Insider attacker detection
1 / 52

Insider Attacker Detection - PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Insider Attacker Detection. Presented by Fang Liu Outline. Introduction Detection of Faulty Sensors Detection of Routing Misbehaviors A General Solution – Insider Attacker Detection in Wireless Sensor Networks. Secure the Sensor Networks.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Insider Attacker Detection

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Insider attacker detection
Insider Attacker Detection

Presented by Fang Liu


  • Introduction

  • Detection of Faulty Sensors

  • Detection of Routing Misbehaviors

  • A General Solution

    – Insider Attacker Detection in Wireless Sensor Networks

Secure the sensor networks
Secure the Sensor Networks

  • Protecting confidentiality, integrity, and availability of the communications and computations

    • Sensor networks are vulnerable to security attacks due to the broadcast nature of transmission

    • Jamming, eavesdropping, etc.

  • Sensor nodes can be physically captured or destroyed

    • All information will be released if not tamper-resistant.

Compromised sensors
Compromised Sensors

  • Sensors are vulnerable.

    • Subject to physical attacks

    • Not tamper-resistant

  • Compromised nodes can launchinsider attacks.

    • False information

      • False readings, Data alteration, etc

    • Routing misbehaviors

      • Message negligence, selective forwarding, jamming, etc.

Challenges in detecting insider attackers
Challenges in Detecting Insider Attackers

  • Compromised nodes know all the information!

    • Cannot be detected with classical cryptographic security mechanisms

      • Authentication, Integrity protection, etc

  • Difficult to study the normal/abnormal node activities

    • Dynamic attacks

  • No centralized server to perform analysis and correlation

Existent solutions
Existent Solutions

  • Detection of False Information

  • Detection of Routing Misbehaviors

  • Our Work –

    A General Solution to Insider Attacker Detection in Wireless Sensor Networks

Detection of false information
Detection of False Information

  • Detecting and tolerating false information inserted by

    • Faulty sensors

    • Compromised sensors

  • Methods:

    • Centralized solution: The base station collects the data and checks the correctness [Shen ICC’01, Koushanfar et al. Sensors’03]

    • Secure data aggregation [Cao et al Mobihoc’06]

    • Fault-tolerant event detection: Disambiguate events from noise-related error, faulty sensors

      • 0/1 predicate

      • Comparison with neighborhood activities [Cheng et al. Infocom’05]

Detection of routing misbehaviors
Detection of Routing Misbehaviors

  • Routing misbehaviors:

    • Selective forwarding, packet dropping, etc.

  • One contemporary solution:

    • Forward packets only through nodes that share apriori trust relationship. But,

      • It requires key distribution.

      • Trusted nodes may be still overloaded, broken or compromised

      • Untrusted nodes may be well behaved.

Detection of routing misbehaviors1
Detection of Routing Misbehaviors

  • Method:

    • Detect with the help of base station

      • “Location-centric Isolation of Misbehavior and Trust Routing in Energy-constrained Sensor Networks”

    • Detect by monitoring the neighborhood

      • “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks”

Location centric isolation of misbehavior and trust routing in energy constrained sensor networks
Location-centric Isolation of Misbehavior and Trust Routing in Energy-constrained Sensor Networks

  • Misbehavior model

    • Dropping of queries and data packets

  • Assume the availability of location information and the ability to perform geographic routing

  • Main procedure

    • Base stations send marked packets to probe sensors, and rely on the responses to identify and isolate insecure location

    • Sensors route packets to trusted neighbors

Trans components
TRANS Components in Energy-constrained Sensor Networks


Periodic beaconing

Trust routing protocol
Trust Routing Protocol in Energy-constrained Sensor Networks

  • Send packets only toward trusted neighbors

  • Trust table based security mechanism

Trans scenario
TRANS Scenario in Energy-constrained Sensor Networks

Trans scenario1
TRANS Scenario in Energy-constrained Sensor Networks

Isolating insecure location 1 2
Isolating Insecure Location(1/2) in Energy-constrained Sensor Networks

  • Finding Malicious Node (Probing)

    • E-TTL

      • Send probe packet with increasing hop-count

    • Binary

      • Send probe packet in a binary search fashion

    • One-Shot

      • Send probe packet along the path and each node replies its location

Isolating insecure location 2 2
Isolating Insecure Location(2/2) in Energy-constrained Sensor Networks

  • Isolating Method

    • Sink finds misbehaving node and generate Black List

    • Black List Geocast

      • Broadcast black list

      • Remove isolated node from neighbor list

      • Broadcasting overhead

    • Embedded Black List

      • Embedded black list in packet header

      • Detour point using geographic routing

Insider attacker detection
Summary: in Energy-constrained Sensor NetworksLocation-centric Isolation of Misbehavior and Trust Routing in Energy-constrained Sensor Networks

  • Routing misbehaviors detection and isolation

    • Centralized detection

    • Isolating Misbehavior node using black list

  • Trust routing protocol design

    • Trust evaluation may be not working for insider attackers

      • Based on authentication

Mitigating routing misbehavior in mobile ad hoc networks
Mitigating Routing Misbehavior in Mobile Ad Hoc Networks in Energy-constrained Sensor Networks

  • Ad hoc networks maximize total network throughput by using all available nodes for routing and forwarding.

  • A node may misbehave by agreeing to forward the packet and then failing to do so because it is

    • Overloaded, Selfish, Malicious or Broken

  • Few misbehaving nodes can have a severe impact

Proposed solutions
Proposed Solutions in Energy-constrained Sensor Networks

  • Install extra facilities in the network to detect and mitigate routing misbehavior.

  • Make only minimal changes to the underlying routing algorithm.

  • Two extensions to DSR - “Watchdog” and “Pathrater”

    • Watchdog identifies misbehaving nodes by overhearing transmissions

    • Pathrater avoids routing packets through these nodes

Assumptions in Energy-constrained Sensor Networks

  • Some assumptions are

    • Links between the nodes are bi-directional

    • Nodes are inpromiscuous mode operation

    • Malicious node does not work in groups




Watchdog in Energy-constrained Sensor Networks

  • The watchdog is implemented by maintaining a buffer of recently

  • Each overheard packet ismatchedwith the packet in the buffer

  • In case of a match, the packet in the buffer in removed

  • By overhearing, tampering of payload or header can also be detected

  • If the packet, however, has remained in the buffer for longer than a certain timeout

    • The watchdog increases the failure tally for the node responsible for forwarding on the packet

    • If the tally exceeds the threshold value, it determines that the node is misbehaving

Watchdog contd
Watchdog (Contd) in Energy-constrained Sensor Networks

  • Advantages

    • It can detect misbehavior at the forwarding level

  • Disadvantages are

    • Might not detect packet drops due to collisions

      • Ambiguous collisions

      • Receiver collisions

      • Limited transmission power

      • Others

Ambiguous collisions
Ambiguous Collisions in Energy-constrained Sensor Networks

  • The ambiguous problem prevents node A from overhearing transmission from B

A cannot overhead B



Packet # 1



Packet# 1

Packet # 1






Limited transmission power
Limited transmission Power in Energy-constrained Sensor Networks

  • Misbehaving node can control its transmission power to circumvent the watchdog

A cannot overhead B


Packet # 1

Packet # 1



Packet # 1






False misbehavior
False Misbehavior in Energy-constrained Sensor Networks

  • A reports that B is not forwarding packets when in fact it is.

When nodes falsely report other nodes as misbehaving


Packet # 1



Packet # 1






Failure Tally ++;

If (Failure Tally > Threshold)

notify source;

Collusion in Energy-constrained Sensor Networks

  • A forwards to B, but doesn’t report when B drops the packet.

Multiple nodes in collusion can mount a more sophisticated attack


Packet # 1



Packet # 1






Partial dropping
Partial Dropping in Energy-constrained Sensor Networks

  • B drops packets at a lower rate than the misbehavior detection threshold.

A node can circumvent the watchdog by dropping packets at a lower rate than the watchdog’s configured minimum misbehavior threshold



Packet # 1


Packet # 1

Packet # 2





Failure Tally ++;

If (Failure Tally > Threshold)

notify source;


Pathrater in Energy-constrained Sensor Networks

  • Each nodes maintain a rating for every other node it knows about in the network

  • A path metric is the Average of the Node ratings along the path.

  • The metric gives a comparison of the overall reliability of different paths

  • If there are multiple paths to the same destination, the path with the highest metric is chosen

Summary mitigating routing misbehavior in mobile ad hoc networks
Summary: Mitigating Routing Misbehavior in Mobile Ad Hoc Networks

  • Enable nodes to avoid malicious nodes (overloaded, malicious, selfish, broken) in their routes

    • Watchdog – identifies misbehavior nodes by listening to the next node’s transmission

    • Pathrater – helps routing protocols avoid these nodes

  • Allows nodes to use better paths and thus to increase their throughput

  • The watchdog determines a malicious through threshold comparison.

    • How the threshold value is calculated ? - it is one of the important factor in detecting malicious nodes

A framework for identifying compromised nodes in sensor networks
A Framework for Identifying Compromised Nodes in Sensor Networks

  • Identifying compromised nodes?

    • Use the alert information!

  • But, compromised nodes may …

    • Raise false alerts

    • Form a local majority and collude

    • Behave arbitrarily

  • An application-independent framework to identify compromised node based on alert reasoning

Assumptions Networks

  • Application-specific detection mechanisms

    • Beacon probing, watchdog …

  • Static sensor networks

    • Fixed observability relationship

  • Message confidentiality and integrity

    • Secure comm. with base stations

  • Trustable base stations

    • Centralized

An example
An Example Networks

  • The base station should:

    • Have the monitoring relationship

    • Consider the possibility of false alerts

    • Probe beacon nodes regularly



The sensor network

The observability graph

The framework
The Framework Networks

  • Sensor behavior model:

    • Reliability rm: the percentage of normal activities conducted by an uncompromised node.

  • Observer model:

    • Observability rate rb: s1 may not observe each activity of s2

    • Positive accuracy rp: s1 may not detect the abnormal activity of s2

    • Negative accuracy rn: s1 raise alert against s2, but s2 is normal.

  • Security estimation K

    • The max # of compromised nodes that the network can work

Identification of compromised nodes
Identification of compromised nodes Networks

  • Step 1: Label abnormal/normal alerts

    • Observe the alert pattern

      • Get the expected #Alerts raised by s1 against s2

      • Compare with the actual #Alerts

        • > expected#: abnormal; o.w. normal

Observability rate


Negative accuracy

Positive accuracy

Pb(alert: i against j)

fj(x): the distribution fo #events that can be sensed by j

Rij(t): expected # of alerts raised by i against j, when i, j are uncompromised

Identification of compromised nodes1
Identification of compromised nodes Networks

  • Step 2: Derive suspicious node pairs

    • Labelled observability graph G’(V,Ea+En)

    • Node si and sj are a suspicious pair if:

      • (si,sj) or (sj,si) is in Ea, or

      • s’ exists

        • (si,s’) in Ea & (sj,s’) in En, or,

        • (si,s’) in En & (sj,s’) in Ea.

At least one of the suspicious pair is compromised!



Identification of compromised nodes2
Identification of compromised nodes Networks

  • Step 3: Find the compromised nodes

    • Definition: valid assignment

  • To identify the common nodes in all possible assignments: CompromisedCore

  • The largest number of truly compromised nodes, no false alarms

Alert reasoning algorithm
Alert reasoning algorithm Networks

  • Lemma 3.1: Given an inferred graph I(V;E), let VI be a minimum vertex cover of I. Then the number of compromised nodes is no less than |VI|.

  • Theorem 3.1 Given an inferred graph I and a security estimation K, for any node s in I, s in CompromisedCore(I;K) if and only if |Ns|+CI’s > K.

    • NP-complete

Min vertex cover

Alert reasoning algorithm1
Alert reasoning algorithm Networks

  • Corollary 3.1: Given an inferred graph I and a security estimation K, for any node s in I, if |Ns|+MI’s > K, then s in CompromisedCore(I;K).

    • Maximal matching: MG ≤ CG ≤ 2MG

    • |Ns|+CI’s > |Ns|+MI’s > K

    • Polynomial

Simulation Networks

  • General+mm:

    • The general AppCompromisedCore algorithm + maximum matching

  • EigenRep

  • PeerTrust

    • Reputation-based trust functions for P2P

  • Majority Voting

Summary a framework for identifying compromised nodes in sensor networks
Summary: NetworksA Framework for Identifying Compromised Nodes in Sensor Networks

  • Detection algorithm with maximum accuracy without false alarms

  • Effective with local majority

  • However,

    • A priori knowledge about:

      • sensor behavior model

      • observer model: the accuracy of the alert

        • Observability rate, positive accuracy, negative accuracy, etc.

    • Centralized: the base station does the detection!

The common methodology
The Common Methodology Networks

 Requires application-specific knowledge!

Suspicious Behavior Detection


0/1 predicate

Information Collection


Diagnosis and notification

of the detection result

Reputation evaluation, threshold comparison, etc.

Our work a general solution to insider attacker detection
Our Work – A General Solution to Insider Attacker Detection

  • Insider attackers

    • Compromised nodes under the control of the adversary

    • Data alteration, Message negligence, Selective forwarding, etc

  • Challenges:

    • The insider attacker knows all the secret information!

    • The detection scheme must be efficient, flexible, and localized

    • Cannot use cryptography-based techniques

    • Localized statistical analysis?

The basic idea
The Basic Idea Detection

  • Observation: Similar networking behaviors in close neighborhood.

  • Detection of insider attackers with a light, flexible and localized algorithm?

    • Measure the networking behaviors of neighboring nodes

      • E.g. packet dropping rate, packet sending rate, forwarding delay time, etc.

    • Detect if any abnormal activities exist

       Exploiting the spatial correlation among neighboring sensors!

The basic algorithm
The Basic Algorithm Detection

  • Information Collection

    • Node x gets f (xi) for each neighbor xi in N(x)

  • Outlier Detection

    • Assume f (xi) ~ Nq(μ,Σ), then the Mahalanobis squared distance d2(xi) = (f (xi) -μ)TΣ-1(f (xi) -μ) ~ χ2q. Thus, Prob(d2(xi)> χ2q(α)) = α.

    • xi could be an outlier if d2(xi) is sufficiently large.

  • Majority Vote

Two extensions
Two Extensions Detection

  • Estimate (µ,Σ) from the data set {f(xi)} with the existence of outliers?

    • If f(xi) ~ Nq(μ,Σ), d2(xi) = (f(xi) -μ)TΣ-1(f(xi) -μ) ~ χ2q

    • (µ,Σ) is about the population of normal sensors

    • Cannot use sample mean, sample covariance-covariance to estimate (µ,Σ)

       Robust statistics: Orthogonalized Gnanadesikan-Ketterring (OGK)

Two extensions1
Two Extensions Detection

  • For a sparse network, information is collected from multi-hop neighborhood, which may be inserted with false data.

     Trust-based false information filtering

B: (21,42,39)



B: (20,30,39)





B: (18,31,37)

Trust based false information filtering
Trust-based false information filtering Detection



Sensor (A) should select a reliable relay node (D or F?) based on its own observation.





A’s monitoring results

Trust value

C: (19,32,40)

D: (22,11,42)

E: (21,29,38)

F: (19,31,39)

C: (0.83,0.63,0.15)

D: (1.17,1.49,1.31)

E: (0.50,0.33,1.02)

F: (0.83,0.53,0.44)

C: 0.83

D: 1.49

E: 1.02

F: 0.83

C: 1

D: 0.56

E: 0.81

F: 1






Performance evaluation 1 3

Evaluation metrics Detection

Detection accuracy:

False alarm:

Simulation settings

Sparse or Dense networks

Compromised relay nodes:

Performance Evaluation (1/3)

D: Identified outliers

O: Real outliers

Performance evaluation 2 3
Performance Evaluation (2/3) Detection

  • Dense networks

Performance evaluation 3 3
Performance Evaluation (3/3) Detection

  • Sparse networks

Conclusion Detection

  • Achieves high detection accuracy, with low false alarm rate

  • Works well with 25% misbehaving sensors

  • Requires no a priori knowledge about network activities

  • Relies on localized information exchange only

  • Login