
Protecting Mobile Ad Hoc Network Routing Infrastructure with Intrusion Detection Systems


Presentation Transcript


  1. Protecting Mobile Ad Hoc Network Routing Infrastructure with Intrusion Detection Systems
    Yi-an Huang and Wenke Lee, College of Computing, Georgia Institute of Technology

  2. Outline
    • Motivation and Attack Analysis on Mobile Ad Hoc Networks
    • IDS Design
      • Intrusion Detection
        • Architecture: Node-based vs. cluster-based
        • Approach: Specification-based vs. statistics-based
      • Intrusion Response: Traceback and Filtering
    • Future Work
      • Better machine learning approaches
      • Verification of protocol state machine and distributed protocols

  3. Mobile Ad Hoc Networks (MANET)
    • Concepts
      • Mobile hosts with no fixed infrastructure
      • Connected through wireless links
      • No centralized control
      • Multi-hop routing
      • Great potential for a number of new self-managing applications
    • Characteristics
      • Inadequate physical protection
        • Node compromise may be more common
      • Mobile routing topology
        • No single traffic concentration point (gateways, access points, etc.)
      • Resource-constrained capability
      • Existing security solutions designed for wired networks may have problems

  4. Routing Attack Example: Sinkhole

  5. General Assumption
    • Reliable Communication Channel
      • Bi-directional
      • Free from loss/congestion
    • Adversary Model
      • Every node in MANET may be compromised, and with equal probability
      • We focus on attacks on routing protocols

  6. Attack Analysis in MANET Routing
    • Traditional attack analysis is based on knowledge of known incidents. It is therefore hard to apply in MANET, since MANET is a relatively new environment
    • Our proposed approach: perform a taxonomy study on anomalous basic events
      • Decompose routing behavior into basic events: the smallest set of causally-related operations in a single node
      • Anomalous basic events are basic events that do not follow the normal protocol behavior
        • They can be used to define a set of basic attacks conducted on a single node
        • More complicated attacks can be modeled by combinations of anomalous basic events
    • Taxonomy of anomalous basic events
      • on the security goals that may be compromised: confidentiality, integrity and availability; and
      • on the routing elements that may be targeted by attackers: routing and data messages, routing table entries

  7. Taxonomy of Anomalous Basic Events
    Bold face represents what an IDS agent is currently capable of.

  8. Comparison of Security Solutions
    • Prevention techniques
      • Provide authenticated use and data integrity
      • Con: susceptible to insider attacks, software bugs, etc.
    • Reputation systems
      • An alternative concept: selfishness is natural
      • Incentives are provided to encourage forwarding
      • Con: only address a limited security problem
    • Intrusion Detection and Response
      • Capture potential misbehavior in real time (Detection)
      • Identify attack sources (Traceback)
      • Respond promptly to recover from or minimize damage (Filtering)

  9. IDS Architecture
    (Architecture diagram: an IDS Agent composed of Intrusion Detection, with Feature Collection, Node-Based Detection and Cooperative Detection, and Intrusion Response, with Traceback and Filtering, over Secure Communication)

  10. Feature Collection Based on Routing Protocol Specification
    • Motivation
      • Previously, we chose features manually based on domain knowledge and heuristics
      • A more systematic approach is preferred
    • Solution: enumerate possible features derived from a protocol specification described in an extended state machine
      • An Extended Finite State Automaton (EFSA) is a finite-state machine where transitions and states can carry a finite set of arguments. EFSAs can be derived from protocol implementations, RFCs or other specifications
      • Define behavior on the routing protocol level
      • Issue: how do we verify the correctness of the EFSA?
    • Case study: AODV (Ad hoc On-demand Distance Vector) Routing Protocol (Perkins’03)

  11. Example
    • Semantic Violation: Interruption of Data Packets
    • Statistical Violation: Flooding of Data Packets
    Transition T10 from state Valid[ob, oSeq, nHops, nxt]: DATA?[Src, ob] -> if (ob != cur) DATA![Src, ob, nxt]
    (a data packet for destination ob, received while the route entry is Valid, must be forwarded to next hop nxt unless this node is the destination)
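An added example, not code from the paper: a monitor for the transition T10 above that flags the two violations on this slide. A data packet received in state Valid but not forwarded by the end of the sampling period is an interruption (semantic), and too many DATA? arrivals in a sliding window is flooding (statistical). The event tuple format, class name and thresholds are this example's own assumptions.

```python
from collections import deque

# Added example (not from the paper): monitor for AODV EFSA transition T10
#   Valid[ob, oSeq, nHops, nxt]: DATA?[Src, ob] -> if (ob != cur) DATA![Src, ob, nxt]
class AodvEntryMonitor:
    def __init__(self, cur, window=10, flood_threshold=20):
        self.cur = cur                      # this node's own address
        self.valid = {}                     # ob -> (oSeq, nHops, nxt): entries in state Valid
        self.pending = {}                   # (src, ob) -> DATA? received, not yet forwarded
        self.window = window                # sampling window for the statistical check
        self.flood_threshold = flood_threshold
        self.arrivals = deque()             # timestamps of recent DATA? events
        self.alerts = []

    def set_valid(self, ob, oSeq, nHops, nxt):
        self.valid[ob] = (oSeq, nHops, nxt)

    def on_event(self, t, ev):
        """ev is ('DATA?', src, ob), ('DATA!', src, ob, nxt) or ('TICK',)."""
        kind = ev[0]
        if kind == "DATA?":
            src, ob = ev[1], ev[2]
            self._flood_check(t)
            if ob != self.cur and ob in self.valid:       # T10 obliges us to forward
                self.pending[(src, ob)] = self.pending.get((src, ob), 0) + 1
        elif kind == "DATA!":
            src, ob, nxt = ev[1], ev[2], ev[3]
            key = (src, ob)
            if self.pending.get(key, 0) == 0:             # forwarded without a matching DATA?
                self.alerts.append(("unsolicited_forward", t, key))
            else:
                self.pending[key] -= 1
                if self.valid[ob][2] != nxt:              # T10 requires nxt from the entry
                    self.alerts.append(("wrong_next_hop", t, key))
        elif kind == "TICK":
            # Semantic violation: period ended and received data was never forwarded
            for key, n in self.pending.items():
                if n > 0:
                    self.alerts.append(("interruption", t, key))
            self.pending.clear()
        return self.alerts

    def _flood_check(self, t):
        # Statistical violation: DATA? arrivals in the sliding window exceed the threshold
        self.arrivals.append(t)
        while self.arrivals[0] <= t - self.window:
            self.arrivals.popleft()
        if len(self.arrivals) > self.flood_threshold:
            self.alerts.append(("flooding", t, len(self.arrivals)))
```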

  12. Two Detection Approaches
    • Target different anomalous basic events
    • Specification-based detection
      • Detect violations of the EFSA specification
      • High accuracy, assuming that the specification correctly models all normal behavior in semantics
    • Statistics-based detection
      • Many attacks do not violate the specification directly
      • The statistics-based approach, equipped with machine learning tools, can detect abnormal statistical patterns
      • Statistical features are extracted from states and transitions of the EFSA
    • Misuse detection vs. anomaly detection

  13. Anomalous Basic Events Revisited
    Underlined categories are covered by the specification-based approach

  14. Feature Selection
    • Learning-based approaches do not work well with a large number of features
    • A filter approach based on labeled data
      • Start with the empty set: G_0 = {}
      • Add a new feature f_i that maximizes the relative entropy of the two distribution functions P(C|G) and P(C|G ∪ {f}): G_{i+1} = G_i ∪ {f}
      • Until the relative entropy is insignificant
    • Efficient in practice
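The forward selection loop above, as an added example rather than the paper's code. It reads the slide's "relative entropy of P(C|G) and P(C|G ∪ {f})" as the data-weighted KL divergence between the two conditional class distributions, which equals the conditional mutual information I(C; f | G); that reading, the function names and the sample records are this example's assumptions.

```python
import math
from collections import Counter

# Added example (not the paper's code): forward feature selection from slide 14.
# Gain = sum_{g,f} P(g,f) * KL( P(C|g,f) || P(C|g) ) = I(C; f | G)  (example's reading)
# Records are dicts of feature values plus a "class" label (all constructed).
def relative_entropy_gain(records, G, f):
    n = len(records)
    joint, gf, gc, g = Counter(), Counter(), Counter(), Counter()
    for r in records:
        kg, kf, c = tuple(r[x] for x in G), r[f], r["class"]
        joint[(kg, kf, c)] += 1
        gf[(kg, kf)] += 1
        gc[(kg, c)] += 1
        g[kg] += 1
    total = 0.0
    for (kg, kf, c), cnt in joint.items():
        p_c_given_gf = cnt / gf[(kg, kf)]         # P(C=c | G=kg, f=kf)
        p_c_given_g = gc[(kg, c)] / g[kg]         # P(C=c | G=kg)
        total += (cnt / n) * math.log2(p_c_given_gf / p_c_given_g)
    return total

def select_features(records, candidates, min_gain=0.05):
    """G_0 = {}; G_{i+1} = G_i ∪ {f} for the f maximising the gain,
    until the gain becomes insignificant (below min_gain)."""
    G = []
    while True:
        remaining = [f for f in candidates if f not in G]
        if not remaining:
            break
        best = max(remaining, key=lambda f: relative_entropy_gain(records, G, f))
        if relative_entropy_gain(records, G, best) < min_gain:
            break
        G.append(best)
    return G

# Constructed sample: "a" determines the class, "c" duplicates "a", "b" is noise.
# The redundant "c" adds no information once "a" is selected, so it is never chosen.
SAMPLE = [{"a": i // 4, "b": i % 2, "c": i // 4, "class": i // 4} for i in range(8)]
```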

  15. Node-Based Detection vs. Cooperative Detection
    • Node-based detection
      • IDS agents operate on every MANET node
      • The only reliable features are those collected by the local feature collection module
      • Most secure and reliable, but may suffer from
        • ineffectiveness due to inconclusive evidence
        • inefficiency due to redundant feature computation
    • Cluster-based detection
      • Group nodes into clusters. Each cluster has a certain number of special nodes, or clusterheads
      • Only a clusterhead runs the IDS agent to monitor the whole neighborhood
      • Limitation: best-effort service
    • Design Criteria
      • Fairness: Don’t elect me, too much work!
      • Security: Control the clusterheads, control everything!
      • Classical cluster protocols (min ID, max degree) do not satisfy these requirements

  16. Cluster Formation Protocol
    • Start with clique computation
    • Each clique member chooses a random input r_i and broadcasts the input
    • Each member independently computes the initial seed by XOR-ing all inputs: H(r_1, r_2, …, r_n) = ⊕ r_i
      • The XOR function guarantees the output is random as long as at least one input is truly random
      • In fact, inputs are broadcast through a two-round protocol to avoid a delayed-response attack
    • A sequence of m clusterheads is generated using a PRNG
    • A consistency protocol ensures that the same clusterheads are elected, through role acknowledgement
    • Clusterheads are re-elected after a certain timeout
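The election on this slide simulated in one process, as an added example and not the paper's protocol code. A commit-then-reveal exchange is used here as the concrete form of the two-round broadcast: a member that waits to see the others' inputs before choosing its own cannot produce a matching commitment. Class and function names are assumptions.

```python
import hashlib
import random
import secrets

# Added example (not the paper's code): clusterhead election from slide 16.
def commitment(r):
    return hashlib.sha256(r).digest()

def xor_seed(inputs):
    """H(r1, ..., rn) = XOR of all inputs: random if any single input is random."""
    seed = bytes(32)
    for r in inputs:
        seed = bytes(a ^ b for a, b in zip(seed, r))
    return seed

def clusterhead_sequence(seed, members, m):
    # A PRNG seeded with the shared seed yields the same sequence of m heads everywhere
    rng = random.Random(int.from_bytes(seed, "big"))
    return [rng.choice(sorted(members)) for _ in range(m)]

class Member:
    def __init__(self, ident):
        self.id, self.r = ident, secrets.token_bytes(32)
        self.commits, self.reveals = {}, {}
    def round1(self):                       # round 1: broadcast commitment to r_i
        return self.id, commitment(self.r)
    def round2(self):                       # round 2: reveal r_i
        return self.id, self.r
    def on_commit(self, who, c):
        self.commits[who] = c
    def on_reveal(self, who, r):
        # A late or altered input cannot match a commitment made before the others were seen
        if who not in self.commits or commitment(r) != self.commits[who]:
            raise ValueError(f"reveal from {who} does not match its commitment")
        self.reveals[who] = r
    def elect(self, m):
        ids = sorted(self.reveals)
        return clusterhead_sequence(xor_seed(self.reveals[i] for i in ids), ids, m)

def run_election(members, m):
    for a in members:
        for b in members:
            b.on_commit(*a.round1())
    for a in members:
        for b in members:
            b.on_reveal(*a.round2())
    views = [x.elect(m) for x in members]
    if any(v != views[0] for v in views):   # role acknowledgement: all views must agree
        raise RuntimeError("inconsistent election")
    return views[0]
```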

  17. Discussion
    • Fairness Concern
      • Clusterhead Computation: short-term fairness
      • Periodic re-election: long-term fairness
    • Security Concern
      • Defend against clusterhead compromise
        • Short-term and long-term fairness
        • Mutual monitoring
      • Defend against attacks on the consistency protocol
        • A node can refuse to participate until it is elected
        • A node can refuse to be a clusterhead but join the same (or another) cluster later
        • Detecting these attacks may be complicated due to node mobility
      • Improved version
        • A retreat counter is recorded on every member for every other member
        • Meeting a certain threshold is considered a violation
        • The retreat counter is reset periodically

  18. Cluster-Based Detection Models
    • Similar approaches can be applied
      • Specification-based
      • Statistics-based
    • Feature collection
      • A randomly chosen cluster member computes the necessary features at every sampling period
        • Reduces redundant feature computation
      • Communication overhead may be further reduced by having “common” features computed directly by the clusterhead
    • Clusterhead-controlled features
      • Capable of developing new detection rules that involve features from multiple nodes

  19. IP Traceback
    • What about IP spoofing?
      • IDS detects attacks based on behavior, but taking proper countermeasures would be hard without knowing the true identities of attack sources
      • A proper authentication system in place may solve the problem, but it is not universally available
    • Traditional traceback solutions are unsuitable
      • Hop-by-hop tracing requires collaborative routers and knowledge about global topology
      • Packet marking and ICMP traceback require static routes

  20. Hotspot-Based Traceback Protocol
    • Fully distributed, working in a mobile topology and with an arbitrary number of compromised nodes
    • Based on hash-based traceback (Snoeren’01)
      • Use Bloom Filters to store the packet digest whenever a packet was forwarded
    • Extends the original Bloom Filter
      • Store the TTL along with each stored packet
      • Reconstruct the original attack path based on replies with the additional information
    • Resilient to malicious routers and inaccurate TTL
    • Detect “hotspots” where adversaries are contained
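An added example, not the paper's implementation, of the Bloom-filter extension on this slide: each router records (packet digest, TTL) when it forwards a packet, and the victim orders the routers that answer a digest query by the TTL they saw, so the highest TTL marks the hop nearest the sender. A TTL gap in the ordered replies exposes a hop that did not answer. The digest fields, class names and the 256-TTL query are this example's assumptions.

```python
import hashlib

# Added example (not the paper's code): per-router (digest, TTL) Bloom filter
# and a victim-side path reconstruction, following slide 20.
class TtlBloom:
    def __init__(self, m_bits=1 << 16, k=4):
        self.bits, self.m, self.k = bytearray(m_bits // 8), m_bits, k
    def _positions(self, digest, ttl):
        h = hashlib.sha256(digest + bytes([ttl])).digest()     # k positions from one hash
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]
    def add(self, digest, ttl):
        for p in self._positions(digest, ttl):
            self.bits[p >> 3] |= 1 << (p & 7)
    def contains(self, digest, ttl):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest, ttl))

def packet_digest(pkt):
    # Only hop-invariant fields go into the digest; the TTL changes at every hop
    head = f"{pkt['src']}|{pkt['dst']}|{pkt['id']}|".encode()
    return hashlib.sha256(head + pkt["payload"]).digest()

class Router:
    def __init__(self, name):
        self.name, self.bloom = name, TtlBloom()
    def forward(self, pkt):
        self.bloom.add(packet_digest(pkt), pkt["ttl"])   # record TTL as received
        pkt["ttl"] -= 1
    def query(self, digest):
        """Reply with every TTL value at which this router remembers the digest."""
        return [t for t in range(256) if self.bloom.contains(digest, t)]

def trace(routers, digest):
    """Order replying routers by TTL (highest first = nearest to the sender).
    A TTL gap marks a hop that did not answer, e.g. a non-cooperating router."""
    seen = []
    for r in routers:
        ttls = r.query(digest)
        if ttls:
            seen.append((max(ttls), r.name))
    seen.sort(reverse=True)
    path = [name for _, name in seen]
    gaps = [seen[i][1] for i in range(len(seen) - 1) if seen[i][0] - seen[i + 1][0] > 1]
    return {"path": path, "hotspot": path[0] if path else None, "gaps_after": gaps}
```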

  21. Packet Filtering
    • Currently focus on filtering a single attack flow
    • End-host filtering
      • Stop selective flows based on source addresses
      • Effective only when flows are not spoofed
    • Fast filtering
      • Rely on Hotspot-based Traceback
      • Filter on intermediate routers in the attack path
      • Optimize with linear programming
        • Maximize attack packet dropping rate
        • Minimize normal packet dropping rate

  22. Conclusions & Future Work
    • Intrusion detection and response is a critical security component in MANET
    • We propose a new MANET IDS architecture
      • Working under specific assumptions based on the MANET characteristics
      • Highly effective in detecting well-known routing attacks
    • Future work
      • Improve feature selection approaches
      • Verification of
        • EFSA specification
        • Cluster Formation Protocol
        • Hotspot-Based Traceback Protocol
