Effect Of Intrusion Detection on Reliability of Mission-Oriented Mobile Group Systems in Mobile Ad Hoc Networks
Authors: J.H. Cho, I.R. Chen and P.G. Feng. IEEE Transactions on Reliability, Vol. 59, No. 1, 2010, pp. 231-241.
[P1] (4/6 - Presented by R. Mitchell, C. Jian, and A.H. Saoud)
Outline
• Introduction (A.H. Saoud)
• System Model (A.H. Saoud)
• Performance Model (R. Mitchell)
• Parameterization (R. Mitchell)
• Numerical Results, and Analysis (C. Jian)
• Applicability & Conclusion (C. Jian)
Introduction
• Analyzing the effect of intrusion detection system (IDS) techniques on the reliability of a mission-oriented group communication system (GCS) in mobile ad hoc networks (MANETs).
• Knowing the design conditions under which IDS techniques enhance reliability, and thus prolong the lifetime of the GCS.
• Limitations.
• Techniques (prevention, detection, recovery).
Introduction
• Applying model-based quantitative analysis to security analysis.
• MTTSF (mean time to security failure) is a measure reflecting the expected system lifetime, i.e. a measure against loss of service availability or system integrity.
• Identify the optimal rate at which IDS should be executed to maximize the system lifetime.
Introduction
• Consider the effect of security threats, and of counter IDS techniques, on the system lifetime of a mission-oriented GCS in MANETs.
• Mathematical models to identify the optimal intrusion detection rate at which MTTSF is maximized, by analyzing the tradeoff between the positive and negative effects of IDS.
• Show that the analysis methodology developed is generally applicable to varying network conditions.
System Model
• The notion of a mobile group is defined based on “connectivity.”
• The GCS and its constituent mobile groups are “mission-oriented.”
• Mission execution is an application-level goal built on top of connectivity-oriented group communications.
leave rate, rejoin rate, Mobility rate
/( + ) probability node is in any group
/( + ) probability node is not in any group
System Model - Confidentiality
• Shared symmetric (group) key for secure group communications, used to encrypt the messages sent by a member to the others in the group for confidentiality.
• Rekeying upon group member join/leave/eviction, or group partition/merge events, to preserve secrecy.
• Group Diffie-Hellman (GDH), a contributory key agreement protocol, is used for group key rekeying, for decentralized control and to eliminate a single point of failure.
• Identify optimal intrusion detection intervals to maximize MTTSF, leading to improved service availability.
System Model - Authentication
• Each member has a private key and a public key, available for authentication.
• The public keys of all group members are preloaded into every node.
• No certificate authority (CA) or key revocation. A node’s public key therefore serves as the identifier of the node.
System Model - IDS
• Host-based IDS: each node performs local detection to determine if a neighboring node has been compromised.
• The effectiveness of the IDS techniques applied is characterized by the false negative probability (P1) and the false positive probability (P2).
• Voting-based IDS: m nodes, each preinstalled with a host-based IDS.
• Negative effects: (a) evicting good nodes by always voting “no” to good nodes; (b) keeping bad nodes in the system by always voting “yes” to bad nodes.
System Model – IDS Tolerance
• False negative probability and false positive probability, calculated based on (a) the per-node false negative and false positive probabilities of the host-based IDS in each node; (b) the number of vote-participants selected to vote for or against a target node; (c) an estimate of the current number of compromised nodes.
• For the selection of participants, each node periodically exchanges its routing information, location, and identifier with its neighboring nodes.
System Model – Tolerance 2
• With respect to a target node, all neighbor nodes within a number of hops from the target node are candidates as vote-participants.
• A coordinator is selected randomly by introducing a hashing function that takes the identifier of a node concatenated with the current location of the node as the hash key.
• The node with the smallest returned hash value then becomes the coordinator.
System Model – Tolerance 3
• The coordinator selects m nodes randomly and broadcasts the list of m nodes.
• Any node not following the protocol raises a flag as a potentially compromised node, and may get itself evicted when it is evaluated as a target node.
• The vote-participants are known to other nodes, and based on the votes received, they can determine whether or not a target node is to be evicted.
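As an added example (my code, not from the deck or the paper), a simplified model of the voting-based IDS described on the Tolerance slides: the system-level P1/P2 are derived from the per-node host-IDS probabilities, the number of vote-participants m, and the estimated fraction of compromised nodes, using the deck's assumption that compromised participants always vote against good nodes and for bad nodes. The majority rule, the binomial sampling of participants and all numeric values are my assumptions.

```python
from math import comb


def majority_wrong(m, p_wrong):
    """Probability that a strict majority of m independent voters casts a wrong vote."""
    need = m // 2 + 1  # votes needed to decide the outcome (m is odd, so no tie)
    return sum(comb(m, k) * p_wrong ** k * (1 - p_wrong) ** (m - k)
               for k in range(need, m + 1))


def voting_ids_probabilities(m, host_fn, host_fp, p_compromised):
    """System-level (P1, P2) of a majority vote by m vote-participants.

    host_fn / host_fp: per-node false negative / false positive probability of the
                       host-based IDS (constructed inputs).
    p_compromised:     estimated fraction of undetected compromised nodes; each
                       participant is assumed compromised with this probability.
    Compromised participants always vote "no" on good targets and "yes" on bad ones.
    """
    if m < 1 or m % 2 == 0:
        raise ValueError("m must be odd and positive so the vote cannot tie")
    # wrong vote on a bad target: compromised voter keeps it, or honest voter misses it
    p1_vote = p_compromised + (1 - p_compromised) * host_fn
    # wrong vote on a good target: compromised voter evicts it, or honest voter false alarm
    p2_vote = p_compromised + (1 - p_compromised) * host_fp
    return majority_wrong(m, p1_vote), majority_wrong(m, p2_vote)


def sweep_m(host_fn=0.05, host_fp=0.05, p_compromised=0.10):
    """(P1, P2) for the deck's m = 3, 5, 7 under constructed host-IDS values."""
    return {m: voting_ids_probabilities(m, host_fn, host_fp, p_compromised)
            for m in (3, 5, 7)}
```

With honest voters wrong less than half the time, both probabilities fall as m grows, which is the "small m gives a large false alarm probability" effect the results slides describe; once p_compromised pushes the per-vote error above 1/2, a larger m makes things worse, which is the collusion case.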
System Model – Failure Definitions
• System Failure Definition 1 (SF1): the GCS fails when any mobile group fails.
• System Failure Definition 2 (SF2): the GCS fails when all mobile groups fail.
• Evaluation of the effect of the two system failure definitions on the MTTSF of the system.
System Model – Failure Conditions
• Condition 1 (C1): an undetected compromised member requests and obtains data using the group key (leading to the loss of system integrity).
• Condition 2 (C2): more than 1/3 of the group member nodes are compromised but undetected by the IDS. This failure condition follows the Byzantine failure model (loss of availability of system service).
System Model - Connectivity
• Single hop: a single group, not experiencing group merge or partition events; SF1 and SF2 are the same.
• Multi-hop: there are multiple groups in the system due to group partition/merge.
System Model – Reliability
• MTTSF indicates the lifetime of the GCS before it fails.
• A GCS fails when one mobile group fails, or when all mobile groups fail in the mission-oriented GCS, as defined by SF1 or SF2.
• A mobile group fails when either C1 or C2 is true.
• A lower MTTSF implies a faster loss of system integrity or availability.
Outline
• Introduction (A.H. Saoud)
• System Model (A.H. Saoud)
Performance Model (R. Mitchell)
Parameterization (R. Mitchell)
• Numerical Results, and Analysis (C. Jian)
• Applicability & Conclusion (C. Jian)
Performance Model
• SPN (stochastic Petri net)
• Places
• Transitions
• Review
Places
• groups: NG
• uncompromised members: Tm
• undetected compromised nodes: UCm
• evicted nodes: DCm
  • well-detected compromised
  • falsely detected uncompromised
• security failure: GF
  • absorbing
Transitions
• group partition: TPAR
• group merge: TMER
• member compromise: TCP
• false detection: TFA
• confidentiality violation (C1): TDRQ
  • rate = λq · mark(UCm) · p1
• well detection: TIDS
• rekey: TRK
Review
• Why is the TDRQ rate scaled by p1?
• Where is the Byzantine failure (C2) transition into GF?
  • TBYZ from UCm with multiplicity mark(Tm) / 2
• Derive the SF2 reward model
Parameterization
• TRK rate
• TCP rate
• IDS interval δ
• Pfp and Pfn
TRK rate
• For one group: bGDH / datalink rate
• For multiple groups: 3bGDH(N-1) / datalink rate
TCP rate
• The adversary becomes more aggressive when they have the upper hand
• λc · (mark(Tm) + mark(UCm) / mark(Tm))
IDS interval δ
• The IDS becomes more aggressive as it detects more compromised nodes
• (TIDS)^-1 · (Ninit / (mark(Tm) + mark(UCm)))
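To make the tradeoff the deck analyzes with its SPN concrete, here is an added Monte Carlo sketch of one mobile group (my code, not the authors' SPN model): it applies the TCP, TIDS and TDRQ rate scalings from the Parameterization slides and the C1/C2 failure conditions, then estimates MTTSF for several TIDS values. All parameter values, the one-target-per-IDS-run assumption, and the reading of the TCP rate as λc · (Tm + UCm) / Tm are constructed assumptions.

```python
import random


def simulate_lifetime(n_init=30, lam_c=1 / 3600, lam_q=1 / 60, t_ids=300.0,
                      p_fn=0.10, p_fp=0.05, horizon=30 * 24 * 3600.0, seed=1):
    """Gillespie-style run of one mobile group; returns its time to security failure.

    tm = tokens in Tm (uncompromised), ucm = tokens in UCm (undetected compromised);
    evicted nodes (DCm) are implicit. Failure is C1 (an undetected compromised node
    obtains data, TDRQ) or C2 (more than 1/3 of the remaining members compromised).
    Constructed defaults: lam_c = 1/3h and lam_q = 1/min from the deck's ranges.
    """
    rng = random.Random(seed)
    tm, ucm, t = n_init, 0, 0.0
    while True:
        alive = tm + ucm
        if alive == 0:
            return t                                  # every member has been evicted
        r_cp = lam_c * alive / tm                     # TCP: attacker grows bolder as UCm grows
        r_ids = (1.0 / t_ids) * (n_init / alive)      # TIDS: IDS runs more often as nodes are lost
        r_drq = lam_q * ucm * p_fn                    # TDRQ: data leak by an undetected bad node
        total = r_cp + r_ids + r_drq
        t += rng.expovariate(total)
        if t >= horizon:
            return horizon                            # censored: no failure within the horizon
        u = rng.random() * total
        if u < r_cp:                                  # member compromise: Tm -> UCm
            tm, ucm = tm - 1, ucm + 1
        elif u < r_cp + r_ids:                        # IDS evaluates one random target node
            if rng.random() * alive < ucm:
                if rng.random() >= p_fn:              # well detection: UCm -> DCm
                    ucm -= 1
            elif rng.random() < p_fp:                 # false positive: Tm -> DCm
                tm -= 1
        else:
            return t                                  # C1: integrity lost
        if 3 * ucm > tm + ucm:
            return t                                  # C2: Byzantine threshold crossed


def mttsf(runs=200, **params):
    """Mean time to security failure over independent seeded runs."""
    return sum(simulate_lifetime(seed=s, **params) for s in range(runs)) / runs


def best_ids_interval(candidates=(5, 30, 120, 300, 1200), runs=100, **params):
    """The TIDS value (seconds) with the highest estimated MTTSF among the candidates."""
    return max(candidates, key=lambda t: mttsf(runs=runs, t_ids=float(t), **params))
```

With the constructed defaults, very short intervals lose good nodes to false positives while very long ones leave compromised nodes in place, which is the shape of the optimal-TIDS curves on the results slides.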
Outline
• Introduction (A.H. Saoud)
• System Model (A.H. Saoud)
• Performance Model (R. Mitchell)
• Parameterization (R. Mitchell)
Numerical Results, and Analysis (C. Jian)
Applicability & Conclusion (C. Jian)
Parameterization & Metric
Metric: MTTSF

Parameter                          Values                                    Notes
IDS interval (TIDS), single-hop    5s - 1200s                                SF1 = SF2
IDS interval (TIDS), multi-hop     5s - 1200s                                SF1, SF2
# of vote-participants (m)         3, 5, 7
group communication rate λq        1/30s, 1/1min, 1/2min, 1/4min, 1/8min
base compromising rate λc          1/3h, 1/6h, 1/12h, 1/d, 1/2d
TIDS on MTTSF under m (1)
• An optimal TIDS exists:
  • MTTSF increases as TIDS increases while the negative effects of IDS are mostly due to false positives
  • MTTSF decreases as TIDS increases once more compromised nodes remain in the system
TIDS on MTTSF under m (2)
• A large m reduces the possibility of collusion by compromised nodes, thus giving a high MTTSF
• With a small m, the false alarm probability is relatively large, resulting in a small MTTSF
TIDS on MTTSF under m (3)
• MTTSF in single-hop is comparatively higher than in multi-hop due to the difference in node density (adverse effect)
• MTTSF under SF2 > MTTSF under SF1
Sensitivity of MTTSF on λq (1)
• When λq is low, MTTSF is high; when λq is high, MTTSF is low
  • depends on the frequency of data-leak attacks
• As λq increases, the optimal TIDS becomes smaller
  • the adverse effect of false positives dominates when TIDS is sufficiently small
Sensitivity of MTTSF on λq (2)
• Optimal TIDS in single-hop < optimal TIDS in multi-hop, because single-hop needs to perform IDS more frequently to counter the potentially larger number of compromised nodes
• MTTSF under SF2 > MTTSF under SF1
Sensitivity of MTTSF on λc (1)
• The IDS is more effective when λc is sufficiently low
Sensitivity of MTTSF on λc (2)
• Single-hop MANETs have a higher MTTSF because more members exist in single-hop MANETs
• The optimal TIDS is smaller in single-hop MANETs under identical conditions because the system tends to execute IDS more frequently
Conclusion
• A mathematical model
  • input: operational conditions, system failure definitions, attacker behaviors
  • output: the optimal rate at which to execute intrusion detection to enhance the system reliability of the GCS
• Results: how the optimal TIDS varies with m, node density or group size, λq, λc

Questions?