Intrusion Detection Techniques for Mobile Wireless Networks
Zhang, Lee, Yi-An Huang
Presented by: Alex Singh and Nabil Taha
Outline
1. Introduction
2. Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks
3. An Architecture for Intrusion Detection
4. Anomaly Detection in Mobile Ad-Hoc Networks
5. Experimental Results
6. Conclusion
Introduction
• The rapid proliferation of wireless networks has changed the landscape of network security
• Traditional firewalls and encryption software are no longer sufficient
• New mechanisms are needed to protect wireless networks and mobile computing applications
Checklist
• Examine vulnerabilities of wireless networks
• Discuss intrusion detection in security architecture for mobile computing environment
• Evaluate such architecture through simulation experiments
Vulnerabilities of Wireless Networks
• Wireless links leave the network susceptible to
– Passive eavesdropping
– Active interfering
• Mobile nodes are capable of roaming independently
• Decision-making in wireless networks relies on cooperative algorithms
Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks
• Intrusion – Any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
• Intrusion Prevention – Primary defense (i.e. passwords, biometrics)
• Intrusion Detection Systems (IDSs) – Second wall of defense
Categories of IDSs
• Network-based IDS – Runs at the gateway of a network and examines network packets that go through the network hardware interface
• Host-based IDS – Relies on operating system audit data to monitor and analyze the events generated by programs or users on the host
Intrusion Detection Techniques
• Misuse Detection – uses patterns of well-known attacks or weak spots to identify known intrusions
– ex: password guessing; lock the account after 4 failed attempts
– Lacks the ability to detect newly invented attacks
• Anomaly Detection – flags activities that differ significantly from the established normal usage
– ex: frequency of program usage much lower or much higher than normal usage
– Does not need prior knowledge of attacks
– High false positive rate
Problems with current IDSs
• Fixed-infrastructure IDS techniques cannot be directly applied to mobile ad-hoc networks
– They rely on real-time traffic analysis
– In a mobile ad-hoc network, detection must be done at the system itself and not at a gateway, switch or router
• Mobile users tend to adopt new operation modes such as disconnected operation
Questions for a Viable IDS
• What is a good system architecture for building intrusion detection and response systems?
• What are the appropriate audit data sources, and how do we detect anomalies based on partial, local audit traces?
• What is a good model of activities in a mobile computing environment that can separate an anomaly from normalcy?
An Architecture for Intrusion Detection
IDS agent
Data Collection
• Gathers streams of real-time audit data from various sources
• Includes:
– System activities
– User activities
– Communication activities by this node
– Communication activities by other nodes within its radio range
• This supports a multi-layered intrusion detection method
Local Detection
• The local detection engine analyzes the local data traces gathered by the local data collection module for evidence of anomalies.
• Includes both misuse detection and anomaly detection
Cooperative Detection
• Any node can initiate a response if it has strong enough evidence of an intrusion
• If the node only has weak or inconclusive evidence, it can request a broader investigation
• Possible to detect intrusion even when evidence at individual nodes is weak
Intrusion Response
• The type of intrusion response depends on:
– Type of intrusion
– Type of network protocols
– Type of applications
– Confidence (or certainty) in the evidence
• Typical responses:
– Re-initiate communication channels between nodes
– Identify the compromised node and exclude it
Multi-Layer Integrated Intrusion Detection and Response
• With wireless networks, there are vulnerabilities in multiple layers, and an intrusion detection module needs to be placed at each layer on each node
• Need to coordinate intrusion detection and response efforts between layers
• Enables us to analyze the attack scenario in its entirety
Anomaly Detection in Mobile Ad-Hoc Networks
• Anomaly detection works on the premise that there are intrinsic and observable characteristics of normal behavior that are distinct from those of abnormal behavior
• We can use a classifier, trained using normal data, to predict what is normally the next event given the previous n events
Procedure for Anomaly Detection
1. Select audit data
2. Perform appropriate data transformation
3. Compute classifier using training data
4. Apply classifier to test data
5. Post-process alarms to produce intrusion reports
Attack on Routing Protocols
• Route Logic Compromise – Manipulating routing information
– Misrouting: forwarding a packet to an incorrect node
– False Message Propagation: distributing a false route update
• Traffic Pattern Distortion – Changes default/normal traffic behavior
– Packet dropping
– Packet generation with a faked source address
– Corruption of packet contents
– Denial-of-service
Audit Data
• Local Routing Information, including cache entries and traffic statistics
• Position locator or GPS, which is assumed not to be compromised
• Only local information is used since remote nodes can be compromised
Feature Selection
• Since we use classifiers as detectors we need to select/construct features from the available audit data
• A large feature set is first constructed to cover a wide range of behaviors
• Several training runs are conducted and features that occur more than a minimum threshold are selected into the Essential Feature Set
Classifier
• Two classifiers were used in the study
• RIPPER – A rule induction program; searches the given feature space and computes rules that separate the data into the appropriate classes
• SVM light – A Support Vector Machine classifier; pre-processes the data to represent patterns in a much higher dimension than the given feature space
Post-processing
• Choose a parameter l and let the window size be 2l+1
• For a region in the current window, if there are more abnormal than normal predictions, then the entire region is marked abnormal
• Shift the window and repeat
• Count all continuous abnormal regions as one intrusion session
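The window-based post-processing above, as an added example that is not part of the original slides or paper. It assumes per-record classifier output encoded as 0 (normal) / 1 (abnormal) and slides the window one record at a time, marking every record in a majority-abnormal window; both choices are assumptions, since the slides do not fix them.

```python
def smooth_predictions(preds, l):
    """Majority vote over a sliding window of size 2l+1.

    preds: list of 0/1 per-record predictions (1 = abnormal).
    Whenever abnormal predictions outnumber normal ones inside a
    window, every record covered by that window is marked abnormal.
    Marks accumulate across overlapping windows, so a record is
    abnormal if any window containing it was majority-abnormal.
    If the trace is shorter than the window, the whole trace is the window.
    """
    n = len(preds)
    width = min(2 * l + 1, n)
    marked = [0] * n
    for start in range(0, n - width + 1):
        window = preds[start:start + width]
        abnormal = sum(window)
        if abnormal > len(window) - abnormal:
            for i in range(start, start + width):
                marked[i] = 1
    return marked


def count_sessions(marked):
    """Count contiguous runs of abnormal records as one intrusion session each."""
    sessions, prev = 0, 0
    for m in marked:
        if m and not prev:
            sessions += 1
        prev = m
    return sessions


def post_process(preds, l):
    """Return (smoothed marks, number of intrusion sessions)."""
    marked = smooth_predictions(preds, l)
    return marked, count_sessions(marked)


if __name__ == "__main__":
    # Constructed sample: two bursts of alarms separated by a quiet record.
    sample = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0]
    print(post_process(sample, l=1))
    # An isolated single alarm is suppressed by the l=1 window.
    print(post_process([0, 0, 1, 0, 0, 0, 0, 0], l=1))
```

With l=1 the first trace collapses into two sessions, while the isolated alarm in the second trace never wins a majority and produces none.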
Detecting Abnormal Updates to Routing Tables
• Routing table contains at a minimum the next hop to each destination node and the distance
• Physical movement is measured by distance and velocity
• The routing table change is measured by the percentage of changed routes – PCR
• And the percentage of changes of all hops of all the routes – PCH
Computing Normal Profile
• Denote PCR the class (i.e. concept), and distance, velocity, PCH, etc. the features describing the concept
• Use n classes to represent the PCR values in n ranges; e.g., we can use 10 classes, each representing 10 percentage points, so that the trace data belongs to n classes
• Apply a classification algorithm to the data to learn a classifier for PCR
• Repeat the above for PCH, that is, learn a classifier for PCH
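Computing the two routing-table change measures (PCR and PCH) from consecutive table snapshots and bucketing PCR into the n classes used as the classifier's concept, as an added example that is not the paper's or the presenters' code. The table layout assumed here (destination mapped to its full hop list, as a source-routed protocol would keep) and the position-by-position hop comparison are illustrative assumptions; the slides only name the two percentages.

```python
from itertools import zip_longest


def percent_changed_routes(old, new):
    """PCR: percentage of destinations whose route differs between two
    snapshots. A destination present in only one snapshot counts as changed."""
    dests = set(old) | set(new)
    if not dests:
        return 0.0
    changed = sum(1 for d in dests if old.get(d) != new.get(d))
    return 100.0 * changed / len(dests)


def percent_changed_hops(old, new):
    """PCH: percentage of hop positions, over all routes, that differ.
    Routes are compared position by position (assumed layout); a hop that
    exists in only one snapshot counts as changed and as one position."""
    changed = total = 0
    for d in set(old) | set(new):
        for x, y in zip_longest(old.get(d, []), new.get(d, [])):
            total += 1
            if x != y:
                changed += 1
    return 100.0 * changed / total if total else 0.0


def pcr_class(pcr, n=10):
    """Map a PCR value to one of n equal-width classes (n=10 gives classes of
    10 percentage points each). A PCR of exactly 100 lands in the top class."""
    return min(int(pcr * n // 100), n - 1)


if __name__ == "__main__":
    # Constructed snapshots for node A: only the route to D changes its first hop.
    before = {"B": ["B"], "C": ["B", "C"], "D": ["B", "C", "D"],
              "E": ["E"], "F": ["B", "C", "F"]}
    after = {"B": ["B"], "C": ["B", "C"], "D": ["E", "C", "D"],
             "E": ["E"], "F": ["B", "C", "F"]}
    pcr = percent_changed_routes(before, after)
    pch = percent_changed_hops(before, after)
    print(pcr, pch, pcr_class(pcr))  # one of five routes, one of ten hops
```

Each (PCR, PCH) pair produced per observation window is a point in the deviation space that the "Finding Anomalies" slide clusters when no labelled abnormal data exists.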
Finding Anomalies
• If abnormal data is not available, compute clusters of the deviation scores, where each score pair is a point (PCR, PCH); the outliers can then be considered anomalies
Detecting Abnormal Activities in Other Layers
• Anomaly detection in other layers (MAC protocols, applications, services, etc.) uses a similar approach
• MAC protocols – form clusters using the deviations of the total number of channel requests and the total number of nodes making requests during a time period s
Experimental Results
Discussion
• Anomaly detection works much better on a routing protocol in which a degree of redundancy exists within the infrastructure
• DSR embeds a whole source route in each packet dispatched
– This makes it harder to hide an intrusion by faking a bit of routing information
Conclusions
• Mobile wireless networks require different techniques to detect intrusions
• Anomaly detection is a critical component of intrusion detection and response
• Trace analysis and anomaly detection should be done locally and possibly through cooperation with all nodes in the network
• Paper focused on ad-hoc routing protocols since they are the foundation of a mobile ad-hoc network
Conclusions – Routing Protocols
• Use anomaly detection models constructed using information available from the routing protocols
• Apply RIPPER and SVM Light to compute classifiers
• Showed that these detectors in general have good detection performance with SVM Light having better performance
Conclusions - findings
• They noted some disparity in security performance among different types of routing protocols
• They claimed that protocols with strong correlation among changes of different types of information (location, track and routing message) tend to have better detection performance
• On-demand protocols usually work better than table-driven protocols