Intrusion Detection Techniques for Mobile Wireless Networks

Authors:
• Yongguang Zhang, HRL Laboratories LLC, Malibu, California.
• Wenke Lee, College of Computing, Georgia Institute of Technology.
• Yi-An Huang, College of Computing, Georgia Institute of Technology.

Presenter:
• Narendra Pentakota



Outline

• Problem: Inadequacies of security systems in providing security for wireless and mobile devices.

• Motivation: The mobility of wireless devices demands more resilient, stronger and more effective security schemes.

• Solution: Design of an IDS for detecting intrusions into wireless networks and keeping wireless communications out of harm's way.

Definitions

• Intrusion: Unauthorized or unwanted access to restricted space.

• Intrusion detection: One or more security measures or devices used to detect, and perhaps even prevent, intrusion.

• Intrusion detection involves:
  – Capturing audit data.
  – Reasoning about the evidence in the data to determine whether the system is under attack.

Types of IDS

• Network based IDS: data and packet flow inspection at the network edge.

• Host based IDS: Collect operating system audit data such as events and system calls.

Intrusion Detection Techniques

• Misuse based detection:
  – Uses patterns of well-known attacks or weak spots.
  – Accurate and efficient against known attacks.
  – Lacks the ability to detect new attacks.

• Anomaly based detection:
  – Detects anomalies or abnormalities in network or service usage.
  – Does not require prior knowledge of intrusions.
  – May have a high false positive rate.
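To make the contrast concrete, here is an added example in Python (not code from the paper or these slides) that runs a misuse detector and an anomaly detector over the same constructed audit trace of per-second frame counts. The frame types, node names, the single signature and the tolerance factor are all constructed for illustration. The misuse rule catches the one attack pattern it knows about, the anomaly detector also flags the flood it has no signature for, and it raises a false alarm on a benign burst, which is exactly the trade-off the slide describes.

```python
from collections import Counter

# Constructed audit traces (illustrative, not from the paper): (second, source_node, frame_type).
def _burst(second, node, frame, count):
    return [(second, node, frame)] * count

# Ten seconds of normal activity: three nodes each send one DATA frame per second,
# plus one route request (RREQ) per second from a rotating node.
NORMAL_TRACE = []
for s in range(1, 11):
    for node in "ABC":
        NORMAL_TRACE += _burst(s, node, "DATA", 1)
    NORMAL_TRACE += _burst(s, "ABC"[s % 3], "RREQ", 1)

TEST_TRACE = (
    _burst(1, "A", "DATA", 1) + _burst(1, "B", "DATA", 1)
    + _burst(1, "C", "DATA", 1) + _burst(1, "A", "RREQ", 1)   # second 1: normal
    + _burst(2, "A", "DEAUTH", 4)   # second 2: known pattern, de-authentication flood
    + _burst(3, "D", "RREQ", 8)     # second 3: route-request flood with no signature
    + _burst(4, "B", "DATA", 7)     # second 4: benign data burst
)

# Misuse detection: signature name -> (frame type, frames per second from one source).
SIGNATURES = {"deauth-flood": ("DEAUTH", 3)}

def misuse_detect(trace, signatures=SIGNATURES):
    """Match per-source, per-second frame counts against known-attack signatures."""
    per_source = Counter((s, src, f) for s, src, f in trace)
    alerts = []
    for (s, src, f), n in sorted(per_source.items()):
        for name, (sig_frame, limit) in signatures.items():
            if f == sig_frame and n >= limit:
                alerts.append((s, src, name))
    return alerts

def build_profile(trace, tolerance=2):
    """Anomaly baseline: peak per-second count of each frame type in normal traffic, times a tolerance."""
    per_second = Counter((s, f) for s, _, f in trace)
    peak = {}
    for (s, f), n in per_second.items():
        peak[f] = max(peak.get(f, 0), n)
    return {f: n * tolerance for f, n in peak.items()}

def anomaly_detect(trace, profile):
    """Flag any second whose count for a frame type exceeds the profile, or a frame type never seen in training."""
    per_second = Counter((s, f) for s, _, f in trace)
    return [(s, f, n) for (s, f), n in sorted(per_second.items())
            if f not in profile or n > profile[f]]

if __name__ == "__main__":
    print("misuse :", misuse_detect(TEST_TRACE))
    print("anomaly:", anomaly_detect(TEST_TRACE, build_profile(NORMAL_TRACE)))
```

Running it shows the misuse detector reporting only the de-authentication flood in second 2, while the anomaly detector reports seconds 2, 3 and 4: the novel RREQ flood is caught without any signature, but the benign burst of DATA frames in second 4 is a false positive that the profile cannot distinguish from an attack.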

Vulnerabilities of Mobile Wireless Networks

• The very advantage of mobility leads to its disadvantage.

• Possible attacks range from passive eavesdropping to active interference.

• Communication infrastructure and communication topology differ from wired communications.

• Damages include loss of privacy, confidentiality, security, etc.

Vulnerabilities of Mobile Wireless Networks (cont..)

• Autonomous nature, roaming independence.
• Unprotected physical medium.
• Node tracking is difficult.
• Decentralized network infrastructure and decision making. Mostly relies on cooperative participation.
• Susceptible to attacks designed to break the cooperative algorithms.

Vulnerabilities of Mobile Wireless Networks (cont..)

• Bandwidth and power constraints leave conventional security measures ineffective against attacks that exploit the applications relying on them.

• Wireless networks involving base node communications (ex. access points) are vulnerable to DoS attacks like dis-association and de-authentication attacks.

• No clear line of defense.

Problems with current IDS techniques

• Current IDS techniques rely heavily on mounting defense measures at common access or routing points such as switches or routers.

Problems with current IDS techniques (cont..)

• Wireless nodes in an ad-hoc network do not rely on any common access point. Thus current IDS techniques are not good enough.

Key design issues

• Build an intrusion detection and response system that fits the features of mobile ad-hoc networks. It should be both distributed and cooperative.

• Choose appropriate data audit sources. Local audit data versus global audit data.

• Separate normalcy from anomaly.

Architecture for Intrusion Detection

• Intrusion detection and response should be both distributed and cooperative to suit the needs of mobile ad-hoc networks.

• Every node participates in intrusion detection and response.

• Each node is responsible for detecting and reporting intrusions independently. All nodes can investigate an intrusion event.

System View

• Individual IDS agents placed on the nodes collectively form the IDS system to defend the mobile ad-hoc network.

System view (cont..)

• The data collection module is responsible for gathering local audit traces and activity logs.
• The detection engine uses this data to detect local anomalies.
• Cooperative detection engines provide collaboration among IDS agents.
• Both local and global response modules provide intrusion response actions.
• The local response module triggers actions local to the node, while the global one coordinates actions among neighboring nodes.
• A secure communication module provides a high confidence communication channel among IDS agents.

IDS in Action

The following events are part of the design process of intrusion detection and response by IDS agents.

• Data collection
• Local detection
• Cooperative detection
• Intrusion response
• Multi-layer integrated intrusion detection and response

IDS architecture

[Figure (IDS agent architecture): blocks for Data collection, Local detection, Local response, Cooperative detection, Global response, and Secure communication.]

IDS architecture (cont..)

The intrusion detection state information can range from a mere level-of-confidence value such as

• “with p% confidence, node A concludes from its local data that there is an intrusion”
• “with p% confidence, node A concludes from its local data and neighbor states that there is an intrusion”
• “with p% confidence, nodes A, B, C, … collectively conclude that there is an intrusion”

to a more specific state that lists the suspects, like

• “with p% confidence, node A concludes from its local data that node X has been compromised”
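As an added illustration (not part of the original slides or the paper), the following Python sketch models how a node's state moves through the three levels above: a local confidence value, a value fused with neighbor states, and a collective verdict that may name a suspect. The noisy-OR fusion rule, the vote and quorum thresholds, and the node names are assumptions chosen for the example, not rules taken from the paper.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed thresholds for the example, not values from the paper.
LOCAL_THRESHOLD = 0.7   # local evidence strong enough to respond without consulting neighbors
VOTE_THRESHOLD = 0.3    # a node's state counts as a "yes" vote at or above this confidence
QUORUM = 0.5            # fraction of participating nodes that must vote yes for a collective verdict

@dataclass(frozen=True)
class State:
    node: str                       # "A", or "A,B,C" for a collective state
    confidence: float               # p, in [0, 1]
    basis: str                      # "local", "local+neighbors" or "collective"
    suspect: Optional[str] = None   # set when the state names a compromised node

def combine_with_neighbors(own: State, neighbors: List[State]) -> State:
    """Fuse independent evidence with noisy-OR: P(intrusion) = 1 - prod(1 - p_i). (Assumed rule.)"""
    miss = 1.0
    for s in [own, *neighbors]:
        miss *= 1.0 - s.confidence
    return State(own.node, 1.0 - miss, "local+neighbors", own.suspect)

def collective_verdict(states: List[State]) -> Optional[State]:
    """Majority vote over the states exchanged in one cooperative detection round."""
    voters = [s for s in states if s.confidence >= VOTE_THRESHOLD]
    share = len(voters) / len(states)
    if share < QUORUM:
        return None
    named = Counter(s.suspect for s in voters if s.suspect)
    suspect = named.most_common(1)[0][0] if named else None
    nodes = ",".join(sorted(s.node for s in voters))
    return State(nodes, share, "collective", suspect)

def describe(state: State) -> str:
    """Render a state in the slide's wording."""
    basis = {"local": "from its local data",
             "local+neighbors": "from its local data and neighbor states",
             "collective": "collectively"}[state.basis]
    claim = (f"node {state.suspect} has been compromised" if state.suspect
             else "there is an intrusion")
    pct = round(state.confidence * 100)
    if state.basis == "collective":
        return f"with {pct}% confidence, nodes {state.node} {basis} conclude that {claim}"
    return f"with {pct}% confidence, node {state.node} concludes {basis} that {claim}"

def detection_round(own: State, neighbors: List[State]):
    """One round: respond locally on strong evidence, otherwise consult the neighbors."""
    if own.confidence >= LOCAL_THRESHOLD:
        return "local response", own
    fused = combine_with_neighbors(own, neighbors)
    verdict = collective_verdict([own, *neighbors])
    if verdict is not None:
        return "global response", verdict
    return "no response", fused

if __name__ == "__main__":
    a = State("A", 0.4, "local", suspect="X")
    neighbors = [State("B", 0.5, "local"), State("C", 0.3, "local", suspect="X"),
                 State("D", 0.1, "local")]
    print(describe(a))
    print(describe(combine_with_neighbors(a, neighbors)))
    action, state = detection_round(a, neighbors)
    print(action, "->", describe(state))
```

With node A at 40% local confidence, below the local threshold, the round consults B, C and D; the fused value rises to about 81%, and three of the four nodes vote yes, so the global response is triggered with the collective state "nodes A,B,C collectively conclude that node X has been compromised". Any exchange of these states in practice would go over the secure communication module, since a forged neighbor state is the obvious way to poison the vote.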

A Distributed Intrusion Detection (cont..)

Intrusion response depends on the type of intrusion and varies with the type of network protocols and applications, and the confidence in the evidence. For ex.

• Re-initialize communication channels between nodes (ex. force re-key).

• Identify the compromised nodes and re-organize the network to exclude them.

Multi-Layered Integrated IDS

Intrusion detection and response modules are integrated into every layer of the node. For ex.

• An anomaly detected at the routing layer is reported to the application layer and a re-authentication process is initiated.

• An attack detected at the application layer is reported to the service and routing layers, and the incident is also reported to other nodes.

Definitions

• Information-Theoretic: Branch of applied mathematics and engineering involving the quantification of information. Developed to find the fundamental limits on compressing and reliably communicating data.

• Entropy: Uncertainty involved in a variable. For ex. a fair coin flip will have less entropy than a roll of a die.

• Classifier: A mapping from a discrete feature space to a discrete set of labels.

Anomaly Detection in Mobile Ad-Hoc Networks

Building an anomaly detection model.
• Differentiate normal from abnormal.
• Use information-theoretic approaches to identify classifiers (with low entropy) and classification algorithms to build anomaly detection models.
• When constructing such a classifier, features with high information gain (i.e. reduction in entropy) are needed.

Anomaly Detection in Mobile Ad-Hoc Networks (cont..)

Building an anomaly detection module (cont..).
• Select (or partition) audit data so that the normal dataset has low entropy.
• Perform appropriate data transformation according to the entropy measures (for information gain).
• Compute the classifier using training data.
• Apply the classifier to test data.
• Post-process alarms to produce intrusion reports.
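The procedure above, carried through as an added worked example in Python (not the paper's code or data): constructed routing-layer audit windows with discretized features, entropy and information gain to rank the features and to check that the normal data is regular, a one-feature rule classifier trained on the highest-gain feature standing in for RIPPER or SVM, and a post-processing step that merges consecutive abnormal windows into intrusion reports. The feature names, the discretization into bins, the twelve training windows and the minimum run length of two are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed feature set for routing-layer audit windows (names and bins are assumptions):
#   route_churn: share of routing-table entries changed in the window   (low / high)
#   hop_change:  change in the summed hop count of all routes           (none / some)
#   drop_rate:   share of forwarded packets dropped                     (low / high)
FEATURES = ("route_churn", "hop_change", "drop_rate")
LABEL = -1  # last column of each training record

# Constructed training windows, not the paper's data: (route_churn, hop_change, drop_rate, label).
TRAIN = [
    ("low", "none", "low", "normal"),
    ("low", "none", "high", "normal"),
    ("low", "some", "low", "normal"),
    ("low", "some", "high", "normal"),
    ("low", "none", "low", "normal"),
    ("low", "some", "high", "normal"),
    ("high", "some", "low", "abnormal"),
    ("high", "some", "high", "abnormal"),
    ("high", "none", "low", "abnormal"),
    ("high", "some", "high", "abnormal"),
    ("low", "none", "low", "normal"),
    ("high", "some", "low", "abnormal"),
]

# Constructed test windows in time order (unlabelled): a one-window blip, then a three-window run.
TEST_WINDOWS = [
    ("low", "none", "low"),
    ("high", "some", "low"),
    ("low", "some", "high"),
    ("high", "some", "high"),
    ("high", "none", "low"),
    ("high", "some", "low"),
    ("low", "none", "low"),
]

def entropy(values):
    """Shannon entropy in bits of the value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def information_gain(records, feature):
    """Reduction in label entropy from splitting the records on one feature."""
    i = FEATURES.index(feature)
    base = entropy([r[LABEL] for r in records])
    groups = {}
    for r in records:
        groups.setdefault(r[i], []).append(r[LABEL])
    remainder = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return base - remainder

def rank_features(records):
    """Features ordered by information gain, highest first."""
    return sorted(((f, information_gain(records, f)) for f in FEATURES),
                  key=lambda fg: fg[1], reverse=True)

def normal_regularity(records, feature):
    """Entropy of a feature over normal windows only; low means the normal profile is regular."""
    i = FEATURES.index(feature)
    return entropy([r[i] for r in records if r[LABEL] == "normal"])

def train_rules(records, feature):
    """One-feature rule set: each observed value maps to its majority label (stands in for RIPPER/SVM)."""
    i = FEATURES.index(feature)
    by_value = {}
    for r in records:
        by_value.setdefault(r[i], []).append(r[LABEL])
    rules = {v: Counter(ls).most_common(1)[0][0] for v, ls in by_value.items()}
    default = Counter(r[LABEL] for r in records).most_common(1)[0][0]
    return feature, rules, default

def classify(model, window):
    feature, rules, default = model
    return rules.get(window[FEATURES.index(feature)], default)

def post_process(alarms, min_run=2):
    """Merge consecutive abnormal windows into intrusion reports; drop runs shorter than min_run."""
    reports, start = [], None
    for t, label in enumerate(alarms + ["normal"], start=1):   # sentinel closes a trailing run
        if label == "abnormal":
            start = start or t
        elif start is not None:
            if t - start >= min_run:
                reports.append({"start": start, "end": t - 1, "windows": t - start})
            start = None
    return reports

def detect(train, windows):
    """Full pipeline: rank features, train on the best one, classify, post-process."""
    best = rank_features(train)[0][0]
    model = train_rules(train, best)
    alarms = [classify(model, w) for w in windows]
    return best, alarms, post_process(alarms)

if __name__ == "__main__":
    for f, g in rank_features(TRAIN):
        print(f"{f:12s} gain={g:.3f} normal-entropy={normal_regularity(TRAIN, f):.3f}")
    print(detect(TRAIN, TEST_WINDOWS))
```

On this data route_churn carries all of the label information (its gain equals the label entropy and its entropy over normal windows is zero), hop_change carries a little and drop_rate almost none, so the rule set is built on route_churn alone. The classifier marks windows 2, 4, 5 and 6 abnormal; post-processing drops the isolated window 2 and emits one intrusion report covering windows 4 to 6, which is the kind of alarm consolidation the last step of the slide refers to.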

Anomaly Detection in Mobile Ad-Hoc Networks (cont..)

• Attack models
  – Route logic compromise.
  – Traffic pattern distortion.
• Audit data
• Feature selection and essential feature set.
• Classifier algorithms
  – RIPPER: First-order inductive rule learner.
  – SVM: Known to reduce classification error.
• Post-processing

Anomaly Detection in Mobile Ad-Hoc Networks (cont..)

Detecting abnormal updates to routing tables. Given a set of training, testing and evaluation scenarios and modeling algorithms like RIPPER and SVM, the question is which routing protocol, with potentially all of its routing table information used, results in better performing detection models, i.e. “what information should be included in the routing table to make intrusion detection effective?”

Anomaly Detection in Mobile Ad-Hoc Networks (cont..)

• Detecting abnormal activities in other layers.

Routing Protocols

• DSR: Dynamic source routing protocol. Demand based source routing protocol.

• AODV: Ad-hoc On-demand Distance Vector. Demand based routing protocol capable of both unicast and multicast routing.

• DSDV: Destination-Sequenced Distance-Vector Routing. Table driven routing protocol. Routing based on sequence numbers.

Experimental Results

Wireless routing protocols considered for implementing the anomaly detection process:
– Dynamic source routing.
– Ad-hoc on-demand distance-vector routing.
– Destination-sequenced distance-vector routing.

These protocols were selected because they represent different types of ad-hoc wireless routing protocols, proactive and on-demand.

Experimental Results (cont..)

• The selected feature set should reflect information from different sources, such as routing changes and topological movements.

• Classification algorithms used
  – Induction based classifier, RIPPER.
  – A new SVM classifier, SVM_Light.

• Five different test scripts are used to generate traces for simulation. The test scenarios include
  – Local features on ad-hoc protocols.
  – Detection performance in terms of detection rate and false alarm rate on DSR, AODV and DSDV.

Experimental Results (cont..)

• It is observed that DSR tested with SVM_Light outperforms the other two by a large margin.
• DSR and AODV are both on-demand protocols with path and pattern redundancy, which helps achieve better detection performance.
• High correlation among changes in traffic flow, routing activities and topological patterns is preferred.

Conclusion

• An architecture for better intrusion detection in a mobile computing environment should be both distributed and cooperative.

• The paper also shows, to an extent, that on-demand protocols work better than table driven protocols, because the behavior of on-demand protocols reflects the correlation between traffic patterns and routing message flows.

Any Questions?

Any suggestions?