
Intrusion Detection for Wireless Sensor Networks






Presentation Transcript


  1. Intrusion Detection for Wireless Sensor Networks Qualifying Exam 28th April 2005 Presented by Edith Ngai Supervised by Prof. Michael R. Lyu

  2. Outline • Background • Research direction • Intrusion detection for WSN • Tracing network attacks • Conclusion & Proposed future work

  3. Technology trend • Small integrated devices • Smaller, cheaper, more powerful • PDAs, mobile phones • Many opportunities, and research areas • Power management • Distributed algorithms

  4. Wireless sensor networks • Wireless sensor node • power supply • sensors • embedded processor • wireless link • Many, cheap sensors • wireless → easy to install • intelligent → collaboration • low-power → long lifetime

  5. Possible applications • Military • Asset monitoring and management, battlefield surveillance, biological attack detection • Ecological • fire detection, flood detection, agricultural uses • Health related • Medical sensing, microsurgery • General engineering • car theft detection, inventory control, residential security

  6. Requirements • Low energy use • Efficient use of small memory • In-network data processing • large amounts of raw data • limited power and bandwidth • Efficient data routing • Node localization

  7. WSN vs MANET

  8. Security in WSN • Main security threats in WSN are: • Radio links are insecure – eavesdropping / injecting faulty information is possible • Sensor nodes are not tamper resistant – if one is compromised the attacker obtains all of its security information • Protecting confidentiality, integrity, and availability of the communications and computations

  9. Why security is different? • Sensor Node Constraint • Battery • CPU power • Memory • Networking Constraints and Features • Wireless • Ad hoc • Unattended

  10. Network defense
    • Protect – Encryption – Firewalls – Authentication – Biometrics
    • Detect – Intrusions – Attacks – Misuse of Resources – Data Correlation – Data Visualization – Malicious S/W – Network Status / Topology
    • React – Response – Terminate Connections – Block IP Addresses – Containment – Fishbowl – Recovery – Reconstitute

  11. What is intrusion detection? • Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities • Intrusion detection discovers violations of confidentiality, integrity, and availability of information and resources

  12. What is intrusion detection? • Intrusion detection demands: • As much information as the computing resources can possibly collect and store • Experienced personnel who can interpret network traffic and computer processes • Constant improvement of technologies and processes to match pace of Internet innovation

  13. How useful is intrusion detection? • Provide digital forensic data to support post-compromise law enforcement actions • Identify host and network misconfigurations • Improve management and customer understanding of the Internet's inherent hostility • Learn how hosts and networks operate at the operating system and protocol levels

  14. Intrusion detection models • All computer activity and network traffic falls in one of three categories: • Normal • Abnormal but not malicious • Malicious • Properly classifying these events is the single most difficult problem -- even more difficult than evidence collection

  15. Intrusion detection models • Two primary intrusion detection models • Network-based intrusion detection monitors network traffic for signs of misuse • Host-based intrusion detection monitors computer processes for signs of misuse • So-called "hybrid" systems may do both • A hybrid IDS on a host may examine network traffic to or from the host, as well as processes on that host

  16. IDS paradigms • Anomaly Detection – look for abnormal • Misuse Detection – pattern matching • Burglar Alarms - policy based detection • Honey Pots - lure the hackers in • Hybrids - a bit of this and that

  17. Anomaly detection • Goals: • Analyze the network or system and infer what is normal • Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal” • If events are outside of a probability window of “normal”, it generates an alert

  18. Anomaly detection (cont) • Typical anomaly detection approaches: • Neural networks - probability-based pattern recognition • Statistical analysis - modeling behavior of users and looking for deviations from the norm • State change analysis - modeling system’s state and looking for deviations from the norm

  19. Misuse detection • Goals: • Know what constitutes an attack • Detect it • A database of known attack signatures should be maintained

  20. Misuse detection (cont) • Typical misuse detection approaches: • “Network grep” - look for strings in network connections which might indicate an attack in progress • Pattern matching - encode series of states that are passed through during the course of an attack • e.g.: “change ownership of /etc/passwd” -> “open /etc/passwd for write” -> alert

  21. Research Direction: Intrusion Detection for WSN

  22. Types of attack • Physical attack • Physical damage, destroy, tamper • MAC layer attack • Jamming • Network layer attack • Misdirection on routing • Selective forwarding • Sinkhole attack • Wormhole attack • Sybil attack • Rushing attack • Hello flood attack • Application layer attack • Denial of service

  23. Research proposal

  24. Audit data • Application data from sensors • Routing information • Node behavior record • Network topology

  25. Data collection • Localization • Data fusion • Routing • Behavior monitoring • History recording

  26. Procedures • Intrusion Detection • Discover suspicious activity from audit data • Detect the intrusions • Classify the type of intrusions • Intrusion Tracing • Trace the source of intrusions • Identify and locate the intruders • Intrusion Reaction • Resist the intrusions • Defend against further intrusions

  27. Intrusion Detection in WSN

  28. Network model • BSj: base station at location (Xj, Yj) • Si: sensor node at location (xi, yi) • R: transmission range of the base station • r: transmission range of the sensor node • k-coverage: a node is covered by k BSs

  29. Definitions • Coverage of a base station • Number of coverage from base stations • p sends data to q successfully (in 1-hop) • p sends data to q successfully via k hops • p fails in sending data from p to q

  30. Types of intrusions • Sinkhole SH(q), HelloFlood HF(q) • A region of nodes will forward packets destined for a BS through an adversary • Wormhole WH(q) • An adversary tunnels messages received in one part of the network over a low latency link and replays them in a different part

  31. Types of intrusions • Missing Data MD(Ci) • Missing data from p to BSi • Wrong Data (local) WDL(p) • Inconsistent data • Selective Forwarding / Interference • Sensor p does not forward data to its neighboring nodes

  32. Architecture

  33. Intrusion detection components • Data fusion • Local – neighboring nodes • Global – overlapping areas • Topology discovery • Route tracing • History • Neighbor monitoring • Watchdog

  34. Intrusion detection • Attack types: • I – Sinkhole, Hello Flood • II – Wormhole • III – Missing Data • IV – Wrong Data • V – Interference

  35. Intrusion Tracing in WSN

  36. Related work • IP Traceback in traditional network • Packet marking • ICMP traceback message

  37. Related work • “dead” node • ceases sending or routing; measured as dead • “silent” node • ceases sending but status not determined

  38. Tracing sinkhole attack • Adversary lures nearly all traffic from a particular area through a compromised node • Attracts network traffic by advertising a high quality path to the BS • A common kind of violation is selective forwarding

  39. Attack region detection • The BS can detect the list of nodes affected by the intrusions • Missing data • Inconsistent data • Circle the attack area

  40. Probing • Collect the next hop and hop counts from the nodes in the affected area
    (1) When a suspicious sinkhole attack begins: BS -> N(x): <probing, BSi>
    (2) When a probing message is received from N(x): x -> y (neighbors of x): <probing, x, BSi>
    (3) When node y receives a probing message: y -> x: <y, shortest_next_hop, shortest_hop_count> (routing information to BS); y -> y’ (neighbors of y): <probing, y, BSi>
    (4) Step (3) repeats until the request messages reach the boundary of the attack area

  41. Identify the sinkhole • The sinkhole does not have outgoing edges • Incoming edges to the sinkhole should provide the minimum no. of hop counts to the BS • Search from the leaf nodes to the root (sinkhole)

  42. With colluding nodes • Missing information • Routing loop • Wrong routing information • Misleading sinkhole • Figure: attack area with colluding nodes – (a) missing information, (b) cycles, (c) misleading sinkhole, (d) identification of the sinkhole using hop counts

  43. Enhanced algorithm • Finding the array on hop counts: call method “checkRootByCount” for each root, which calculates the array “count”
    for each root r
      initialize a new array count
      checkRootByCount(r, count, 1)
      if (count[0] >= numNode(r)/2)
        r is a correct root
      end if
    end for

    checkRootByCount (Node r, Array count, int depth)
      depth = depth + 1
      for each precedent node p of r
        increase count[ w(p,r) – depth ] by 1
        checkRootByCount(p, count, depth)
      end for
    end checkRootByCount

  44. Enhanced algorithm
    for each root r
      initialize a new Array count
      initialize a new Path correctPath
      checkRootByCount(r, count, 1)                          // calculate the array “count”
      S = {x>0 | forall y>0, count[x]+count[-x] > count[y]+count[-y]}
      x = min(S)                                             // calculate no. of hop counts for correction
      correctRoot(r, r, x, 0, correctPath, count[0])         // correct the root by specifying another suspicious sinkhole
      apply correctPath on Network G
    end for

    correctRoot (Node r, Path p, int totalLevel, int currentLevel, Path correctPath, int bestCount)
      if (currentLevel >= totalLevel)
        return
      end if
      currentLevel = currentLevel + 1
      for each precedent node c of r
        initialize a new Array count
        reverse edge (c,r)
        checkRootByCount(c, count, 1)                        // calculate the array “count” again
        if (count[0] > bestCount)
          correctPath = p->c                                 // select the best result
        end if
        correctRoot(c, p->c, totalLevel, currentLevel, correctPath, bestCount)
        reverse edge (c,r)
      end for
    end correctRoot

  45. Example – Before correction
    • Node Y: value provided by Y = 3; deduced value from Y to SH’ = 4; count of Y = 3 – 4 = -1 (=> SH should be 1 hop closer than SH’)
    • Node X: value provided by X = 4; deduced value from X to SH’ = 3; count of X = 4 – 3 = 1 (=> SH should be 1 hop farther away than SH’)

  46. Example – After correction
    • Node Y: value provided by Y = 3; deduced value from Y to SH’ = 3; count of Y = 3 – 3 = 0 (=> hop count agrees with SH)
    • Node X: value provided by X = 4; deduced value from X to SH’ = 4; count of X = 4 – 4 = 0 (=> hop count agrees with SH)
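The hop-count check of slides 41, 43 and 45/46, worked as an added example that is not part of the presentation: the base station collects the probe replies of slide 40, treats any next hop that never replies as a root (no outgoing edge), and runs checkRootByCount. The node names, probe replies and the Counter used in place of the slides' array are constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed probe replies as the BS would collect them (slide 40):
# node -> (shortest_next_hop, shortest_hop_count claimed towards the BS).
# "SH" is named as a next hop but never replies, so it has no outgoing
# edge and is the candidate sinkhole (slide 41).
PROBE_REPLIES = {
    "A": ("SH", 2), "B": ("SH", 2),   # direct neighbours of the sinkhole
    "C": ("A", 3),  "D": ("B", 3),
    "E": ("C", 4),
}

def build_predecessors(replies):
    """Reverse the next-hop edges: node -> nodes that route through it."""
    preds = defaultdict(list)
    for node, (next_hop, _) in replies.items():
        preds[next_hop].append(node)
    return preds

def find_roots(replies):
    """Roots have incoming edges but no outgoing edge (slide 41)."""
    return sorted({nh for nh, _ in replies.values()} - set(replies))

def check_root_by_count(r, replies, preds, count, depth):
    """checkRootByCount of slide 43. count is keyed by w(p,r) - depth;
    a Counter allows the negative offsets of slide 45 (e.g. -1)."""
    depth += 1
    for p in preds.get(r, []):
        claimed = replies[p][1]           # w(p, r): hop count node p reported
        count[claimed - depth] += 1       # 0 = claim agrees with tree depth
        check_root_by_count(p, replies, preds, count, depth)

def num_nodes(r, preds):
    """numNode(r): number of nodes in the tree rooted at r."""
    return sum(1 + num_nodes(p, preds) for p in preds.get(r, []))

def identify_sinkholes(replies):
    """Return root -> (offset counts, root accepted by the majority rule)."""
    preds = build_predecessors(replies)
    result = {}
    for r in find_roots(replies):
        count = Counter()
        check_root_by_count(r, replies, preds, count, 1)
        # majority rule of slide 43: count[0] >= numNode(r) / 2
        result[r] = (dict(count), count[0] >= num_nodes(r, preds) / 2)
    return result
```

A claimed count that disagrees with the tree depth lands in a non-zero key, which is the signal slide 44 uses to move the suspected sinkhole by min(S) hops.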

  47. Conclusion & Proposed Work

  48. Required technologies • Collection of the audit data • Localization • Data fusion • Routing • Analysis on the audited data • Identifying the intrusion characteristics • Detecting the intrusions • Locating the intrusions • Intrusion reaction

  49. Proposed work • Study how to collect the audit data effectively and complete the intrusion detection architecture • Investigate the methods to analyze the audited data for intrusion detection • Propose new methods to identify and locate the intruders (for various attacks) • Study and explore reactive measures to defend against the detected intrusions • Formulate and evaluate our intrusion detection framework, which is expected to be effective in detecting and resisting the many types of intrusions

  50. Conclusion • We discussed the characteristics of WSN and its security issues • We studied traditional intrusion detection technologies • We introduced our intrusion detection framework in our research proposal • We proposed an intrusion detection architecture and analyzed which kinds of intrusions can be detected • We proposed an algorithm for tracing the Sinkhole attack in WSN • We presented our proposed future work
