INTRUSION DETECTION SYSTEMS IN MOBILE AD-HOC NETWORKS
Anas A. Al-Roubaiey
Implementation and Performance Evaluation of Adaptive ACKnowledgment (AACK)
CONTENTS
Background
Literature Review
Problem Statement
Misbehaving Actions in MANET
Proposed IDS
Performance Evaluation
Conclusions and Future Work
6 June 2009 KFUPM: MS Defense
BACKGROUND
Mobile Ad hoc NETwork
Definition
• MANET is a collection of wireless mobile nodes which may form a temporary network, without the use of any fixed infrastructure or centralized administration
Characteristics
• Multi-hop communication
• Dynamic topology
• Constrained resources
• Nodes work as routers
[Figure: nodes S, F1, F2, F3 and D]
Applications
• Military and Rescue operations
• Extend BS range
BACKGROUND
MANET Applications
[Figure: Comm. Tower and nodes v1, v3, v4, v5]
BACKGROUND
Routing in MANET
MANET Routing Protocols
• Proactive (Table Driven): DSDV, WRP, OLSR
• Reactive (On-Demand): AODV, TORA, DSR
• Hybrid: ZRP, ZHLS
DSR basic functions
• Route discovery
• Route maintenance
BACKGROUND
Route discovery in DSR
[Figure: Route Request (RREQ) Broadcasting from S to D over nodes 1 to 8; the requests carry accumulated routes such as 1-2, 1-3, 1-3-4, 1-2-5, 1-3-4-6 and 1-3-4-7]
BACKGROUND
Route discovery in DSR
[Figure: Route Reply (RREP) Unicasting between D and S over nodes 1 to 8, carrying the route 1-2-5-8]
BACKGROUND
Route Maintenance in DSR
[Figure: RERR(5,8) messages in the network of nodes 1 to 8 between S and D]
Mobility of a node can break routes passing through it
Misbehaving Actions in MANET
Securing DSR
DSR vulnerable to attacks
• Passive (eavesdropping)
• Active (dropping packets)
Proposed solutions
• Prevention techniques (Cryptography)
• Detection techniques (Watchdog)
Detection Techniques
• Second wall of defense
• Detect and banish the misbehaving nodes
Problem: In a malicious environment, misbehaving nodes may not cooperate.
• How can they misbehave?
• What is their effect on network performance?
Misbehaving Actions in MANET
Nodes misbehaviour
[Figure: nodes labelled C, M and S]
Cooperative node
• Cooperates in both route discovery and packet forwarding functions
Selfish node
• Prevents data packet forwarding
• Tries to save its own resources (energy and bandwidth)
Malicious node
• Prevents data packet forwarding
• Tries to disrupt the network
Misbehaving Actions in MANET
Misbehaving model
[Figure: misbehaving model with nodes S, A, M and D]
• RREQ packets from S to D
• RREP packets from D to S
• CBR packets from S to D
What is the effect on the network performance as we increase the % of misbehaving nodes?
LITERATURE REVIEW
Watchdog IDS
How it works
• When a node forwards a packet, the node’s watchdog verifies that the next node in the path also forwards the packet
• Watchdog does this by listening promiscuously to the next node’s transmissions
Problems
• Ambiguous collisions, False misbehavior, Partial dropping, Collusion, Receiver collisions, Limited transmission power
Hint: Promiscuous mode means a node accepts packets regardless of their destination
[Figure: path S, A, B, C, D]
LITERATURE REVIEW
Previous IDS
Mechanism | Published Date | RP | Detection Function | Misbehaving Detected | Use WD | Problems Solved
Watchdog | 2000 | DSR | All nodes | All Packet Drop (APD) | Yes | None
CORE | 2002 | All | All | Selective Packet Drop (SPD) | Yes | Partial Dropping
CONFIDANT | 2002 | DSR | All | APD + Routing Attacks | Yes | None
Patcha | 2003 | AODV | Some | APD | Yes | Collusion
CineMA | 2004 | DSR | Some | SPD | Yes | Partial Dropping
Parker | 2004 | All | Some | APD | Yes | None
TWOACK | 2005 | DSR | All | APD | No | RC+TC
Routeguard | 2005 | DSR | All | SPD | Yes | Partial Dropping
ExWatchdog | 2007 | DSR | All | APD | Yes | False Misbehaving
Cop | 2008 | DSR | Some | APD | Yes | None
PROBLEM STATEMENT
Receiver Collision
• Node A believes that B has forwarded packet 1 on to C
• However, C never received the packet due to a collision with packet 2 being sent from D

PROBLEM STATEMENT
Limited Power Transmission
• A node could limit its transmission power such that the signal is strong enough to be overheard by the previous node but too weak to be received by the true recipient.
[Figure: nodes A, B and C]
PROPOSED IDS
Research Objectives
Study the impact of misbehaving nodes on network performance
Propose a solution for the two problems, RC and LPT
Enhancing TWOACK
Reduce routing overhead
• Minimizing acknowledgment transmissions per one data packet
Increase detection efficiency
• Node detection instead of link detection
PROPOSED IDS
AACK Mechanism
Definition
• AACK stands for Adaptive ACKnowledgment
• Adapts the number of acknowledgments based on network state
Components
• End to end acknowledgment
• E-TWOACK
• Switching system
• Response system
Node types: Source (S), Destination (D), Forwarder (F)
[Figure: path S, F1, F2, D (Source, Forwarders, Destination)]
PROPOSED IDS
End to end Acknowledgment

PROPOSED IDS
TWOACK – How it works
PROPOSED IDS
TWOACK – Link Detection
Disadvantage
• Detects the misbehaving link (ML) instead of the misbehaving node (MN)
• Misbehaving node still active in other links, especially in high mobility scenarios where links are changing rapidly
[Figure: route with misbehaving nodes marked M; F2-F3 is ML]
PROPOSED IDS
E-TWOACK – Node Detection
The order of three consecutive nodes has 4 possibilities:
S – F – D (link F – D)
F – F – D (link F – D)
• F is the misbehaving node, because by the nature of packet dropping attacks the attackers exist only on the intermediate nodes
S – F1 – F2 (link F1 – F2)
• If S receives an alarm then F2 is the MN
• If S does not receive an alarm then F1 is the MN
F1 – F2 – F3 (link F2 – F3)
• F3 is the MN because F2 is reported by S and F1 as a well-behaved node.
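The node-detection rule above, set beside TWOACK's link-level verdict, as an added Python example that is not code from the slides or the thesis. The route names, the `usable` route filter and the `source_got_alarm` flag are assumptions made for illustration, and both routes are constructed.

```python
# Added illustration of the slide's E-TWOACK rule; not the thesis's NS-2 code.

def twoack_verdict(route, i):
    """TWOACK: no acknowledgment came back for the triplet route[i:i+3],
    so the link between its second and third node is reported (ML)."""
    return (route[i + 1], route[i + 2])


def etwoack_verdict(route, i, source_got_alarm=False):
    """E-TWOACK: name one node (MN) of that link, using the four
    triplet orders listed on the slide."""
    first, mid, last = route[i:i + 3]
    source, destination = route[0], route[-1]
    if last == destination:
        # S-F-D and F-F-D: droppers sit only on intermediate nodes.
        return mid
    if first == source:
        # S-F1-F2: an alarm reaching S points at F2, silence at F1.
        return last if source_got_alarm else mid
    # F1-F2-F3: F2 was already reported as well-behaved, so F3 is named.
    return last


def usable(route, bad_links=(), bad_nodes=()):
    """Assumed route filter: reject a route that crosses a reported link
    or passes through a reported node."""
    links = set(zip(route, route[1:]))
    forwarders = set(route[1:-1])
    return not (links & set(bad_links)) and not (forwarders & set(bad_nodes))


# Constructed routes: M is reached over a different link on the second one.
ROUTE_1 = ["S", "F1", "F2", "M", "F4", "D"]
ROUTE_2 = ["S", "F5", "M", "F6", "D"]

if __name__ == "__main__":
    link = twoack_verdict(ROUTE_1, 1)      # triplet F1-F2-M went unacknowledged
    node = etwoack_verdict(ROUTE_1, 1)
    print("TWOACK reports link", link, "-> ROUTE_2 usable:",
          usable(ROUTE_2, bad_links=[link]))
    print("E-TWOACK reports node", node, "-> ROUTE_2 usable:",
          usable(ROUTE_2, bad_nodes=[node]))
```

With only the link F2-M reported, the second route through M still passes the filter; reporting the node M rejects it.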
PROPOSED IDS
E-TWOACK – Detection Procedure
PROPOSED IDS
Switching Scheme
AACK modes
• End to end acknowledgment (Aack mode)
• E-TWOACK (Tack mode)
Data packets
• AA packets (Aack mode)
• TA packets (Tack mode)
• One bit from DSR header is used
PROPOSED IDS
Switching Scheme
[Flowchart: Start with Aack mode → Regular Node Activity → Node Mode?
Aack: Send AA PKT, Register PKT id & T → Receive Aack Ack.? If NO → AA Timeout? If YES → Switch to Tack
Tack: Receive Switch PKT? If YES → Switch to Aack mode; if NO → Send TA PKT, Register PKT id & T → Follow E-TWOACK Procedure]
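The switching flow above as a small state machine for a sending node, as an added Python example that is not code from the slides or the thesis. The class and method names, the 0.3 s AA timeout (the slides give no AACK timeout value) and the event timeline are assumptions; the E-TWOACK procedure itself is not modelled.

```python
AACK_MODE, TACK_MODE = "Aack", "Tack"

class SwitchingNode:
    def __init__(self, aa_timeout):
        self.aa_timeout = aa_timeout   # assumed value, in seconds
        self.mode = AACK_MODE          # "Start with Aack mode"
        self.pending = {}              # registered PKT id -> send time T
        self.switches = []             # (time, new mode) history

    def _switch(self, mode, now):
        self.mode = mode
        self.pending.clear()
        self.switches.append((now, mode))

    def _check_timeout(self, now):  # AA packet unacked past the timeout -> Tack
        if self.mode == AACK_MODE and any(
                now - sent > self.aa_timeout for sent in self.pending.values()):
            self._switch(TACK_MODE, now)

    def send(self, pkt_id, now):
        self._check_timeout(now)
        self.pending[pkt_id] = now     # register PKT id & T
        return "AA" if self.mode == AACK_MODE else "TA"  # the DSR header bit

    def on_end_to_end_ack(self, pkt_id, now):
        self._check_timeout(now)       # a late ack does not cancel the switch
        self.pending.pop(pkt_id, None)

    def on_switch_packet(self, now):
        if self.mode == TACK_MODE:
            self._switch(AACK_MODE, now)

# Constructed timeline: the end-to-end ack for packet 2 never arrives.
EVENTS = [(0.0, "send", 1), (0.1, "ack", 1), (0.2, "send", 2),
          (0.4, "send", 3), (0.6, "send", 4), (0.8, "send", 5),
          (0.9, "switch", None), (1.0, "send", 6)]

def replay(events, aa_timeout=0.3):
    node, sent = SwitchingNode(aa_timeout), []
    for now, kind, pkt_id in events:
        if kind == "send":
            sent.append(node.send(pkt_id, now))
        elif kind == "ack":
            node.on_end_to_end_ack(pkt_id, now)
        else:
            node.on_switch_packet(now)
    return sent, node.switches

if __name__ == "__main__": print(replay(EVENTS))
```

Packets 4 and 5 go out as TA because packet 2 stayed unacknowledged past the timeout; packet 6 is AA again once the switch packet has been received.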
PROPOSED IDS
Response System
Performance Evaluation
Why NS-2?
• Suitable for researchers
• Free and open source simulator
[Figure: Simulator usage survey of simulation-based papers in MANET, 2005.]
Performance Evaluation
Performance metrics
• Packet Delivery Ratio
• Routing Overhead
• Average end to end Delay
Performance Evaluation
Simulation parameters
Parameter | Value
Number of nodes | 50 nodes
Simulation area | 670 meter X 670 meter
Simulation time | 900 second
Mobility model | Random waypoint with pause time 0
Maximum speed | 1 m/s (low mobility), 20 m/s (high mobility)
Antenna model | Omni-directional
Performance Evaluation
Simulation parameters
Parameter | Value
Transmission range | 250 meter
MAC protocol | 802.11 CSMA/CA
WD and TA timeout | 0.1 and 0.2 sec
WD and TA threshold | 40 packets
AACK timeout |
AACK threshold | 30 Packets
Misbehaving nodes | varying from 0 % – 40 % (40% smart attackers)
Data traffic | CBR and Video traffic
Performance Evaluation
CBR: Low speed
DSR has the lowest PDR
• No detection mechanism used
WD has better PDR than DSR
• Partial detection for MN
AA outperforms TA, especially at 30 and 40 % of misbehaving nodes
The performance of all the schemes decreases as MN increases

Performance Evaluation
CBR: Low speed
AA has lower overhead than TA
• Reduction of TA Ack packets
WD has almost the same overhead as DSR
• No packets are used for detection
• Just alarm packets are used

Performance Evaluation
CBR: Low speed
TA has the highest delay
• More computation
• More acknowledgment packets
AA has lower value than TA
• The intermediate nodes will not do the detection function all the time

Performance Evaluation
CBR: High speed
DSR and WD PDR decreases much more than in low speed, 50 % with 40% of MN
• High rate of broken links
With no MN, AA and TA performance is lower than DSR and WD
• Their overhead packets due to detection function
TA outperforms AA in case of 40% MN
• Switching overhead

Performance Evaluation
CBR: High speed
RoH of TA increased from 16% in LS to 40% in HS
AA and TA have larger overhead than WD and DSR
• Due to Ack packets and Alarms

Performance Evaluation
CBR: High speed
On average, AA and TA have the same AED
AED is more than in LS
• Salvaged packets increase with HS
Performance Evaluation
Video traffic
To the best of our knowledge, this is the first attempt to evaluate IDSs in MANETs using video traffic
• Not supported by NS-2.
• We use contributions of NS-2 users, which have been used in publications
A small experiment is conducted to choose the best video traffic type (MPEG-4 or H.264) over DSR
• 5 stationary nodes, 670 X 670 flat space
• 30 frames / second
Performance Evaluation
Video traffic
At sender: Raw Video → encoder → converter → Input Trace file → NS-2
At receiver: NS-2 → output Trace file → converter → decoder → Raw Video
Performance Evaluation
Video traffic
Peak Signal to Noise Ratio (PSNR)
• PSNR measures the error between a reconstructed image and the original one
Performance Evaluation
Video traffic
PSNR [dB] | MOS value | Class
≥37 | 5 | Excellent
31-37 | 4 | Good
25-31 | 3 | Fair
20-25 | 2 | Poor
<20 | 1 | Bad
Performance Evaluation
Video traffic: High Speed
Notice the decrease of PDR to 34 %
• High data rate, up to 50 p/s
• More collisions and congestion
AA outperforms TA and DSR in the presence of MN

Performance Evaluation
Video traffic: High Speed
RoH here is much less than in the case of CBR
• Data traffic rate is much more than it was in CBR
TA also has a slightly higher RoH than AA

Performance Evaluation
Video traffic: High Speed
As the # of hops increases, e-to-e delay increases
Also, TA has the highest e-to-e delay, as in the CBR results
In one hop all the schemes are almost the same
• No misbehaving nodes
• No acknowledgments
CONCLUSIONS AND FUTURE WORK
Conclusion
In this research we continue the improvement of the existing IDSs over MANETs
A new IDS is proposed and studied for addressing packet dropping misbehavior by
• Solving the RC and LPT problems of watchdog
• Enhancing the TWOACK technique
Implementation of IDS over variable environments is a challenge.
• Timeout and threshold parameters should be dynamically adapted to the network speed and traffic rate
CONCLUSIONS AND FUTURE WORK
Future Works
Solve the other WD problems such as partial dropping and colluding attacks using AACK
Extend the AACK to work with other MANET routing protocols
• Study AACK IDS performance under other popular routing protocols (both reactive and proactive).
Do more performance evaluation for AACK in terms of power consumption and memory usage