
Page 1: A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks

TRUST, Berkeley Meetings, March 19-21, 2007

Adrian P. Lauf, Richard A. Peters and William H. Robinson

April 2-3, 2008

Page 2: Outline

Motivation

Methods

Results

Application to SCADA



Page 4: What is HybrIDS?

Hybrid, Distributed, Embeddable IDS (HybrIDS)

Identify deviant activity on ad-hoc network

Distributed implementation strategy

Utilize multiple detection strategies

– Zero-knowledge phase
– Calibration-based phase

Function on resource-constrained devices

Integrate with SCADA (Supervisory Control And Data Acquisition) networks


Page 5: Why HybrIDS for SCADA?

SCADA implementations are becoming increasingly less localized

Wireless and IP-based networks present a significant security vulnerability

Sensor/Actuator nodes have no inherent security built in

Designed with scalability in mind


Page 6: Why is HybrIDS different?

It is decentralized
– Reduce dependence on a single system
– Reduce power consumption
– Reduce compute-intensive operations
– Allows for group consensus decisions

Each unit maintains a model of the world
– Reduces chance of tampering with a centralized system

It is resource constrained
– Runs well on embedded Linux platforms

It is portable
– Uses abstraction to eliminate context exclusivity
– Coded in Java for enhanced portability

It is adaptable
– HybrIDS can abstract many ad-hoc network scenarios:
  Autonomous aircraft networks and avionic protocols (ADS-B)
  Swarm-based microrobotics
  Self-contained sensor nodes


Page 7: What can HybrIDS do?

Identify single or multiple anomalies on an ad-hoc network

Adaptable to various attack configurations
– DOS
– Timed attacks
– Command injection
– Network disruption

Locate deviant nodes with zero prior knowledge of system architecture

Adapt to system changes in a scalable manner


Page 8: Outline (Methods)

Page 9: Simplifying by Abstraction

Node interactions classified by labels

Interaction histories recorded
– Each node maintains action histories from its point of view

Abstraction permits context independence
– Applicable to any system using predetermined actions

Example interaction-history table (counts of each action label observed per node):

          Action 1   ...   Action n-1   Action n
Node 1        1                 30          25
Node 2        2                 32          20
Node 3        1                 50          22
Node 4       12                  2          80

Page 10: Why a hybrid approach?

Phase 1 requires no training data

Can isolate a single anomaly

Phase 2 requires training data

Can detect multiple anomalies

More flexible to system changes

[Figure: timeline showing Phase 1 followed by Phase 2 along the time progression]

Page 11: Detection Method: Maxima Analysis: Setup

Histograms formed for each connected node

– Node A will track B, C, and D.

Average system behavior obtained by averaging across observed nodes

Bins correspond to action labels

Data must be normalized to a distribution

– E.g. Gaussian, Chi2

[Figure: matrix of label histograms (one row per observed node, one column per label) summed as Σ/(n-1) to give the average behavioral PDF for the system]

Page 12: Maxima Detection Algorithm

Resultant vector yields approximate PDF

Find global maximum, exclude it

Identify, mark local maxima

Local maximum yields likely intrusion-motivated behaviors

Reverse-map this label to node with most frequent occurrence
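A worked sketch of the Maxima Detection phase described on pages 11 and 12, added here as an example; it is not the authors' HybrIDS code. It assumes a plain count-to-PDF normalisation in place of the Gaussian/Chi2 normalisation the slide mentions, a constructed set of per-peer action histograms, and a tie-free reverse mapping from label to node.

```python
# Added example (not the authors' HybrIDS code): Phase 1, Maxima Detection.
import math

# Constructed observations from node A's point of view: counts of action
# labels 0..4 seen from each peer. Peer "D" over-uses label 3 (constructed).
OBSERVED = {
    "B": [40, 30, 20, 2, 8],
    "C": [42, 28, 22, 1, 7],
    "D": [10, 5, 4, 70, 11],
    "E": [38, 32, 19, 3, 8],
}

def to_pdf(hist):
    """Normalise one histogram to a discrete PDF (assumed simplification of
    the Gaussian/Chi2 normalisation named on the slide)."""
    total = sum(hist)
    return [c / total for c in hist]

def average_pdf(observed):
    """Average behavioural PDF across the observed peers (the slide's Σ/(n-1))."""
    pdfs = [to_pdf(h) for h in observed.values()]
    return [sum(col) / len(pdfs) for col in zip(*pdfs)]

def local_maxima(pdf):
    """Indices of bins that exceed both neighbours (edge bins compare one side)."""
    out = []
    for i, v in enumerate(pdf):
        left = pdf[i - 1] if i > 0 else -math.inf
        right = pdf[i + 1] if i + 1 < len(pdf) else -math.inf
        if v > left and v > right:
            out.append(i)
    return out

def mds_suspects(observed):
    """Find the global maximum and exclude it; every remaining local maximum
    is a likely intrusion-motivated label, reverse-mapped to the node that
    performs it most often. Returns {label: node}."""
    avg = average_pdf(observed)
    gmax = max(range(len(avg)), key=avg.__getitem__)
    return {lab: max(observed, key=lambda n: observed[n][lab])
            for lab in local_maxima(avg) if lab != gmax}

if __name__ == "__main__":
    print(average_pdf(OBSERVED))
    print(mds_suspects(OBSERVED))  # {3: 'D'}
```

With these constructed counts label 0 is the global maximum (normal traffic) and label 3 is the only other local maximum, so the phase isolates the single anomalous peer D.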


Page 13: Detection Method: Cross-correlation

[Figure: each node's label histogram is cross-correlated with the average PDF (Σ/(n-1) over the observed nodes), yielding a per-node score]

Page 14: Score Analysis

Average score is computed

Each score is compared to the average

Deviance determined by a threshold

[Figure: per-node score plotted against node number, with the mean score line, the threshold bounds set around it, and the suspected deviant node marked]

Page 15: Threshold Requirements

Threshold varies for each scenario
– Representative of a percentage deviation required for suspicion of a node

Variability of thresholds is a weakness of CCIDS

Can cause generation of false positives
– Reduced by selecting proper threshold
– Minimal baseline threshold is possible – system may never converge


Page 16: Required Thresholds for Proper Detection (CCIDS)

Deviant node pervasion yields linear change in threshold

Number of nodes has negligible impact on threshold requirements

0.2 represents 100% deviation in this figure

– Detects only nodes that vary significantly

0.02 represents a 10% deviation

– More sensitive to smaller node deviations


Page 17: Selecting Detection Phases

HybridState object determines if the transition point has been reached

If one of the results from CCIDS matches a suspected node from MDS, a match is considered found


Page 18: Transitioning between phases

Increasing the deviant node pervasion requires more tuning cycles

Threshold adjusted once per tuning cycle

Figure represents an average for all node sizes
– # transition cycles is independent of node cluster size
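The cross-correlation phase (page 13), the score and threshold analysis (pages 14 to 16), the HybridState match (page 17) and the once-per-cycle threshold adjustment (page 18), worked through as one added example that is not the authors' HybrIDS code. Assumptions: the score is the zero-lag cross-correlation of a node's PDF with the average PDF, the threshold is a fraction of the mean score, tuning lowers the threshold by a fixed step each cycle down to a minimal baseline, and the histograms and the MDS suspect set are constructed.

```python
# Added example (not the authors' HybrIDS code): Phase 2 (CCIDS) scoring,
# threshold deviance, the HybridState match and threshold tuning cycles.

# Constructed observations from node A's point of view: counts of action
# labels 0..4 seen from each peer. Peer "D" over-uses label 3 (constructed).
OBSERVED = {
    "B": [40, 30, 20, 2, 8],
    "C": [42, 28, 22, 1, 7],
    "D": [10, 5, 4, 70, 11],
    "E": [38, 32, 19, 3, 8],
}

def to_pdf(hist):
    """Normalise one histogram to a discrete PDF (assumed simplification)."""
    total = sum(hist)
    return [c / total for c in hist]

def average_pdf(observed):
    """Average PDF across the observed peers (the slide's Σ/(n-1))."""
    pdfs = [to_pdf(h) for h in observed.values()]
    return [sum(col) / len(pdfs) for col in zip(*pdfs)]

def ccids_scores(observed):
    """Assumed score: zero-lag cross-correlation of each node's PDF with
    the average PDF (the slide only shows the box '= Score')."""
    avg = average_pdf(observed)
    return {n: sum(p * a for p, a in zip(to_pdf(h), avg))
            for n, h in observed.items()}

def ccids_suspects(observed, threshold):
    """Nodes whose score deviates from the mean score by more than
    `threshold`, taken as a fraction of the mean (0.10 = 10% deviation)."""
    scores = ccids_scores(observed)
    mean = sum(scores.values()) / len(scores)
    return sorted(n for n, s in scores.items() if abs(s - mean) / mean > threshold)

def hybrid_match(observed, mds_suspects, threshold):
    """HybridState check: CCIDS results that match an MDS suspect."""
    return sorted(set(mds_suspects) & set(ccids_suspects(observed, threshold)))

def tune_until_match(observed, mds_suspects, start=0.20, step=0.02, floor=0.02):
    """Assumed tuning loop: lower the threshold once per cycle until a match
    appears or the minimal baseline is reached (no convergence -> None)."""
    threshold, cycle = start, 0
    while threshold >= floor - 1e-9:
        cycle += 1
        if hybrid_match(observed, mds_suspects, threshold):
            return cycle, round(threshold, 2)
        threshold -= step
    return cycle, None
```

A 10% threshold flags only D, a 100%-style threshold of 0.20 flags nobody, and starting at 0.20 the tuning loop needs three cycles to confirm the MDS suspect; an MDS suspect that CCIDS never corroborates runs the loop down to the baseline without converging.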


Page 19: HybrIDS Implementation

Implemented in Java 5 (1.5)
– Introduces code portability

ARM9 development board target

2.73 KB memory footprint for a 35-agent system with 10 behaviors
– MDS and CCIDS use a shared data structure

Storage footprint less than 46 KB

Flexible interface implementation
– TCP/UDP for network interface
– Disk-based access for simulation
– RS-232/Serial interface possible


Page 20: Outline (Results)

Page 21: Analysis of HybrIDS Performance

HybrIDS can reliably detect deviant nodes up to 22% pervasion

25% pervasion and up removes element of determinacy

Scalability by percentage pervasion

Number of nodes in cluster does not affect scalability concerns

Graph includes total time – MDS, transition and CCIDS cycles


Page 22: Operational Footprint

HybrIDS with its JVM uses 5MB of application memory (Linux 2.6.22)

Maximum power requirement is 5 watts + idle power of ARM9 platform


Page 23: Outline (Application to SCADA)

Page 24: HybrIDS and SCADA

HybrIDS is optimized for homogeneous ad-hoc networks

While heterogeneous, SCADA contains homogeneous components that can exploit HybrIDS’s potential

HybrIDS can operate on RTU nodes within SCADA infrastructure


Page 25: HybrIDS and SCADA (cont’d)

SCADA is migrating increasingly to vulnerable network infrastructures
– WAN
– WLAN

HybrIDS can be used to detect attack methods on these networks
– DDOS and packet drops alter interaction request frequencies
– Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes


Page 26: Conclusion

HybrIDS provides a flexible IDS framework for ad-hoc networks

Distributed nature allows for seamless integration and reliability

Can easily integrate into existing frameworks, such as SCADA

Offers scalable performance for multiple anomaly detection


[Figure (page 19): ARM9 Development Platform]