weak spots to identify known intrusions. ex: guessing password, locks account after 4 failed attempts. Lacks ability to detect newly invented attacks Anomaly Detection – flags activates that differ significantly from the established normal usage. ex: frequency of program usage much lower or much higher than normal usage Does not need prior knowledge of attacks High false positive rate Intrusion Detection Techniques

  9. Problems with current IDSs • Fixed infrastructure IDS techniques can not be directly applied to mobile ad-hoc networks • Rely on real-time traffic analysis • Must be done at the system for mobile ad-hoc networks and not at a gateway, switch or router • Mobile users tend to adopt new operations modes such as disconnected operations

  10. Questions for a Viable IDSs • What is a good system architecture for building intrusion detection and response systems • What are the appropriate audit data sources and how do we detect anomaly based on partial, local audit traces • What is a good model of activities in a mobile computing environment that can separate an anomaly from normalcy

  11. An Architecture for Intrusion Detection

  12. IDS agent

  13. Data Collection • Gathers streams of real-time audit data from various sources • Includes: • System activities • User activities • Communication activities by this node • Communication activities by other nodes within this radio range • This supports multi-layered intrusion detection method

  14. Local Detection • The local detection engine analyzes the local data traces gathered by the local data collection module for evidence of anomalies. • Includes both misuse detection or anomaly detection

  15. Cooperative Detection • Any node can initiate a response if it has strong enough evidence about intrusion • If the node only has weak or inconclusive evidence, it can warrant a broader investigation • Possible to detect intrusion even when evidence at individual nodes is weak

  16. Intrusion Response • The type of intrusion response depends on: • Type of intrusion • Type of network protocols • Type of applications • Confidence (or certainty) in the evidence • Typical Responses: • Re-initiate communication channels between nodes • Identify compromised node and exclude it

  17. Multi-Layer Integrated Intrusion Detection and Response • With wireless networks, there are vulnerabilities in multiple layers and intrusion detection module needs to be placed at each layer on each node • Need to coordinate intrusion detection and response efforts between layers • Enables us to analyze the attack scenario in its entirety

  18. Anomaly Detection in Mobile Ad-Hoc Networks • Anomaly detection works on the premise that there is intrinsic and observable characteristic of normal behavior that is distinct from that of abnormal behavior • We can use a classifier, trained using normal data, to predict what is normally the next event given the previous n events

  19. Procedure for Anomaly Detection • Select audit data • Perform appropriate data transformation • Compute classifier using training data • Apply classifier to test data • Post-process alarms to produce intrusion reports

  20. Attack on Routing Protocols • Route Logic Compromise – Manipulating routing information • Misrouting: forwarding a packet to an incorrect node • False Message Propagation: distributing a false route update • Traffic Patter Distortion – Changes default/normal traffic behavior • Packet dropping • Packet generation with faked source address • Corruption on packet contents • Denial-of-service

  21. Audit Data • Local Routing Information, including cache entries and traffic statistics • Position locater or GPS which is assumed to not be compromised • Only local information is used since remote nodes can be compromised

  22. Feature Selection • Since we use classifiers as detectors we need to select/construct features from the available audit data • A large feature set is first constructed to cover a wide range of behaviors • Several training runs are conducted and features that occur more than a minimum threshold are selected into the Essential Feature Set

  23. Classifier • Two classifiers were used in the study • RIPPER – A rule induction program, searches the given feature space and computes rules that separate data in appropriate classes • SVM light – Support Vector Machine classifier, pre-process the data to represent patterns in much higher dimension than the given feature space

  24. Post-processing • Choose a parameter l and let the window size be 2l+1 • For a region in the current window if there are more abnormal than normal predictions then the entire region is marked abnormal • Shift the window and repeat • Count all continuous abnormal regions as one intrusion session

  25. Detecting Abnormal Updates to Routing Tables • Routing table contains at a minimum the next hop to each destination node and the distance • Physical movement is measured by distance and velocity • The routing table change is measured by the percentage of changed routes – PCR • And the percentage of changes of all hops of all the routes – PCH

  26. Computing Normal Profile • Denote PCR the class (i.e. concept), and distance, velocity, and PCH, etc. the features describing the concept; • Use n classes to represent the PCR values in n ranges, ex, we can use 10 classes each representing 10 percentage points - that is, the trace data belongs to n classes • Apply a classification algorithm to the data to learn a classifier for PCR • Repeat the above for PCH, that is, learn a classifier for PCH

  27. Finding Anomalies • If abnormal data is not available compute clusters of the deviation scores where each score pair is a point (PCR, PCH) then the outliers can be considered anomalies

  28. Detecting Abnormal Activities in Other Layers • Anomaly detection in other layers (MAC protocols, application, services, etc.) use a similar approach • MAC protocols- form cluster using the deviations of the total number of channel requests and the total number of nodes making the request during a time period s

  29. Experimental Results

  30. Discussion • Anomaly detection works much better on a routing protocol in which a degree of redundancy exists within infrastructure • DSR embeds a whole source route in each packet dispatched • This makes it harder to hide intrusion by faking a bit of routing information

  31. Conclusions • Mobile Wireless networks require different techniques to detect intrusions • Anomaly detection is a critical part of component of intrusion detection and response • Trace analysis and anomaly detection should be done locally and possibly through cooperation with all nodes in the network • Paper focused on ad-hoc routing protocols since they are the foundation of a mobile ad-hoc network

  32. Conclusions – Routing Protocols • Use anomaly detection models constructed using information available from the routing protocols • Apply RIPPER and SVM Light to compute classifiers • Showed that these detectors in general have good detection performance with SVM Light having better performance

  33. Conclusions - findings • They noted some disparity in security performance among different types of routing protocols • They claimed that protocols with strong correlation among changes of different types of information(location, track and routing message) tend to have better detection performance • And on-demand protocols usually work better than table-driven protocols

More Related