
  • Applying Intrusion Detection Systems to Wireless Sensor Networks

    10 January 2006

    Rodrigo Roman, Jianying Zhou, Javier Lopez

  • Summary

    - Wireless Sensor Networks
    - Intrusion Detection Systems
    - IDS Architecture for Wireless Sensor Networks
    - Conclusions

  • Wireless Sensor Networks

  • Wireless Sensor Networks (WSN)

    What? Nodes: constrained, sensors, wireless.

    Dense network (100 or more nodes) = WSN

    Applications: Healthcare, Environment, AmI (Smart Homes), Military, ...

  • Infrastructure: Nodes

    Features:

    - 8 MHz, 128Kb Is
    - Battery: 1 year (stand-by)
    - Radio (19.2 - 250 Kbps)

    Roles:

    - Harvesters
    - Routers
    - Distributed Platform

  • Infrastructure: Base Station

    B.S.: Less constrained

    Roles:

    - Manager
    - Interface (Data Dissemination Network)

  • Points of Attack

    Physical: Node Integrity, Channel Integrity, Environment Integrity, Energy Integrity

    Logical: Information Integrity, Protocol Integrity, Configuration Integrity

    Every Node!

  • Intrusion Detection Systems

  • Intrusion Detection Systems

    Intrusion? Set of actions: unauthorized access/alteration

    Detection: Intrusion Detection Systems (IDS)

    - O.S. Logs
    - Applications
    - Network Packets

    - Anomaly Detection
    - Signature Detection

  • IDS: Wireless Networks

    Applying IDS to Wireless Networks: a real problem

    - Wireless communication, multiple nodes = multiple points of attack
    - (Usually) IDS agents inside every node: constrained resources

    Specific problems in Wireless Sensor Networks

    - Nodes are even more constrained
    - Highly specialized protocols
    - User/Administrator away from the problems (BS)

  • IDS and WSN: State of the Art

    Partial Solutions

    - Analysing fluctuations in sensor readings
      - Anomaly detection, HMM
    - Attesting the integrity of the code
      - Check Is memory, but time is what matters!
      - Others: Send (protected) attesting algorithm
    - Watching over the information interchange (Watchdog)
      - Expensive for resource constrained nodes

    No general infrastructure

    - Rules, rules, rules

  • IDS Architecture for Wireless Sensor Networks

  • Architecture: Template

    How it SHOULD be?

    - Separate detection tasks
      - Local Agents: Internal info, active 100% of the time
      - Global Agents: External info, aim for 100% coverage
      - What should they analyse? From what sources?
    - Share information between agents
      - Cryptography, voting mechanism (Ad Hoc), trust
    - Notify users: Base Station
      - Secure broadcast algorithms (Tesla)
    - Optimised alert database (small disk space)
      - Should have {timestamp, classification, source}

  • Local Agents

    Source Data:

    - Node Status
    - Sent/Received Packets
    - Measurements
    - Neighbour Information

    Analysis:

    - Physical/Logical Integrity
    - Measurement Integrity
    - Protocol Integrity
    - Neighbourhood

  • Local Agents

    Physical Integrity

    - Nodes are easily accessible: Destroy!
    - Communication channel (Radio) is easily accessible: Jamming!
    - Alert: HW failures, anomaly in communication channels

    Logical Integrity

    - Nodes can be reprogrammed
    - Alert: Programming event (Xnp)

    Measurements

    - Physical attacks (e.g. defective sensors, others [fire temperature sensor, movement accelerometer])
    - Alert: Anomaly detection systems

  • Local Agents

    Protocol Integrity

    - Many protocols (Why? Specialized network) = Many attacks (malformed packets, packet injection)
    - Develop lightweight detection techniques

    Neighbourhood

    - Static networks: Few variations in the network infrastructure
    - Alerts: New nodes, disappearing nodes

    Too much energy usage?

    Analysis (protocols, measurements): open issue

  • Global Agents

    Source Data:

    - Information (Broadcast)

    Analysis:

    - Protocol Analysis (Watchdogs)

    Problem: Energy! Assure:

    - Balance tasks
    - Network coverage

  • Global Agents

    Hierarchical Networks

    - Cluster Head (CH) controls its section of the network
    - Global Agent, part of C.H.

    Flat Networks

    - No hierarchy, same nodes
    - Global Agent? Spontaneous Watchdog (SW)

    Stronger...

  • Spontaneous Watchdogs

    Premise: For every packet circulating in the network, there is a set of nodes able to receive both that packet and the packet relayed by the next hop

    Only for dense networks

    [Figure: Node A, Node B, Node C, Node D]

    One of the nodes will activate its Global Agent:

    - Network coverage (packet covered by [at least] 1 node)
    - Energy savings (detection tasks are distributed over the nodes)

  • Spontaneous Watchdogs: Process

    Algorithm

    - Every node receives all packets sent inside its neighbourhood
      (Waste of energy? No: Am I the destination of this packet?)
    - The destination of the packet is in my neighbourhood?
      - Yes: I can be a Spontaneous Watchdog
    - How many nodes are in my situation? (n)
      - Need the list of neighbours of all my neighbours
      - Process: Intersect neighbours of sender and receiver = n
      - E.g.: A {B,C,D} ∩ B {A,C,D} = {C,D}
    - Probability of being Spontaneous Watchdog: 1/n

    There is no negotiation: the process is totally independent

  • Spontaneous Watchdogs: Problems

    Situations with no active watchdog!

    - 0 SW: (33%) 0.29 0.36
    - 1 SW: (40%) 0.44 0.36
    - 2 SW: (20%) 0.19 0.22

    Solution: Change (Increase) probabilities

    - E.g.: Double probability
      - 0 SW: (7%) 0.04 0.12
    - Drawback: More than one SW for one packet

    Balance: Security / Energy

    [Figure: Scenario probability (%) vs. number of spontaneous watchdogs (nodes); series: 25, 10, 5 and 3 neighbors]

    [Figure: % spontaneous watchdogs vs. number of nodes; series: 25, 10, 5 and 3 neighbors]
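
The election described on the Process slide and the no-watchdog odds from the Problems slide, as an added example (not code from the presentation): each overhearing node intersects the sender's and receiver's neighbour lists and activates with probability 1/n, and the independent draws are treated as a binomial. The neighbour lists for C and D, the `boost` parameter standing in for the increased probability, and the binomial model are assumptions of this example.

```python
"""Spontaneous Watchdog election and coverage odds (added example)."""
import random
from math import comb

# Constructed topology: A and B's lists are the slide's example;
# C and D's lists are assumed so that links are symmetric.
NEIGHBOURS = {
    "A": {"B", "C", "D"},
    "B": {"A", "C", "D"},
    "C": {"A", "B", "D"},
    "D": {"A", "B", "C"},
}

def candidates(sender, receiver, neighbours=NEIGHBOURS):
    """Nodes able to hear both the packet and its relay by the next hop."""
    return neighbours[sender] & neighbours[receiver]

def activation_probability(me, sender, receiver, neighbours=NEIGHBOURS, boost=1):
    """Chance that `me` activates its global agent for this packet."""
    cands = candidates(sender, receiver, neighbours)
    if me not in cands:          # endpoint, or cannot overhear both hops
        return 0.0
    return min(1.0, boost / len(cands))   # 1/n, or boost/n when increased

def becomes_watchdog(me, sender, receiver, rng, boost=1):
    """Local draw made by each node on its own: no negotiation."""
    return rng.random() < activation_probability(me, sender, receiver, boost=boost)

def p_watchdogs(k, n, boost=1):
    """P(exactly k of n candidates activate), assuming independent draws."""
    p = min(1.0, boost / n)
    return comb(n, k) * p**k * (1 - p) ** (n - k)

def coverage_table(sizes=(3, 5, 10, 25), boost=1):
    """Map n -> (P(0 SW), P(1 SW), P(2 SW)), rounded to two decimals."""
    return {n: tuple(round(p_watchdogs(k, n, boost), 2) for k in range(3))
            for n in sizes}

if __name__ == "__main__":
    rng = random.Random(2006)    # fixed seed so the demo is repeatable
    print("candidates for A->B:", sorted(candidates("A", "B")))
    print({m: becomes_watchdog(m, "A", "B", rng) for m in "CD"})
    print("p = 1/n:", coverage_table())
    print("p = 2/n:", coverage_table(boost=2))
```

With 3 and 25 candidates the model gives values roughly in the ranges quoted on the Problems slide, and doubling the probability cuts the no-watchdog case at the cost of more packets watched by several nodes.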

  • Conclusions

  • Conclusions

    This is the path we have to walk: let's walk it!

    - Apply existing algorithms to a complete IDS system
    - Analyse protocols, deduce detection systems
    - Simulations

    Other details

    - Network lifetime: Structure evolution (e.g. neighbour list)
    - IDS for mobile environments (mobile nodes)
