
A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks

Adrian P. Lauf, Richard A. Peters and William H. Robinson

April 2-3, 2008

Outline
  • Motivation
  • Methods
  • Results
  • Application to SCADA

"A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson

April 2-3, 2008


What is HybrIDS?
  • Hybrid, Distributed, Embeddable IDS (HybrIDS)
  • Identify deviant activity on an ad hoc network
  • Distributed implementation strategy
  • Utilize multiple detection strategies
    • Zero-knowledge phase
    • Calibration-based phase
  • Function on resource-constrained devices
  • Integrate with SCADA (Supervisory Control And Data Acquisition) networks


Why HybrIDS for SCADA?
  • SCADA deployments are becoming increasingly distributed rather than localized
  • Wireless and IP-based networks substantially widen the attack surface
  • Sensor/actuator nodes have no inherent security built in
  • HybrIDS is designed with scalability in mind


Why is HybrIDS different?
  • It is decentralized
    • Reduces dependence on a single system
    • Reduces power consumption
      • Avoids compute-intensive centralized operations
    • Allows for group consensus decisions
      • Each unit maintains its own model of the world
    • Reduces the chance that an attacker tampers with a single central system
  • It runs on resource-constrained devices
    • Runs well on embedded Linux platforms
  • It is portable
    • Uses abstraction so it is not tied to one application context
    • Coded in Java for enhanced portability
  • It is adaptable
    • HybrIDS can abstract many ad hoc network scenarios:
      • Autonomous aircraft networks and avionic protocols (ADS-B)
      • Swarm-based microrobotics
      • Self-contained sensor nodes


What can HybrIDS do?
  • Identify single or multiple anomalies on an ad hoc network
  • Adaptable to various attack configurations
    • DoS
    • Timed attacks
    • Command injection
    • Network disruption
  • Locate deviant nodes with zero prior knowledge of the system architecture
  • Adapt to system changes in a scalable manner



Simplifying by Abstraction
  • Node interactions are classified by labels
  • Interaction histories are recorded
    • Each node maintains action histories from its own point of view
  • Abstraction permits context independence
    • Applicable to any system that uses a predetermined set of actions


Why a hybrid approach?
  • Phase 1 (zero-knowledge) requires no training data
    • Can isolate a single anomaly
  • Phase 2 (calibration-based) requires training data
    • Can detect multiple anomalies
    • More flexible to system changes

[Figure: Phase 1 followed by Phase 2 along a time-progression axis]


Detection Method: Maxima Analysis: Setup

  • A histogram is formed for each connected node
    • Node A will track B, C, and D
  • Average system behavior is obtained by averaging across the observed nodes
  • Bins correspond to action labels
  • Data must be normalized to a distribution
    • E.g. Gaussian, chi-squared

[Figure: a nodes-by-labels matrix of histograms is summed and divided by (n-1), giving the average behavioral PDF for the system]


Maxima Detection Algorithm
  • The averaged vector approximates the system's behavioral PDF
  • Find the global maximum and exclude it from consideration
  • Identify and mark the remaining local maxima
  • Each local maximum indicates a likely intrusion-motivated behavior
  • Reverse-map that label to the node in which it occurs most frequently
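The maxima-analysis setup and the detection steps above, worked through in Python as an added example; this is not HybrIDS's own Java code. The action labels, the constructed observation log from node A's point of view, and the use of bin order for the local-maximum test are assumptions that the slides do not specify.

```python
"""Maxima Detection (MDS) over abstracted interaction labels.

Added illustration, not HybrIDS code.  One observer (node A) keeps a histogram
of the action labels it has seen from each neighbour; the histograms are
normalised and averaged (sum / (n-1)) into an approximate behavioural PDF for
the system; local maxima other than the global maximum mark suspicious
behaviours, each of which is reverse-mapped to the neighbour that emits that
label most often.
"""
from collections import Counter

# Hypothetical action labels; the order fixes the histogram bin order.
LABELS = ["read", "write", "ack", "heartbeat", "cmd"]


def histograms(observations, labels=LABELS):
    """Per-neighbour label counts from one observer's point of view.

    observations: iterable of (neighbour, label) pairs.
    """
    counts = {}
    for node, label in observations:
        counts.setdefault(node, Counter())[label] += 1
    return {node: [c[l] for l in labels] for node, c in counts.items()}


def normalize(vec):
    """Turn raw counts into a probability distribution over bins."""
    total = sum(vec)
    return [v / total for v in vec] if total else [0.0] * len(vec)


def average_pdf(hists):
    """Sigma/(n-1): mean of the normalised histograms of the n-1 observed nodes."""
    pdfs = [normalize(h) for h in hists.values()]
    k = len(pdfs)
    return [sum(p[i] for p in pdfs) / k for i in range(len(pdfs[0]))]


def local_maxima(pdf):
    """Bin indices that are strictly higher than both neighbouring bins.

    Endpoints compare against one neighbour only.  Note the dependence on bin
    order: MDS assumes normal behaviour forms a single peak once the data has
    been normalised to a distribution.
    """
    out = []
    for i, v in enumerate(pdf):
        left = pdf[i - 1] if i > 0 else -1.0
        right = pdf[i + 1] if i < len(pdf) - 1 else -1.0
        if v > left and v > right:
            out.append(i)
    return out


def mds_detect(observations, labels=LABELS):
    """Return (average PDF, {suspicious label: most frequent emitter})."""
    hists = histograms(observations, labels)
    pdf = average_pdf(hists)
    gmax = max(range(len(pdf)), key=pdf.__getitem__)  # dominant behaviour, excluded
    suspects = {}
    for i in local_maxima(pdf):
        if i == gmax:
            continue
        # Reverse-map the label to the neighbour that produced it most often.
        suspects[labels[i]] = max(hists, key=lambda n: hists[n][i])
    return pdf, suspects


def sample_observations():
    """Constructed log from node A's point of view: B, C and D behave alike,
    E floods the network with commands (a command-injection profile)."""
    normal = {"read": 8, "write": 3, "ack": 2, "heartbeat": 1, "cmd": 0}
    deviant = {"read": 1, "write": 1, "ack": 1, "heartbeat": 1, "cmd": 10}
    obs = []
    for node in ("B", "C", "D"):
        obs += [(node, lbl) for lbl, k in normal.items() for _ in range(k)]
    obs += [("E", lbl) for lbl, k in deviant.items() for _ in range(k)]
    return obs


if __name__ == "__main__":
    pdf, suspects = mds_detect(sample_observations())
    print([round(p, 3) for p in pdf])  # [0.446, 0.179, 0.125, 0.071, 0.179]
    print(suspects)                     # {'cmd': 'E'}
```

The "cmd" bin becomes a local maximum only because E's flood lifts it above the neighbouring "heartbeat" bin; with a different bin order, or with a second deviant node spreading its excess across several labels, the single-anomaly limitation of phase 1 shows up directly.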


Detection Method: Cross-correlation

[Figure: the nodes-by-labels histogram matrix is averaged (sum / (n-1)) into an average PDF; each node's histogram is cross-correlated with that average PDF to produce a score]


Score Analysis
  • The average score is computed
  • Each node's score is compared to the average
  • Deviance is determined by a threshold

[Figure: per-node scores plotted against node number, with the mean score line, the threshold bounds set around it, and a suspected deviant node whose score falls outside those bounds]


Threshold Requirements
  • The threshold varies for each scenario
    • It represents the percentage deviation required before a node is suspected
  • The need for a scenario-specific threshold is a weakness of CCIDS
  • A poorly chosen threshold generates false positives
    • Reduced by selecting a proper threshold
    • A minimal baseline threshold can be set, at the risk that the system never converges


Required Thresholds for Proper Detection (CCIDS)
  • The required threshold changes linearly with deviant-node pervasion
  • The number of nodes has negligible impact on the threshold requirement
  • In the figure (not reproduced here), 0.2 represents a 100% deviation
    • Detects only nodes that vary significantly
  • 0.02 represents a 10% deviation
    • More sensitive to smaller node deviations


Selecting Detection Phases

HybridState object

determines if transition

point has been reached

If one of the results from

CCIDS matches a suspected

node from MDS, a match

is considered found


Transitioning between phases
  • Increasing the deviant-node pervasion requires more tuning cycles
  • The threshold is adjusted once per tuning cycle
  • The figure (not reproduced here) shows an average over all cluster sizes
    • The number of transition cycles is independent of node cluster size
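The cross-correlation score, the threshold test, and the HybridState transition described in the preceding slides (Detection Method: Cross-correlation, Score Analysis, Threshold Requirements, Selecting Detection Phases, Transitioning between phases), as one added Python example rather than HybrIDS's own code. Assumptions: the score is the zero-lag cross-correlation (dot product) of each node's normalized histogram with the average PDF; the threshold is expressed as a fraction of the mean score; the tuning loop starts at a strict threshold and loosens it by a fixed step once per cycle; the MDS suspect is supplied as an input rather than recomputed; and the observation log is constructed.

```python
"""CCIDS scoring, threshold test and the MDS -> CCIDS phase transition.

Added illustration, not HybrIDS code.  Assumptions: the score is the zero-lag
cross-correlation (dot product) of each node's normalised histogram with the
average PDF; a node is suspect when its score differs from the mean score by
more than a threshold expressed as a fraction of that mean; the tuning loop
starts strict and loosens the threshold by a fixed step once per cycle.
"""
from collections import Counter

# Hypothetical action labels; the order fixes the histogram bin order.
LABELS = ["read", "write", "ack", "heartbeat", "cmd"]


def node_pdfs(observations, labels=LABELS):
    """Normalised per-neighbour histograms from one observer's point of view."""
    counts = {}
    for node, label in observations:
        counts.setdefault(node, Counter())[label] += 1
    return {node: [c[l] / sum(c.values()) for l in labels]
            for node, c in counts.items()}


def average_pdf(pdfs):
    """Sigma/(n-1): mean over the n-1 observed nodes."""
    k = len(pdfs)
    n_bins = len(next(iter(pdfs.values())))
    return [sum(p[i] for p in pdfs.values()) / k for i in range(n_bins)]


def ccids_scores(pdfs):
    """Cross-correlate each node's PDF with the average PDF (assumed: zero lag)."""
    avg = average_pdf(pdfs)
    return {node: sum(a * b for a, b in zip(p, avg)) for node, p in pdfs.items()}


def ccids_detect(pdfs, threshold):
    """Nodes whose score deviates from the mean score by more than threshold*mean.

    threshold is the percentage deviation required for suspicion: 0.2 flags only
    nodes that deviate by 20 % or more; 0.1 is more sensitive and, on the sample
    below, produces false positives.
    """
    scores = ccids_scores(pdfs)
    mean = sum(scores.values()) / len(scores)
    return sorted(n for n, s in scores.items() if abs(s - mean) > threshold * mean)


class HybridState:
    """Holds the phase-1 (MDS) suspect and decides when the transition point is
    reached: a CCIDS result that matches the MDS suspect counts as a match."""

    def __init__(self, mds_suspect, start=1.0, step=0.1, floor=0.0):
        self.mds_suspect = mds_suspect
        self.start, self.step, self.floor = start, step, floor
        self.phase, self.cycles, self.threshold = 1, 0, start

    def tune(self, pdfs, max_cycles=50):
        """Adjust the threshold once per tuning cycle until CCIDS agrees with MDS.
        Returns (phase, cycles used, final threshold)."""
        while self.phase == 1 and self.cycles < max_cycles:
            self.threshold = round(self.start - self.step * self.cycles, 6)
            if self.threshold < self.floor:
                break  # minimal baseline reached without convergence
            self.cycles += 1
            if self.mds_suspect in ccids_detect(pdfs, self.threshold):
                self.phase = 2  # transition point: hand over to CCIDS
        return self.phase, self.cycles, self.threshold


def sample_pdfs():
    """Constructed log from node A's point of view: B, C and D behave alike,
    E issues a flood of commands."""
    normal = {"read": 8, "write": 3, "ack": 2, "heartbeat": 1, "cmd": 0}
    deviant = {"read": 1, "write": 1, "ack": 1, "heartbeat": 1, "cmd": 10}
    obs = [(n, lbl) for n in ("B", "C", "D")
           for lbl, k in normal.items() for _ in range(k)]
    obs += [("E", lbl) for lbl, k in deviant.items() for _ in range(k)]
    return node_pdfs(obs)


if __name__ == "__main__":
    pdfs = sample_pdfs()
    print(ccids_detect(pdfs, 0.2))       # ['E']
    print(ccids_detect(pdfs, 0.1))       # ['B', 'C', 'D', 'E']  (threshold too loose)
    print(HybridState("E").tune(pdfs))   # (2, 8, 0.3)
```

On this sample the well-behaved nodes sit about 11% from the mean score and E about 34%, so a 20% threshold isolates E while a 10% threshold flags everyone; the tuning loop reaches the 30% threshold on its eighth cycle, which is where CCIDS first agrees with the MDS suspect and phase 2 begins. Passing a floor above the deviation of the suspect reproduces the non-convergence case from the Threshold Requirements slide.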


HybrIDS Implementation
  • Implemented in Java 5 (1.5)
    • Chosen for code portability
  • ARM9 development board target
  • 2.73 KB memory footprint for a 35-agent system with 10 behaviors
    • MDS and CCIDS share a single data structure
  • Storage footprint less than 46 KB
  • Flexible interface implementation
    • TCP/UDP for the network interface
    • Disk-based access for simulation
    • RS-232/serial interface possible



Analysis of HybrIDS Performance
  • HybrIDS can reliably detect deviant nodes up to 22% pervasion
  • At 25% pervasion and above, detection is no longer deterministic
  • Scalability is governed by percentage pervasion
    • The number of nodes in the cluster does not affect scalability
  • The graph (not reproduced here) reports total time: MDS, transition and CCIDS cycles


Operational Footprint
  • HybrIDS together with its JVM uses 5 MB of application memory (Linux 2.6.22)
  • Maximum power requirement is 5 watts above the idle power of the ARM9 platform



HybrIDS and SCADA
  • HybrIDS is optimized for homogeneous ad hoc networks
  • SCADA is heterogeneous overall, but it contains homogeneous components to which HybrIDS applies
  • HybrIDS can operate on RTU nodes within the SCADA infrastructure


HybrIDS and SCADA (cont’d)
  • SCADA is migrating increasingly onto vulnerable network infrastructures
    • WAN
    • WLAN
  • HybrIDS can detect attacks on these networks
    • DDoS and packet drops alter interaction request frequencies
    • Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes


Conclusion
  • HybrIDS provides a flexible IDS framework for ad hoc networks
  • Its distributed nature allows for seamless integration and reliability
  • It can integrate easily into existing frameworks, such as SCADA
  • It offers scalable performance for multiple-anomaly detection

[Figure: ARM9 development platform]
