Presentation Transcript

Protecting Mobile Ad Hoc Network Routing Infrastructure with Intrusion Detection Systems

Yi-an Huang and Wenke Lee

College of Computing

Georgia Institute of Technology

Outline
  • Motivation and Attack Analysis on Mobile Ad Hoc Networks
  • IDS Design
    • Intrusion Detection
      • Architecture: Node-based vs. cluster-based
      • Approach: Specification-based vs. statistics-based
    • Intrusion Response: Traceback and Filtering
  • Future Work
    • Better machine learning approaches
    • Verification of protocol state machine and distributed protocols
Mobile Ad Hoc Networks (MANET)
  • Concepts
    • Mobile hosts with no fixed infrastructure
    • Connected through wireless links
    • No centralized control
    • Multi-hop routing
    • Great potential for a number of new self-managing applications
  • Characteristics
    • Inadequate physical protection
      • Node compromise may be more common
    • Mobile routing topology
    • No single traffic concentration point
      • Gateways, access points, etc.
    • Resource-constrained capability
    • Existing security solutions designed for wired networks may have problems

Motivation Architecture Case Study

Routing Attack Example: Sinkhole

General Assumption
  • Reliable Communication Channel
    • Bi-directional
    • Free from loss/congestion
  • Adversary Model
    • Every node in MANET may be compromised, and with equal probability
    • We focus on attacks on routing protocols

Attack Analysis in MANET Routing
  • Traditional attack analysis is based on the knowledge of known incidents. Therefore, it is hard to apply traditional attack analysis in MANET since MANET is a relatively new environment
  • Our proposed approach: perform taxonomy study on anomalous basic events
    • Decompose routing behavior into basic events
      • The smallest set of causally-related operations in a single node
    • Anomalous basic events are basic events that do not follow the normal protocol behavior
      • can be used to define a set of basic attacks conducted on a single node
      • more complicated attacks can be modeled by combinations of anomalous basic events
  • Taxonomy of anomalous basic events
    • on the security goals that may be compromised: confidentiality, integrity and availability; and
    • on the routing elements that may be targeted by attackers: routing and data messages, routing table entries

Taxonomy of Anomalous Basic Events

Bold face represents what an IDS agent is currently capable of.

Comparison of Security Solutions
  • Prevention techniques
    • Provide authenticated use and data integrity
    • Con: susceptible to insider attacks, software bugs, etc.
  • Reputation systems
    • An alternative concept: selfishness is natural
    • Incentives are provided to encourage forwarding
    • Con: only address a limited security problem
  • Intrusion Detection and Response
    • Capture potential misbehavior in real-time (Detection)
    • Identify attack sources (Traceback)
    • Respond promptly to recover from or minimize damage (Filtering)

IDS Architecture

[Figure: IDS Architecture. Labels recovered from the slide: IDS Agent; Intrusion Detection; Intrusion Response; Node-Based Detection; Filtering; Feature Collection; Cooperative Detection; Traceback; Secure Communication.]

Feature Collection Based on Routing Protocol Specification
  • Motivation
    • Previously, we manually chose features based on domain knowledge and heuristics
    • A more systematic approach is preferred
  • Solution: enumerate possible features derived from a protocol specification described in an extended state machine
    • An Extended Finite State Automaton (EFSA) is a finite-state machine where transitions and states can carry a finite set of arguments. EFSAs can be derived from protocol implementation, RFCs or other specifications
    • Define behavior on the routing protocol level
    • Issue: how do we verify the correctness of EFSA?
  • Case study: AODV (Ad hoc On-demand Distance Vector) Routing Protocol (Perkins’03)

Feature Collection Intrusion Detection Intrusion Response

Example
  • Semantic Violation: Interruption of Data Packets
  • Statistical Violation: Flooding of Data Packets

State: Valid[ob, oSeq, nHops, nxt]

Transition (T10): DATA?[Src, ob] -> if (ob != cur) DATA![Src, ob, nxt]
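The slide pairs one semantic violation (a data packet received for a Valid route but never forwarded) with one statistical violation (a flood of data packets) against the same transition. The following added example, which is illustration code and not the authors' IDS, shows how a local agent could check both over one sampling window: a specification-based check that every DATA? with a Valid route is followed by the matching DATA! to the recorded next hop, and a statistics-based per-source count. The event tuple format, the routing-table layout, the window boundaries and the flooding threshold are assumptions.

```python
"""Toy specification-based and statistics-based checks for the AODV
data-forwarding transition on the slide:
    T10: DATA?[Src, ob] -> if (ob != cur) DATA![Src, ob, nxt]
Added example only, not the authors' IDS. The event tuples, the sampling
window and the flooding threshold are assumptions made for illustration."""
from collections import Counter

# Constructed observation stream seen by the IDS agent on node "B".
#   ("DATA_IN",  src, dst)       a data packet arrived at B
#   ("DATA_OUT", src, dst, nxt)  B forwarded it to next hop nxt
EVENTS = (
    [("DATA_IN", "S", "D"), ("DATA_OUT", "S", "D", "C")]   # correct forward
    + [("DATA_IN", "S", "D")]                               # received, never forwarded
    + [("DATA_IN", "S", "E")]                               # no Valid route: outside T10
    + [("DATA_IN", "M", "B")] * 12                          # flood aimed at B itself
)
# Routing table of B: entries in state Valid[ob, oSeq, nHops, nxt], keyed by ob.
ROUTES = {"D": {"oSeq": 5, "nHops": 2, "nxt": "C"}}


def check_transitions(events, cur, routes):
    """Specification-based check of T10 within one sampling window.

    A DATA packet received for a destination with a Valid route must be
    forwarded to that route's next hop before the window ends."""
    pending = Counter()          # (src, dst) -> packets still awaiting a DATA!
    alerts = []
    for ev in events:
        if ev[0] == "DATA_IN":
            _, src, dst = ev
            if dst != cur and dst in routes:      # guard: ob != cur and route Valid
                pending[(src, dst)] += 1
        elif ev[0] == "DATA_OUT":
            _, src, dst, nxt = ev
            if pending[(src, dst)] == 0:
                alerts.append(("semantic", "forward without matching receive", src, dst))
                continue
            pending[(src, dst)] -= 1
            if nxt != routes[dst]["nxt"]:
                alerts.append(("semantic", "forwarded to wrong next hop", src, dst))
    for (src, dst), n in sorted(pending.items()):
        if n > 0:                                 # interruption of data packets
            alerts.append(("semantic", "interruption: received but not forwarded", src, dst, n))
    return alerts


def check_statistics(events, flood_threshold=10):
    """Statistics-based check: per-source DATA? count over the window."""
    per_src = Counter(ev[1] for ev in events if ev[0] == "DATA_IN")
    return [("statistical", "flooding", src, n)
            for src, n in sorted(per_src.items()) if n > flood_threshold]


def analyze(events=EVENTS, cur="B", routes=ROUTES):
    """Run both detectors over one window and return the combined alert list."""
    return check_transitions(events, cur, routes) + check_statistics(events)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

On the constructed stream the specification check raises exactly one interruption alert for the second (S, D) packet, while the twelve packets from M violate no transition at all and are caught only by the statistical count, which is the division of labour the slide describes.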

Two Detection Approaches
  • Target different anomalous basic events
  • Specification-based detection
    • Detect violations to the EFSA specification
    • High accuracy assuming that the specification correctly models all normal behavior in semantics
  • Statistics-based detection
    • Many attacks do not violate the specification directly
    • The statistics-based approach, equipped with machine learning tools, can detect abnormal statistical patterns
    • Statistical features are extracted from states and transitions of EFSA.
    • Misuse detection vs. anomaly detection

Anomalous Basic Events Revisited

Underlined categories are covered by the specification-based approach

Feature Selection
  • Learning-based approaches do not work well with a large number of features
  • A filter approach based on labeled data
    • Start with the empty set G0 = {}
    • At step i, add the new feature f that maximizes the relative entropy between the two distribution functions P(C|Gi) and P(C|Gi ∪ {f}), giving Gi+1 = Gi ∪ {f}
    • Stop when the relative entropy gain is insignificant
  • Efficient in practice
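The following added example implements that forward-selection loop; it is illustration code, not the authors' feature selector. The relative entropy between P(C|G) and P(C|G ∪ {f}) is computed from labelled, discretised samples as the expected KL divergence over the observed feature values (which equals the conditional mutual information I(C; f | G)). The feature names, the toy dataset and the stopping threshold are constructed for the example.

```python
"""Greedy forward feature selection driven by relative entropy, as sketched
on the slide: G0 = {}, Gi+1 = Gi ∪ {f} for the f that most changes the
class distribution P(C|G). Added illustration, not the authors' code; the
discretised features, the dataset and the stopping threshold are constructed."""
import math
from collections import Counter

# Constructed labelled window statistics: each row is one sampling window of
# discretised EFSA-derived features; the label is 1 for an attack window.
#   f0: "forwarded/received ratio low", f1: exact duplicate of f0 (redundant),
#   f2: "RREQ count high" (independent noise in this toy data)
NAMES = ["f0_low_forward_ratio", "f1_duplicate_of_f0", "f2_rreq_high"]
ROWS = [(1, 1, 0), (1, 1, 1), (0, 0, 0), (0, 0, 1)] * 2
LABELS = [1, 1, 0, 0] * 2


def relative_entropy_gain(rows, labels, G, f):
    """Expected relative entropy D(P(C | G ∪ {f}) || P(C | G)), averaged over
    the observed feature values, in bits. Zero when f adds nothing beyond G."""
    n = len(rows)
    joint, base, cnt_gf, cnt_g = Counter(), Counter(), Counter(), Counter()
    for row, c in zip(rows, labels):
        xg, xf = tuple(row[i] for i in G), row[f]
        joint[(xg, xf, c)] += 1
        base[(xg, c)] += 1
        cnt_gf[(xg, xf)] += 1
        cnt_g[xg] += 1
    gain = 0.0
    for (xg, xf, c), k in joint.items():
        p_new = k / cnt_gf[(xg, xf)]          # P(c | xg, xf)
        p_old = base[(xg, c)] / cnt_g[xg]     # P(c | xg)
        gain += (k / n) * math.log2(p_new / p_old)
    return gain


def select_features(rows=ROWS, labels=LABELS, names=NAMES, eps=1e-3):
    """Forward selection: keep adding the best feature until the gain is negligible."""
    G, gains = [], []
    remaining = list(range(len(names)))
    while remaining:
        best = max(remaining, key=lambda f: relative_entropy_gain(rows, labels, G, f))
        gain = relative_entropy_gain(rows, labels, G, best)
        if gain < eps:
            break
        G.append(best)
        gains.append(gain)
        remaining.remove(best)
    return [names[i] for i in G], gains


if __name__ == "__main__":
    print(select_features())
```

On the toy data the first feature alone fixes the class (gain of one bit), its duplicate then contributes nothing and the noise feature contributes nothing either, so the loop stops after one feature; with real window statistics the gains shrink gradually rather than dropping to zero, which is why the threshold matters.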

Node-Based Detection vs. Cooperative Detection
  • Node-based detection
    • IDS agents operate on every MANET node
    • The only reliable features are those collected by the local feature collection module
    • Most secure and reliable. But may suffer from
      • ineffectiveness due to inconclusive evidence
      • inefficiency due to redundant feature computation
  • Cluster-based detection
    • Group nodes into clusters. Each cluster has a certain number of special nodes, or clusterheads
    • Only a clusterhead runs the IDS agent to monitor for the whole neighborhood
    • Limitation: best-effort service
  • Design Criteria
    • Fairness: Don’t elect me, too much work!
    • Security: Control the clusterheads, control everything!
    • Classical cluster protocols do not satisfy these requirements
      • min ID
      • max degree

Cluster Formation Protocol
  • Start with clique computation
  • Each clique member chooses a random input ri and broadcasts the input
  • Each member independently computes the initial seed by XOR-ing all inputs
    • XOR function guarantees the output to be random as long as at least one input is truly random
    • In fact, inputs are broadcast through a two-round protocol to avoid a delayed-response attack
  • A sequence of m clusterheads is generated using PRNG
  • A consistency protocol ensures that the same clusterheads are elected through role acknowledgement
  • Clusterheads are re-elected after a certain timeout

H(r1, r2, …, rn) = ⊕i ri
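The seed-agreement and election steps above, as an added example that is not the authors' protocol code: each member contributes a random input, the seed is the XOR of all inputs, and a PRNG seeded with it yields the sequence of m clusterheads that every member can recompute. The slide says the inputs go out in two rounds to defeat a delayed-response attack; modelling that as a hash commitment in round 1 and a reveal in round 2, and using Python's `random` module as the PRNG, are assumptions for illustration. The retreat counters from the Discussion slide are not modelled.

```python
"""Seed agreement and clusterhead election from the slide, as an added
example (not the authors' protocol code). Round 1 broadcasts a commitment
to each node's random input, round 2 reveals it; the seed is the XOR of
all inputs and a PRNG seeded with it yields the m clusterheads. Using a
hash commitment for the two-round step and Python's random module as the
PRNG are assumptions for illustration."""
import hashlib
import random
import secrets


def commitment(r):
    """Round-1 message: binds a node to its input without revealing it."""
    return hashlib.sha256(r.to_bytes(16, "big")).hexdigest()


def xor_seed(inputs):
    seed = 0
    for r in inputs:
        seed ^= r        # uniform as long as at least one input is truly random
    return seed


def clusterhead_sequence(seed, members, m):
    """Every member runs this with the same seed, so all derive the same list."""
    rng = random.Random(seed)
    ordered = sorted(members)
    return [rng.choice(ordered) for _ in range(m)]


def verify_and_elect(members, commits, reveals, m):
    """Round-2 check: a node that withholds or changes its input is rejected.
    Because inputs were committed before anyone revealed, a late responder
    cannot pick its input after seeing the others to steer the seed."""
    for node in members:
        if node not in reveals or commitment(reveals[node]) != commits[node]:
            raise ValueError(f"node {node} withheld or changed its input")
    seed = xor_seed(reveals[node] for node in members)
    return seed, clusterhead_sequence(seed, members, m)


def reveal_accepted(members, commits, reveals, m):
    """True if the reveals are consistent with the commitments."""
    try:
        verify_and_elect(members, commits, reveals, m)
        return True
    except ValueError:
        return False


def run_election(members, m, inputs=None):
    """Full two-round run; inputs may be supplied to make the run reproducible."""
    inputs = inputs or {node: secrets.randbits(128) for node in members}
    commits = {node: commitment(r) for node, r in inputs.items()}   # round 1
    reveals = dict(inputs)                                            # round 2
    return verify_and_elect(members, commits, reveals, m)


if __name__ == "__main__":
    print(run_election(["A", "B", "C", "D"], 5))
```

Because the seed is a plain XOR, a single honest node with a truly random input is enough to make the seed uniform, which is the fairness argument on the slide; the commitment step is what stops the last node to speak from choosing its input to land the clusterhead role on (or away from) itself.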

Discussion
  • Fairness Concern
    • Clusterhead Computation: short-term fairness
    • Periodical re-election: long-term fairness
  • Security Concern
    • Defend against clusterhead compromise
      • Short-term and long-term fairness
      • Mutual monitoring
    • Defend against attacks on the consistency protocol
      • A node can refuse to participate until it is elected
      • A node can refuse to be a clusterhead but join the same (or another) cluster later
      • Detecting these attacks may be complicated due to node mobility
      • Improved version
        • A retreat counter is recorded on every member for every other member
        • Reaching a certain threshold is considered a violation
        • Retreat counter is reset periodically

Cluster-Based Detection Models
  • Similar approaches can be applied
    • Specification-based
    • Statistics-based
  • Feature collection
    • A randomly chosen cluster member computes the necessary features at every sampling period
      • Reduce redundant feature computation
      • Communication overhead may be further reduced by having “common” features computed directly by the clusterhead
    • Clusterhead-controlled features
      • Capable of developing new detection rules that involve features from multiple nodes

IP Traceback
  • What about IP spoofing?
    • IDS detects attacks based on behavior, but taking proper countermeasures would be hard without knowing the true identities of attack sources
    • A proper authentication system in place may solve the problem, but it is not universally available
  • Traditional traceback solutions are unsuitable
    • Hop-by-hop tracing requires collaborative routers and knowledge about global topology
    • Packet marking and ICMP traceback require static routes

Hotspot-Based Traceback Protocol
  • Fully distributed, working in a mobile topology and with an arbitrary number of compromised nodes
  • Based on the hash-based traceback (Snoeren’01)
    • Use Bloom Filters to store the packet digest whenever a packet was forwarded
  • Extend from the original Bloom Filter
    • Store TTL along with each stored packet
  • Reconstruct original attack path based on replies with the additional information
    • Resilient to malicious routers and inaccurate TTL
  • Detect “hotspots” where adversaries are contained
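The Bloom-filter-with-TTL idea of the two slides above, as an added example that is not the authors' traceback implementation: every forwarding node records (packet digest, TTL seen) in its own Bloom filter, the victim asks nodes whether they saw the digest, and the replies are ordered by TTL to rebuild the path, since each hop sees a TTL one higher than the next. Replies whose TTL does not fit that chain are reported separately rather than trusted, which is a simple stand-in for the resilience the slide claims. The digest fields, filter size and the "exactly one node per TTL" rule are assumptions.

```python
"""Added example of the hotspot-based traceback idea from the slide, not the
authors' implementation: every forwarding node records the digest of each
packet it handles in a Bloom filter together with the TTL it saw, and the
victim orders the replies by TTL to rebuild the attack path. The digest
fields, filter size and the "one node per TTL" reconstruction rule are
assumptions for illustration."""
import hashlib


class TtlBloomFilter:
    """Bloom filter whose keys are (packet digest, TTL) pairs."""

    def __init__(self, m_bits=4096, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, key):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + key).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, digest, ttl):
        for p in self._positions(digest + bytes([ttl])):
            self.bits[p // 8] |= 1 << (p % 8)

    def contains(self, digest, ttl):
        return all((self.bits[p // 8] >> (p % 8)) & 1
                   for p in self._positions(digest + bytes([ttl])))

    def seen_ttl(self, digest):
        """TTL at which this node saw the packet, or None (false positives possible)."""
        for ttl in range(256):
            if self.contains(digest, ttl):
                return ttl
        return None


def packet_digest(src, dst, ident, payload):
    """Digest over fields that do not change hop by hop (TTL is excluded)."""
    return hashlib.sha256(f"{src}|{dst}|{ident}|".encode() + payload[:8]).digest()


def forward(nodes, path, digest, initial_ttl):
    """Simulate the packet travelling along path; each node logs digest + TTL seen."""
    ttl = initial_ttl
    for name in path:
        nodes[name].add(digest, ttl)
        ttl -= 1


def collect_replies(nodes, digest):
    """Victim's query: every node answers with the TTL it saw, if any."""
    replies = []
    for name, bf in nodes.items():
        ttl = bf.seen_ttl(digest)
        if ttl is not None:
            replies.append((name, ttl))
    return replies


def reconstruct(replies, victim_ttl):
    """Walk upstream from the victim: each hop must have seen TTL one higher.
    Replies that do not fit the chain (inaccurate or malicious TTLs) are
    returned separately instead of being trusted."""
    by_ttl = {}
    for name, ttl in replies:
        by_ttl.setdefault(ttl, []).append(name)
    chain, ttl = [], victim_ttl
    while len(by_ttl.get(ttl, [])) == 1:      # stop on gaps or ambiguous TTLs
        chain.append(by_ttl[ttl][0])
        ttl += 1
    explained = set(chain)
    unexplained = sorted((n, t) for n, t in replies if n not in explained)
    return list(reversed(chain)), unexplained


def demo():
    # Constructed topology: attacker S -> A -> B -> C -> victim V; X is off-path.
    nodes = {name: TtlBloomFilter() for name in ["A", "B", "C", "V", "X"]}
    digest = packet_digest("S", "V", 7, b"constructed attack payload")
    forward(nodes, ["A", "B", "C", "V"], digest, 64)
    replies = collect_replies(nodes, digest)
    replies.append(("M", 70))   # a reply carrying a TTL that cannot fit the chain
    return reconstruct(replies, nodes["V"].seen_ttl(digest))


if __name__ == "__main__":
    print(demo())
```

The chain stops at the first TTL with zero or more than one claimant, so a node that reports a TTL far from the real path ends up in the unexplained list and the reconstructed path remains the honest hops; with more traffic per node the filter size and hash count have to be chosen for the expected false-positive rate, exactly as in the hash-based scheme the slide builds on.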

Packet Filtering
  • Current focus: filtering a single attack flow
  • End-host filtering
    • Stop selective flows based on source addresses
      • Effective only when flows are not spoofed
  • Fast filtering
    • Rely on Hotspot-based Traceback
    • Filter on intermediate routers in the attack path
    • Optimize with linear programming
      • Maximize attack packet dropping rate
      • Minimize normal packet dropping rate

Conclusions & Future Work
  • Intrusion detection and response is a critical security component in MANET
  • We propose a new MANET IDS architecture
    • Working under the specific assumptions based on the MANET characteristics
    • Highly effective in detecting well-known routing attacks
  • Future work
    • Improve feature selection approaches
    • Verification of
      • EFSA specification
      • Cluster Formation Protocol
      • Hotspot-Based Traceback Protocol