Security Threats
in
Mobile Ad Hoc Networks
Intrusion Detection
Intrusion is any set of actions that attempt to
compromise the integrity, confidentiality, or availability of
a resource [1].
An intrusion detection system (IDS) is a system for the
detection of such intrusions. IDSs detect violations of a
security policy and respond to the detected intrusions,
for example by raising an alarm to the proper authority.
Security Life Cycle
Figure: the security life cycle. Stages: plans, rules and constraints; access control and authentication; monitoring and intrusion detection; active/passive response (e.g. alarm to the proper authority).
Intrusion Detection Systems (IDS) detect possible violations of a security policy that attempt to compromise the integrity, confidentiality, or availability of a resource.
Second Line of Defense
Prevention techniques are not sufficient; intrusion detection is needed to:
o Respond quickly to an intrusion, to prevent or minimize damage to the system or its data.
o Collect information that can be used to strengthen the intrusion prevention facility.
Components of an IDS
IDS: Data Collection Component
Responsible for collecting and pre-processing
data:
o Transferring data to a common format.
o Data storage.
o Sending data to the detection module.
Data sources: System logs, network packets, etc.
Host-based IDS.
Network-based IDS.
IDS: Detection Component
o Data is analyzed to detect intrusion attempts.
o Indications of detected intrusions are sent to
the response component.
Anomaly-based
Signature-based (misuse-based)
Specification-based
Intrusion Detection Techniques 1/3
Anomaly Based Detection
Detect attacks based on deviation from the normal
or expected behaviour of the system or the users.
- Can detect novel intrusions.
- Rate of false positives is high.
- Hard to define normal behaviour.
- User behaviour can change, need updating mechanism.
Intrusion Detection Techniques 2/3
Signature Based Detection
Detect attacks based on known signatures of
attacks.
- Simple and efficient
- Rate of false positives is low
- Specifying the signatures is hard
- Cannot detect novel attacks
- Need to update the signature database regularly
Intrusion Detection Techniques 3/3
Specification Based Detection
A set of constraints on a program or a protocol is specified, and
intrusions are detected as runtime violations of these
specifications. It combines the strengths of the previous techniques.
- Detects new attacks that do not follow the system specifications.
- Does not trigger false alarms when the program or protocol has unusual but legitimate behaviour.
- Defining detailed specifications for each program/protocol can be a very time-consuming job.
- Needs updating for each new program/protocol.
- Cannot detect some kinds of attacks, such as DoS attacks, since these do not violate program specifications directly.
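The three techniques on the preceding slides, run side by side over one constructed trace. This is an added example, not code from the slides or from any of the cited systems: the packet trace, the signature, the training baseline and the protocol rule are all constructed here, and the trace only loosely imitates an AODV-style route discovery (RREQ/RREP). It shows what each technique can and cannot see: the signature catches a known symptom, the anomaly detector catches the request flood, and the specification rule catches the unsolicited reply but stays silent on the flood, which breaks no rule.

```python
"""Signature-, anomaly- and specification-based detection over one trace.

Added example, not code from the slides. The packet trace, the signature,
the training baseline and the protocol rule are all constructed here; the
trace loosely imitates an AODV-style route discovery (RREQ/RREP) and is not
a model of any real implementation.
"""
import statistics
from collections import Counter

# Constructed trace of overheard routing packets: (time, src, type, dst, seq).
# Node "M" answers B's request for E with an inflated sequence number, sends an
# RREP for F that nobody asked for, and floods route requests.
TRACE = [
    (0, "A", "RREQ", "D", 10),
    (1, "D", "RREP", "D", 11),
    (2, "B", "RREQ", "E", 5),
    (3, "M", "RREP", "E", 9999),   # matches the signature below
    (4, "M", "RREP", "F", 7),      # violates the specification below
]
TRACE += [(5, "M", "RREQ", f"X{i}", 1) for i in range(20)]  # RREQ flood (DoS)

# Signature-based: a constructed signature for an implausibly high sequence
# number in an RREP, the usual symptom of a node trying to win route selection.
SIGNATURES = {
    "inflated-seq-rrep": lambda p: p[2] == "RREP" and p[4] > 1000,
}

def signature_detect(trace):
    return [(name, p) for p in trace for name, match in SIGNATURES.items() if match(p)]

# Anomaly-based: RREQs per node per window, compared with a constructed
# training baseline of normal nodes; alert when the z-score exceeds a limit.
BASELINE_RREQ_PER_WINDOW = [2, 3, 1, 4, 2, 3, 2, 3]

def anomaly_detect(trace, baseline=BASELINE_RREQ_PER_WINDOW, z_limit=3.0):
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    counts = Counter(p[1] for p in trace if p[2] == "RREQ")
    return [(node, round((n - mean) / sd, 1)) for node, n in counts.items()
            if (n - mean) / sd > z_limit]

# Specification-based: one constructed rule, "an RREP for destination d is
# only legitimate after an RREQ for d has been seen". The RREQ flood breaks
# no rule, so this detector stays silent on the DoS: the caveat on the slide.
def specification_detect(trace):
    requested, violations = set(), []
    for p in sorted(trace, key=lambda p: p[0]):
        if p[2] == "RREQ":
            requested.add(p[3])
        elif p[2] == "RREP" and p[3] not in requested:
            violations.append(("rrep-without-rreq", p))
    return violations

def run_all(trace=TRACE):
    """Each technique sees a different slice of M's behaviour."""
    return {
        "signature": signature_detect(trace),
        "anomaly": anomaly_detect(trace),
        "specification": specification_detect(trace),
    }

if __name__ == "__main__":
    for technique, alerts in run_all().items():
        print(f"{technique:14s} {alerts}")
```

The z-score limit of 3 and the baseline are deliberately crude; in a real anomaly detector the profile would be learned per node and per window and re-trained as behaviour drifts, which is exactly the "need updating mechanism" point above.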
IDS: Response Component
o Passive
o Simply raise alarms.
o Notify the proper authority.
o Active
o Try to mitigate the effects of intrusions.
o Seek control over the attacked system:
killing processes, terminating network connections, etc.
o Seek control over the attacking system:
trying to prevent an attacker's future attempts.
Future Research on IDS
• Foundations
• Data collection
• Detection methods
• Reporting and response
• IDS environment and architecture
• IDS security
• Testing and evaluation
• Operational aspects
• Social aspects
Intrusion Detection in MANETs
o MANETs have different characteristics.
o Conventional IDSs are ineffective and inefficient for this
environment.
o New IDSs should be designed for MANETs.
o The current IDSs for wired networks should be adapted
to MANETs.
Intrusion Detection Issues in MANETs
o Lack of central points
o Mobility
o Wireless Links
o Limited Resources
o Lack of a Clear Line of Defense
o Cooperativeness
Lack of Central Points
o MANETs do not have fixed entry points, such as routers or
gateways, at which an IDS can be placed.
o A node of a mobile ad hoc network can only see a
portion of a network:
o the packets it sends or receives
o together with other packets within its radio range.
o Intrusion detection and response systems in MANETs
should be distributed and cooperative. This introduces
some difficulties.
e.g. storing and updating attack signatures
Mobility
o The network topology can change frequently on
MANETs due to nodes’ mobility.
o Mobility can cause traditional techniques of IDS to be
unreliable in MANETs.
e.g. it is hard for anomaly-based approaches to
distinguish whether a node emitting out-of-date
information has been compromised or that node has yet
to receive update information.
o IDS architecture may change with changes to the
network topology.
Wireless Links
o Wireless networks have more constrained bandwidth
than wired networks and can also have frequent link
breakages.
o Heavy IDS traffic could cause congestion and crowd out
normal traffic.
o Bandwidth limitations may cause ineffective IDS
operation.
e.g. an IDS may not be able to respond to an attack in
real-time due to communication delay.
Limited Resources
o There are many varieties of devices in MANETs from
laptops to hand held devices which can have different
computing and storage capacities.
e.g. laptops, PDAs, mobile phones
o Mobile nodes generally use battery power and have
different battery capacities.
o IDS agent may not work properly due to limited
resources.
e.g. IDS agent may not be able to process the alerts
from other nodes due to memory constraints.
Lack of a Clear Line of Defense 1/2
o MANETs do not have a clear line of defense; attacks can
come from all directions.
o There are no central points in a MANET at which access
control mechanisms can be placed.
o Attackers do not need to gain physical access to the
network to launch some kinds of attacks in MANETs,
such as passive eavesdropping and active interference.
o Critical nodes (servers, etc.) cannot be assumed to be
secured in cabinets and have a high risk of compromise
and capture.
Lack of a Clear Line of Defense 2/2
o IDS traffic should be encrypted; otherwise an eavesdropping
attacker learns how the IDS works.
o IDS agent also has a risk of being captured or
compromised.
o IDS communication can also be impeded by blocking
and jamming communications on the network.
Cooperativeness
Algorithms in MANETs are based on cooperativeness of
nodes in the network.
e.g. routing protocols
Cooperativeness can be the target of new attacks.
e.g. a node can pose as a neighbour to the other nodes
and participate in decision mechanisms, possibly
affecting significant parts of the network.
Proposed IDSs in MANETs
IDS Architecture
o Stand-alone
o Distributed and Cooperative
o Hierarchical
Distributed IDS agents are divided into small
groups :
one-hop away nodes, clusters, zones..
Architecture: Distributed & Cooperative
Figure: every node runs its own IDS agent and exchanges detection information with its neighbours.
Architecture: Hierarchical
Figure: nodes are grouped into clusters, and cluster heads collect alerts from their members.
Detection Methods
o anomaly-based
o Mobility increases the rate of false positives
o misuse-based
o Updating attack signatures is an issue
o specification-based
o Most commonly proposed technique
o Cannot detect DoS attacks
o Low false positive rate
o methods using promiscuous monitoring
Decision Making Mechanisms
o Collaborative decision-making
o more reliable.
o a few malicious nodes cannot disrupt decision-making.
o Independent decision-making
o particular nodes are responsible.
o failing of these nodes can have drastic effects.
Distributed and Cooperative IDS [11][12]
First distributed and cooperative IDS
Every node has an IDS agent and detects intrusions
locally.
IDS agents collaborates with other nodes when the
evidence to detect attacks is inconclusive and a broader
search is needed.
Use statistical anomaly-based detection
Obtain nodes’ mobility information by GPS
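The decision procedure described on the two previous slides, as an added example (not code from [11][12]): a node decides locally when its evidence is strong, and otherwise initiates a cooperative round in which one-hop neighbours that could observe the suspect vote. The confidence thresholds, the voting rule and the constructed neighbour reports are assumptions chosen for illustration. The last two scenarios show the collaborative property from the "Decision Making Mechanisms" slide: two lying neighbours cannot produce an alarm on their own, and a single observer is not enough to decide.

```python
"""Local detection with a cooperative fall-back, in the style of the Zhang and
Lee scheme above. Added example; the confidence thresholds, the vote rule and
the constructed neighbour reports are assumptions, not values from [11][12].
"""

HIGH, LOW = 0.8, 0.3   # assumed anomaly-score thresholds for strong evidence


def local_decision(score):
    """Strong evidence either way is decided locally; the middle band is
    inconclusive and triggers a global (cooperative) detection round."""
    if score >= HIGH:
        return "intrusion"
    if score <= LOW:
        return "normal"
    return "inconclusive"


def cooperative_decision(own_score, neighbour_reports, min_reports=3):
    """neighbour_reports: constructed {node_id: anomaly score} from the one-hop
    neighbours able to observe the suspect. Inconclusive votes abstain, and an
    intrusion is declared only by a strict majority of all participants, so a
    few lying or faulty nodes cannot decide the outcome by themselves."""
    verdict = local_decision(own_score)
    if verdict != "inconclusive":
        return verdict, "local"
    if len(neighbour_reports) < min_reports:
        return "inconclusive", "cooperative"   # too few observers to hold a vote
    votes = [verdict] + [local_decision(s) for s in neighbour_reports.values()]
    if votes.count("intrusion") > len(votes) / 2:
        return "intrusion", "cooperative"
    return "normal", "cooperative"


def demo():
    """Four constructed situations seen by the same monitoring node."""
    return [
        # strong local evidence: no cooperation needed
        cooperative_decision(0.9, {}),
        # weak local evidence, honest neighbours mostly agree it is an attack
        cooperative_decision(0.5, {"B": 0.9, "C": 0.85, "E": 0.2, "F": 0.95}),
        # weak local evidence, two malicious neighbours X and Y report 1.0
        cooperative_decision(0.5, {"B": 0.1, "C": 0.2, "X": 1.0, "Y": 1.0,
                                   "E": 0.15, "F": 0.2}),
        # weak local evidence and only one neighbour in range of the suspect
        cooperative_decision(0.5, {"B": 0.9}),
    ]


if __name__ == "__main__":
    for verdict, how in demo():
        print(f"{verdict:13s} ({how})")
```

The vote messages themselves would have to be authenticated, since the "Cooperativeness" slide's attacker (a node posing as a neighbour) could otherwise inject as many votes as it likes; that is out of scope here.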
Cooperative IDS using Cross-Feature
Analysis in MANETs [2][3]
Hierarchical IDS architecture, divides the network into
clusters.
Use strong feature correlation in normal behaviour
patterns.
e.g. while packet dropping is drastically increasing on the
network, there is an obvious change in routing updates.
Define simple rules to identify the attacker(s), and execute
these rules only after an anomaly is reported by the IDS agents.
For a packet dropping attack the rule uses each node m's forward percentage:
$FP_m \text{ (forward percentage)} = \dfrac{\text{packets actually forwarded}}{\text{packets to be forwarded}}$
Zone-Based Intrusion Detection System[8]
Hierarchical IDS, divides the network into zones
intrazone nodes: nodes in a zone
interzone nodes: nodes which work as a bridge to other zones
Intrazone nodes make local detection and send alerts (the probability of
an intrusion) to interzone nodes.
Interzone nodes are responsible for global aggregation and correlation to
make final decision and send alarms (real intrusion).
Aim to use different intrusion detection techniques
Use link change rate to reflect mobility model of the
network [9][13].
MIDMEF (MANET Intrusion Detection Message
Exchange Format): which defines the format of
exchanging information among IDS agents.
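An added example (not code from [8][9][13]) of the link change rate as a mobility measure, and of one way a detector can use it: tolerating more out-of-date routing information when the topology is changing fast, which addresses the problem on the "Mobility" slide of telling a compromised node from one that has simply not received an update yet. The neighbour-table snapshots are constructed, and scaling the threshold linearly with the rate is an assumption for illustration, not the scheme of the cited papers.

```python
"""Link change rate as a mobility measure, and a mobility-aware anomaly
threshold. Added example; the neighbour-table snapshots are constructed, and
scaling the threshold linearly with the link change rate is an assumption for
illustration, not the scheme of [9][13].
"""


def link_change_rate(snapshots, window):
    """Links that appeared or disappeared between consecutive neighbour-table
    snapshots, per unit time. snapshots: list of sets of neighbour ids taken
    over `window` seconds."""
    changes = sum(len(prev ^ cur) for prev, cur in zip(snapshots, snapshots[1:]))
    return changes / window


def stale_route_threshold(rate, base=0.2, k=0.1):
    """Assumed rule: tolerate more out-of-date routing information when the
    topology changes fast, since a stale entry is then more likely a late
    update than a lie. base and k are illustrative constants."""
    return base + k * rate


def is_anomalous(stale_fraction, snapshots, window):
    """stale_fraction: share of a monitored node's routing updates that were
    found to be out of date during the window."""
    return stale_fraction > stale_route_threshold(link_change_rate(snapshots, window))


# Constructed neighbour tables of one monitoring node, four snapshots over 3 s.
LOW_MOBILITY = [{"B", "C"}, {"B", "C"}, {"B", "C"}, {"B", "C", "D"}]
HIGH_MOBILITY = [{"B", "C"}, {"C", "E"}, {"E", "F", "G"}, {"A", "G"}]

if __name__ == "__main__":
    for name, snaps in (("low", LOW_MOBILITY), ("high", HIGH_MOBILITY)):
        rate = link_change_rate(snaps, 3)
        print(f"{name} mobility: rate={rate:.2f} threshold={stale_route_threshold(rate):.2f} "
              f"stale=0.30 anomalous={is_anomalous(0.3, snaps, 3)}")
```

The same 30% stale-update fraction is flagged under low mobility and accepted under high mobility; the cost is that an attacker who can also raise the link change rate (for example by repeatedly joining and leaving) buys itself more tolerance, so the mobility measure should come from the monitoring node's own observations, not from the monitored node's reports.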
General Cooperative Intrusion Detection
Architecture [7]
Hierarchical IDS with multi-layer clustering.
Data flows upward and commands flow downward in this
hierarchy. Data is acquired at the leaf nodes and
aggregated, reduced and analyzed as it flows upward.
The key idea is to detect intrusions, and correlate with
other nodes, at the lowest level possible, to reduce detection
latency and support data reduction while the data is still
sufficient.
Selection of cluster heads is based on topology and
other criteria such as connectivity, proximity, etc.
Intrusion Detection Using Multiple
Sensors [4]
Hierarchical IDS, divides the network into clusters
Cluster heads are chosen by a voting scheme based on their
connectivity.
Use mobile agents for communication which reduces
network load by moving computation to data
Three mobile agent classes are proposed: monitoring,
decision-making and action.
Figure: one-hop clustered network and two-hop clustered network.
DEMEM: Distributed Evidence-driven
Message Exchanging ID Model [10]
Distributed and cooperative IDS in which each node is
monitored by one-hop neighbor nodes
Use specification-based technique for OLSR protocol
Introduce ID messages for communication between IDS
agents
Tolerate loss of messages between IDS agents
An IDS Architecture with Stationary
Secure Database [6]
Distributed architecture consisting of IDS agents and a
stationary secure database
Military tactical environments with control centers might
be suitable for this architecture
Use misuse-based and anomaly-based techniques
together
Stationary secure database (SSD): keeps newest attack
signatures and latest patterns of normal users’ behaviors
Power-Aware Intrusion Detection [15]
o Application of evolutionary computation
techniques.
o Analyzing the power consumption of evolved
detection programs.
o Presenting trade-offs between detection
accuracy and power consumption.
o Investigating a suitable intrusion detection
architecture.
o Other approaches [16-18]
Watchdog and Pathrater [5]
Primary work on detecting misbehaving nodes and
mitigating their effect on performance.
The watchdog mechanism on each node detects
misbehaving nodes by listening promiscuously to its
one-hop neighbours.
The pathrater finds the most reliable path by using the
misbehaving-node information from the watchdog together
with link reliability data.
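An added example (not code from [5]) of the two mechanisms on a constructed three-node scenario. The watchdog on the sending node buffers each packet it hands to the next hop and, in promiscuous mode, waits to overhear that hop retransmit it; packets still buffered after a timeout count as failures, and a hop exceeding the failure threshold is reported as misbehaving. The pathrater then scores candidate paths by the average rating of their hops. Timeout, threshold and the rating constants are assumptions chosen to reproduce the behaviour described above; the paper's own values differ. The same failure counter also yields the forward percentage $FP_m$ from the Cross-Feature slide, so this block serves that passage too.

```python
"""Watchdog and Pathrater on a constructed three-node scenario.

Added example, not code from [5]. Timeout, failure threshold and the rating
constants are assumptions chosen to reproduce the behaviour described on the
slide; the paper's own values differ. The watchdog's failure counter also
yields the forward percentage feature FP_m from the Cross-Feature slide.
"""


class Watchdog:
    """Runs on the node that forwarded a packet. It buffers the packet until it
    overhears the next hop retransmit it; a packet still buffered after the
    timeout counts as a failure of that next hop."""

    def __init__(self, timeout=5, threshold=5):
        self.timeout, self.threshold = timeout, threshold
        self.pending = {}      # (next_hop, pkt_id) -> time we forwarded it
        self.total = {}        # next_hop -> packets handed to it
        self.failures = {}     # next_hop -> packets it never retransmitted
        self.misbehaving = set()

    def forwarded(self, t, next_hop, pkt_id):
        self.pending[(next_hop, pkt_id)] = t
        self.total[next_hop] = self.total.get(next_hop, 0) + 1

    def overheard(self, t, sender, pkt_id):
        # Promiscuous mode: the next hop transmitted the packet, so it did its job.
        self.pending.pop((sender, pkt_id), None)

    def tick(self, now):
        expired = [k for k, t0 in self.pending.items() if now - t0 > self.timeout]
        for next_hop, pkt_id in expired:
            del self.pending[(next_hop, pkt_id)]
            self.failures[next_hop] = self.failures.get(next_hop, 0) + 1
            if self.failures[next_hop] > self.threshold:
                self.misbehaving.add(next_hop)
        return self.misbehaving

    def forward_percentage(self, node):
        """FP = packets actually forwarded / packets to be forwarded."""
        total = self.total.get(node, 0)
        return 1.0 if total == 0 else 1 - self.failures.get(node, 0) / total


class Pathrater:
    """Keeps a rating per known node and scores a path by the average rating
    of its hops, so paths through misbehaving nodes are avoided."""

    def __init__(self, self_id):
        self.ratings = {self_id: 1.0}

    def rating(self, node):
        return self.ratings.setdefault(node, 0.5)   # neutral for newly seen nodes

    def mark_misbehaving(self, node):
        self.ratings[node] = -100.0   # assumed: strongly negative, dominates the path metric

    def path_metric(self, path):
        hops = path[1:]               # exclude ourselves
        return sum(self.rating(n) for n in hops) / len(hops)

    def best_path(self, paths):
        return max(paths, key=self.path_metric)


def simulate():
    """Constructed trace: S hands ten packets to N1 (honest) and ten to N2,
    which forwards only the first three. Returns the misbehaving set, N2's
    forward percentage and the path the pathrater selects to D."""
    wd, pr = Watchdog(timeout=5, threshold=5), Pathrater("S")
    for i in range(10):
        wd.forwarded(i, "N1", f"p{i}")
        wd.overheard(i + 1, "N1", f"p{i}")
        wd.forwarded(i, "N2", f"q{i}")
        if i < 3:
            wd.overheard(i + 1, "N2", f"q{i}")
    for node in wd.tick(now=20):
        pr.mark_misbehaving(node)
    best = pr.best_path([["S", "N1", "D"], ["S", "N2", "D"]])
    return set(wd.misbehaving), wd.forward_percentage("N2"), best


if __name__ == "__main__":
    print(simulate())
```

Two limitations the paper itself discusses are visible in the code: overhearing is taken as proof of forwarding, so a node that retransmits with insufficient power or at the wrong moment (collisions) is misjudged, and a node that drops below the threshold rate is never caught. Both are tuned by the timeout and threshold values.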
Proposed IDSs
o The systems generally cover restricted sets of attacks.
o The systems usually target a specific protocol.
o Some proposed IDS systems do not take into account
mobility of the network.
o Inadequate acknowledgement is given to the resource
constraints that many nodes are likely to be subject to,
and to the likelihood of nodes with different capabilities.
o Several network architectures proposed do not sit well
with the dynamic nature of MANETs.
o A more extensive evaluation of many of the systems
would seem appropriate.
Readings
Intrusion Detection in Mobile Ad Hoc Networks
Sevil Sen, John A. Clark
Chapter 17, Guide to Wireless Ad Hoc Networks,
Springer, 2009.
A Survey on Intrusion Detection in Mobile Ad Hoc
Networks
Tiranuch Anantvalee, Jie Wu
2007.
References
1. Heady R, Luger G, Maccabe A, Servilla M (1990) The Architecture of a Network Level Intrusion Detection System. Technical Report, Computer Science Department, University of New Mexico.
2. Huang Y, Fan W et al (2003) Cross-Feature Analysis for Detecting Ad-Hoc Routing Anomalies. In Proc of 23rd IEEE Int Conf on Distrib Comput Syst (ICDCS):478-487.
3. Huang Y, Lee W (2003) A Cooperative Intrusion Detection System for Ad Hoc Networks. In Proc of the 1st ACM Workshop on Secur of Ad Hoc and Sens Netw:135-147.
4. Kachirski O, Guha R (2003) Effective Intrusion Detection Using Multiple Sensors in Wireless Ad Hoc Networks. In Proc of the 36th IEEE Int Conf on Syst Sci (HICSS).
5. Marti S, Giuli TJ et al (2000) Mitigating Routing Misbehaviour in Mobile Ad Hoc Networks. In Proc of 6th ACM Int Conf on Mobil Comput and Netw (MobiCom):255-265.
6. Smith AB (2001) An Examination of an Intrusion Detection Architecture for Wireless Ad Hoc Networks. In Proc of 5th Natl Colloq for Inf Syst Secur Educ.
7. Sterne D, Balasubramanyam P et al (2005) A General Cooperative Intrusion Detection Architecture for MANETs. In Proc of the 3rd IEEE IWIA.
8. Sun B (2004) Intrusion Detection in Mobile Ad Hoc Networks. PhD Thesis, Computer Science, Texas A&M University.
9. Sun B, Wu K et al (2006) Zone-Based Intrusion Detection System for Mobile Ad Hoc Networks. Int J of Ad Hoc and Sens Wirel Netw 2:3.
10. Tseng CH, Wang SH (2006) DEMEM: Distributed Evidence Driven Message Exchange Intrusion Detection Model for MANET. In Proc of the 9th Int Symp on Recent Adv in Intrusion Detect, LNCS 4219:249-271.
11. Zhang Y, Lee W (2000) Intrusion Detection in Wireless Ad Hoc Networks. In Proc of the 6th Int Conf on Mobil Comput and Netw (MobiCom):275-283.
12. Zhang Y, Lee W (2003) Intrusion Detection Techniques for Mobile Wireless Networks. Wirel Netw:545-556.
13. Sun B, Wu K, Wang R (2007) Integration of mobility and intrusion detection for wireless ad hoc networks. Int J Communication Systems 20(6):695-72.
14. Sen S, Clark J (2009) Intrusion Detection in Mobile Ad Hoc Networks. Chapter 17, Guide to Wireless Ad Hoc Networks, Springer.
15. Sen S, Clark J (2011) Evolutionary Computation Techniques for Intrusion Detection in Mobile Ad Hoc Networks. Computer Networks 55(15).
16. Kim H (2006) Lifetime-enhancing Selection of Monitoring Nodes for Intrusion Detection in MANETs. International Journal of Electronics and Communications 60.
17. Sirinivasan T, Mahadevan V, Meyyappan et al (2006) Hybrid Agents for Power-Aware Intrusion Detection in Highly Mobile Ad Hoc Networks. IEEE Computer Society.
18. Karygiannis A, Antonakakis E, Apostolopous A (2006) Detecting Critical Nodes for MANET Intrusion Detection Systems. In Proceedings of the 2nd International Workshop on Security, Privacy, and Trust in Pervasive and Ubiquitous Computing, IEEE.
19. Xiao Y, Shen X, Anantvalee T, Wu J (2006) A Survey on Intrusion Detection in Mobile Ad Hoc Networks. Wireless/Mobile Network Security, Chapter 7, Springer.