intrusion detection on manets
Skip this Video
Download Presentation
Intrusion Detection on Manets

Loading in 2 Seconds...

play fullscreen
1 / 22

Intrusion Detection on Manets - PowerPoint PPT Presentation

  • Uploaded on

Intrusion Detection on Manets. Kulesh Shanmugasundaram [email protected] SYN. SYN Overview of Manets Overview of IDS Problems of Current Techniques Research Challenges Proposed Solutions Conclusion FIN. Manets. How Ad-Hoc is Ad-Hoc? No, really? Mechanics of Manets

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Intrusion Detection on Manets' - omar

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • SYN
  • Overview of Manets
  • Overview of IDS
  • Problems of Current Techniques
  • Research Challenges
  • Proposed Solutions
  • Conclusion
  • FIN
  • How Ad-Hoc is Ad-Hoc?
    • No, really?
  • Mechanics of Manets
    • Auto-configuration (zeroconf, ipng)
      • Nodes should be able to configure themselves when they join a “community” (e.g. choosing names, locating services)
      • Mechanics of configuration should be transparent to applications
    • Routing (manet)
      • Table driven vs. on-demand algorithms
      • Performance depend on topology, density, size, mobility etc.
      • So, it is hard to agree upon a standard
    • Applications
      • We really don’t know
    • Security (manet)
      • Security of operations (e.g. integrity of routing mechanisms etc.)
      • Physical security of nodes (e.g. lost devices, tampering etc.)
      • Who is the weakest link? (network is as secure as the weakest link)
vulnerabilities of manets
Vulnerabilities of Manets
  • Vulnerabilities accentuated by manet context
    • Access Control
      • Lack of physical boundary/packet boundary
      • Shared, open broadcast medium
      • E.g. IP masquerading, passive eavesdropping, DoS
  • Vulnerabilities specific to manets
    • Trust
      • Lack of trust in the underlying infrastructure
      • Collaborative participation of networks is mandatory for routing and auto-configuration
      • E.g. Refusal of Service (RoS), Emission of false information, Sleep-deprivation torture, DoS on MAC, DAD
  • Homework
    • List at least 5 properties of manets that accentuate security vulnerabilities?
    • Explain how they impact security, with examples.
intrusion detection systems
Intrusion Detection Systems
  • Attempts to detect intrusions on autonomous systems e.g: computer networks
  • Based on Deployment
    • Host Based (HIDS) (e.g. ZoneAlarm)
      • Uses hosts’ audit logs & visible traffic for intrusion detection
    • Network Based (NIDS) (e.g. NFR)
      • Uses substantial network traffic for intrusion detection
  • Based on Techniques
    • Anomaly Detection (e.g. use of normal profile)
    • Misuse Detection (e.g. use of attack signatures)
    • Specification Based (e.g. monitor invariants for violations)
    • Policy Based (e.g. monitor policy violations)
requirements of an ids on manets
Requirements of an IDS on Manets
  • Not introduce a new weakness
    • Anomaly detection system itself should not make the node weaker than it already is (e.g. listening in promiscuous mode)
  • Need little system resources
    • In general nodes on manets have stringent requirements on resources (e.g. may not be able to run complex detection algorithms)
  • Have proper response for detections
    • An IDS should not only detect but also should response to the detected intrusions, preferably without human intervention (e.g. modify firewall to avoid attacking hosts etc.)
  • Be reliable
    • Fewer false positives, as there is no extensive crisis control infrastructure to handle alarms
  • Interoperable with other IDS
    • Be able to collaborate with other nodes for detection or response (e.g. use standards )
problems of current techniques
Problems of Current Techniques
  • Lack of traffic convergence points
    • Prohibits the use of NIDS, Firewalls, Policies etc.
  • Lack of available data at hosts
    • ID algorithms have to work with “partial and localized information” in and around the radio range of hosts
  • Lack of communication among nodes
    • Disconnected operations
    • Location dependent computing
  • Lack of standards
    • Lack of protocol standards
    • |signatures|=|protocols|*|vulnerabilities|*|topologies|
    • Lack of understanding of applications
research challenges 1
Research Challenges[1]
  • What is a good system architecture for building intrusion detection and response systems for manets?
  • What are appropriate audit data sources?
  • How do we detect anomalies based on partial, localized data– if they are the only reliable data sources?
  • What is a good model of activities in a manet that can separate anomaly when under attacks from the normalcy?
  • Can we improve routing, zero-conf protocols to support intrusion detection systems?
anomaly detection in general

A Learning




Anomaly Detection In General
  • Pick a learning algorithm
  • Pick some features
  • Train the algorithm
  • Test the algorithm
  • Tune the algorithm, features
  • Go to 3
anomaly detection on manets
Anomaly Detection on Manets
  • Arguments for Anomaly Detection on Manets
    • One too many signatures to maintain for a misuse detection systems
    • Keeping the signatures up to date is a bigger problem
    • Lack of centralized management and monitoring points makes policy based systems difficult and also policies among communities may be incompatible
    • Specification based systems may work but no one tried it, AFAIK
  • Arguments Against Anomaly Detection on Manets
    • There may not be a clear separation between normalcy and anomaly (e.g. emission of false routing information)
    • There may not be enough data for anomaly detection systems (e.g. disconnected operations, lack of communication in general)
    • Processing, memory requirements for anomaly detection are relatively high and nodes may not be able to cope up with the requirements
    • Hasn’t proven itself useful in fixed networks (IMHO)
proposed system architecture
local response

global response

local detectionengine

global detection


local datacollection



system calls, communications

activities etc.

neighboringIDS agents

Proposed System Architecture
anomaly detection on manets13
Anomaly Detection on Manets
  • The Goal
    • Find most useful (features, algorithm) for anomaly detection on manets and using feedback alter routing algorithms to better support anomaly detection
    • Results in best combination of (routing, features, model)
  • The Process
    • Choose a routing algorithm
    • Choose some features
    • Choose a modeling algorithm
    • Train, test detection model and refine features
    • Feedback to alter the routing algorithm
proposed process
Proposed Process
  • PCR= Percentage of Changed Routes
  • PCH= Percentage of Changes of sum of Hops of all routes
  • Training process simulate diversity of normal situations and trace data is gathered
  • A detection model trained on this data can work on any node
  • Computing the normal profile
    • Denote PCR the class
    • Also, denote distance, direction, velocity, and PCH the features
    • Use n classes to represent the PCR ranges
    • Apply a classification algorithm to learn a classifier for PCR
    • Repeat the process to learn a classifier for PCH
classification algorithm
Classification Algorithm
  • Given a set of features describing a concept classification algorithms output classification rules (a.k.a classifier)
  • For example, when using PCR, given the features output would be:

if(distance < 0.5 && velocity < 3) PCR = 2

else if (velocity > 5 && PCH < 10) PCR = 6

  • Confidence = (|condition && conclusion|)(|condition|)
  • Classification rule set of PCR, PCH together forms the normal profile of the manet
process of anomaly detection
Process of Anomaly Detection
  • Training & Testing
    • Feed the trace data to classification algorithm
    • Compute confidence for all classification rules
    • Compute PCR, PCH deviation scores PCRD, PCHD
    • Assign classes {normal, abnormal} for (PCHD, PCRD)
    • Use a classification/clustering algorithm on (PCHD, PCRD, Class) to compute a classifier
    • Refine the models
  • Deviation (PCRD, PCHD) is measured by the confidence value of violated classification rule
  • Combination of classification algorithms (2,5) is used on hosts for anomaly detection
process of anomaly detection17
Process of Anomaly Detection



Detection Model




multi layer integrated ids
Multi-Layer Integrated IDS
  • An obvious next step
  • Discussed a common process for anomaly detection on manets
  • Discussed an architecture for the system
  • Anyone interested in furthering this work:
    • Find realistic data set (DNE)
    • Brainstorm for proper feature set
    • Pick a learning algorithm (lots of tools)
    • And the 3T’s (train, test, tune)
    • Just don’t over fit or over tune
  • Intrusion Detection in Wireless Ad-Hoc Networks, Zhang, Yongguang, Lee, Wenke, MobiCom 2000
  • Security in Ad-Hoc Networks: A General Intrusion Detection Architecture Enhancing Trust Based Approaches, Albers, Patrick, Camp, Olivier et. al., International Workshop on Wireless Information Systems 2002
  • RFC2460, IETF Standards Document 1998
  • RFC2051, IETF Draft Document 2000
  • Zero Configuration Networking, Internet Draft 2002
  • List at least 5 properties of manets that accentuate security vulnerabilities and explain how they impact security with examples.
  • List a set of features and how they can be used for anomaly detection on manets based on following protocols:
    • DSDV
    • DSR
    • AODV
  • Due 29th October?

Questions, Comments, Concerns…