Transcript
Page 1: Applying Intrusion Detection Systems to Wireless …roman/files/roman-ccnc06-transp.pdf · Applying Intrusion Detection Systems to Wireless Sensor NetworksApplying Intrusion Detection

Applying Intrusion Detection Systems to Wireless Sensor Networks

Rodrigo Roman, Jianying Zhou, Javier Lopez

10 January 2006

Page 2: Summary

• Wireless Sensor Networks
• Intrusion Detection Systems
• IDS Architecture for Wireless Sensor Networks
• Conclusions

Page 3: Wireless Sensor Networks

Page 4: Wireless Sensor Networks (WSN)

What?
• Nodes: Constrained, Sensors, Wireless.
• Dense Network (100 - more...)
• ∑Nodes = WSN

Applications
• Healthcare
• Environment
• AmI (Smart Homes)
• Military
• ...

Page 5: Infrastructure – Nodes

Nodes Features:
• 8 MHz, 128Kb I’s
• Battery: 1 year (“stand-by”)
• Radio (19.2 – 250 Kbps)

Roles:
• Harvesters
• Routers
• Distributed Platform

[Figure labels: Nodes, Base Station]

Page 6: Infrastructure – Base Station

B.S.: Less Constrained

Roles:
• Manager
• Interface (Data Dissemination Network)

[Figure labels: Nodes, Base Station]

Page 7: Points of Attack

Physical
• Node Integrity
• Channel Integrity
• Environment Integrity
• Energy Integrity

Logical
• Information Integrity
• Protocol Integrity
• Configuration Integrity

Every Node!

Page 8: Intrusion Detection Systems

Page 9: Intrusion Detection Systems

• Intrusion?
  • Set of Actions: Unauthorized Access/Alteration
• Detection: Intrusion Detection Systems (IDS)
  - O.S. Logs
  - Applications
  - Network Packets
  - Anomaly Detection
  - Signature Detection

Page 10: IDS – Wireless Networks

• Applying IDS to Wireless Networks… A real problem
• Wireless Communication, Multiple nodes… = Multiple points of attack
• (Usually) IDS Agents inside every node: Constrained resources
• Specific problems in Wireless Sensor Networks
  • Nodes are even more constrained
  • Highly specialized protocols
  • User/Administrator away from the problems (BS)

Page 11: IDS and WSN – State of the Art

• Partial Solutions
  • Analysing fluctuations in sensor readings
    • Anomaly detection, HMM
  • Attesting the integrity of the code
    • Check I’s memory… but time is what matters!
    • Others: Send (protected) attesting algorithm
  • Watching over the information interchange (Watchdog)
    • Expensive for resource constrained nodes
• No general infrastructure
  • Rules, rules, rules…

Page 12: IDS Architecture for Wireless Sensor Networks

Page 13: Architecture: “Template”

• How it SHOULD be?
• Separate detection tasks
  • Local Agents: Internal Info, Active 100% of the time
  • Global Agents: External Info, Aim for 100% coverage
  • What they should analyse? From what sources?
• Share information between agents
  • Cryptography, voting mechanism (Ad Hoc), trust
• Notify users – Base Station
  • Secure Broadcast algorithms (µTesla)
• Optimised Alert database (small disk space)
  • Should have {timestamp, classification, source}

Page 14: Local Agents

Source Data
- Node Status
- Sent/Received Packets
- Measurements
- Neighbour Information

Analysis
- Physical/Logical Integrity
- Measurement Integrity
- Protocol Integrity
- Neighbourhood

Page 15: Local Agents

• Physical Integrity
  • Nodes are easily accessible: Destroy!
  • Communication channel (Radio) is easily accessible: Jamming!
  • Alert: HW failures, anomaly in communication channels
• Logical Integrity
  • Nodes can be reprogrammed
  • Alert: Programming event (Xnp)
• Measurements
  • Physical attacks (e.g. defective sensors, others [fire – temperature sensor, movement – accelerometer])
  • Alert: Anomaly detection systems

Page 16: Local Agents

• Protocol Integrity
  • Many protocols (Why? Specialized network) = Many attacks (malformed packets, packet injection,…)
  • Develop lightweight detection techniques
• Neighbourhood
  • Static networks: Few variations in the network infrastructure
  • Alerts: New nodes, “disappearing” nodes
…
• Too much energy usage?
  • Analysis (protocols, measurements) – open issue

Page 17: Global Agents

• Problem: Energy! Assure:
  - Balance tasks
  - Network coverage

Source Data
- Information (Broadcast)

Analysis
- Protocol Analysis (“Watchdogs”)

Page 18: Global Agents

Hierarchical Networks
• “Cluster Head” (CH) controls its section of the network
• Global Agent, part of C.H.

Flat Networks
• No hierarchy, same nodes
• Global Agent?
  • Spontaneous Watchdog (SW)

Stronger...

Page 19: Spontaneous Watchdogs

• Premise:
  • “For every packet circulating in the network, there are a set of nodes that are able to receive both that packet and the relayed packet by the next-hop”
  • Only for dense networks

[Figure labels: Node A, Node B, Node C, Node D]

• One of the nodes will activate its Global Agent:
  • Network coverage (∀ packet covered by [at least] 1 node)
  • Energy savings (detection tasks are distributed over the nodes)

Page 20: Spontaneous Watchdogs – Process

• Algorithm
  • Every node receives all packets sent inside its neighbourhood (Waste of energy? No: Am I the destination of this packet?)
  • The destination of the packet is in my neighbourhood? Yes: I can be a Spontaneous Watchdog
  • How many nodes are in my situation? (n)
    • Need the list of neighbours of all my neighbours
    • Process: Intersect neighbours of sender and receiver = n
      E.g.: A {B,C,D}, B {A,C,D} {C,D}
  • Probability of being Spontaneous Watchdog: 1/n
  • There is no negotiation – process is totally independent
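The decision process on this slide, as an added Python example that is not part of the original presentation. The topology beyond nodes A to D, the function names and the `factor` multiplier are assumptions of this example; each node is modelled as already holding its neighbours' neighbour lists.

```python
import random

# Constructed topology: symmetric one-hop neighbour lists. A-D follow the
# slide's example; node E is added here as a node out of range of A and B.
NEIGHBOURS = {
    "A": {"B", "C", "D"},
    "B": {"A", "C", "D"},
    "C": {"A", "B", "D", "E"},
    "D": {"A", "B", "C"},
    "E": {"C"},
}

def candidates(sender, next_hop, nbrs=NEIGHBOURS):
    """Nodes able to hear both the packet and its relay by the next hop."""
    return (nbrs[sender] & nbrs[next_hop]) - {sender, next_hop}

def decide(me, sender, next_hop, rng, nbrs=NEIGHBOURS, factor=1.0):
    """Local decision of node `me` for one overheard packet, no negotiation.

    Uses only lists `me` holds: its own neighbours and its neighbours' lists.
    Returns (eligible, n, activate)."""
    if me in (sender, next_hop):
        return (False, 0, False)          # endpoints handle the packet normally
    if sender not in nbrs[me] or next_hop not in nbrs[me]:
        return (False, 0, False)          # cannot observe the relay
    n = len(candidates(sender, next_hop, nbrs))   # includes `me`, so n >= 1
    p = min(1.0, factor / n)              # factor=1.0 is the slide's 1/n
    return (True, n, rng.random() < p)

def simulate(sender, next_hop, trials, seed=1, factor=1.0):
    """Histogram {active watchdogs per packet: number of packets}."""
    rng = random.Random(seed)
    hist = {}
    for _ in range(trials):
        active = sum(decide(node, sender, next_hop, rng, factor=factor)[2]
                     for node in NEIGHBOURS)
        hist[active] = hist.get(active, 0) + 1
    return hist

if __name__ == "__main__":
    print(sorted(candidates("A", "B")))          # candidate set for A -> B
    print(simulate("A", "B", 20000))             # some packets get 0 watchdogs
    print(simulate("A", "B", 20000, factor=2))   # doubled probability
```

Because every candidate draws independently, a share of packets ends up with no active watchdog at all, and a share with more than one.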

Page 21: Spontaneous Watchdogs – Problems

• Situations with no active watchdog!
  • 0 SW : (33%) 0.29 – 0.36
  • 1 SW : (40%) 0.44 – 0.36
  • 2 SW : (20%) 0.19 – 0.22
• Solution: Change (Increase) probabilities
  • E.g. : Double probability
    • 0 SW : (7%) 0.04 – 0.12
  • Drawback: More than one SW for one packet
• Balance: Security / Energy

[Figure: two plots. First plot: x-axis “Number of spontaneous watchdogs (Nodes)”, y-axis “Scenario probability (%)”. Second plot: x-axis “Number of Nodes”, y-axis “% spontaneous watchdogs”. Series in both: 25 neighbors, 10 neighbors, 5 neighbors, 3 neighbors.]
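The coverage/energy trade-off on this slide, worked through as an added Python example that is not part of the original presentation. It assumes a binomial model (each of n candidates activates independently with probability factor/n), takes n = 3, 5, 10, 25 from the plot legend, and uses names of its own (`p_active`, `min_factor`, `factor`).

```python
from math import comb

def p_active(k, n, factor=1.0):
    """P(exactly k of n candidates activate); each picks p = factor/n alone."""
    p = min(1.0, factor / n)
    return comb(n, k) * p**k * (1 - p)**(n - k)

def expected_active(n, factor=1.0):
    """Mean watchdogs per packet: the energy side of the trade-off."""
    return n * min(1.0, factor / n)

def min_factor(n, max_uncovered):
    """Smallest multiplier of 1/n keeping P(0 watchdogs) <= max_uncovered.

    Solves (1 - factor/n)**n = max_uncovered for factor, 0 < max_uncovered < 1."""
    return n * (1 - max_uncovered ** (1 / n))

def report(sizes=(3, 5, 10, 25), factors=(1.0, 2.0)):
    """Rows of (factor, n, P(0), P(1), P(2), expected active watchdogs)."""
    rows = []
    for f in factors:
        for n in sizes:
            rows.append((f, n,
                         round(p_active(0, n, f), 3),
                         round(p_active(1, n, f), 3),
                         round(p_active(2, n, f), 3),
                         expected_active(n, f)))
    return rows

if __name__ == "__main__":
    print("factor  n   P(0)   P(1)   P(2)  E[active]")
    for f, n, p0, p1, p2, e in report():
        print(f"{f:>6} {n:>2}  {p0:.3f}  {p1:.3f}  {p2:.3f}  {e:.1f}")
    # Multiplier needed so that at most 5% of packets go unwatched, n = 10
    print(round(min_factor(10, 0.05), 2))
```

Under this model, doubling the probability cuts the unwatched share from roughly 0.30 to 0.04 at n = 3 and from roughly 0.36 to 0.12 at n = 25, while the mean number of active watchdogs per packet rises from 1 to 2.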

Page 22: Conclusions

Page 23: Conclusions

• This is the path we have to walk… let’s walk it!
  • Apply existing algorithms to a complete IDS system
  • Analyse protocols, deduce detection systems
  • Simulations
• Other details
  • Network lifetime: Structure evolution (E.g.: neighbour list)
  • IDS for mobile environments (mobile nodes)
