Intrusion Detection Techniques in Mobile Ad Hoc and Wireless Sensor Networks - IEEE October 2007
CMSC 681 - Advanced Computer Networks
Oleg Aulov
MANET and WSN
No wires, limited battery life, limited memory and processing capability
No base stations, mobile nodes, nodes relay data (act as routers)
Usually no centralized authority
Deployed in adverse or hostile environments
Prevention (secret-key distribution and management schemes) does not work once a node is compromised and its secrets leak; insiders can cause greater damage.
IDS - second line of defence
IDS - dynamically monitors the system to detect compromise of confidentiality, availability and integrity.
Two common types:
Misuse based - stores a database of known attacks
Anomaly based - creates a normal profile of system states or user behaviors (difficult to build; mobility challenges)
Specification based - manually developed specs, time-consuming
ID in MANET - attacks
Routing logic compromise - blackhole, routing update storm, fabrication
Traffic distortion - dropping, corruption, flooding
Others - rushing, wormhole, spoofing
MANET - Existing Research - Zhang et al
Agent attached to each node, performs ID and response individually
Unsupervised method to construct and select the feature set (distance, velocity, number of hops, etc.)
Pattern classification problem - apply RIPPER (decision tree for rule induction) and SVM Light (support vector machine, used when data cannot be classified by the set of features) algorithms
Post-processing - to eliminate false alarms
MANET - Existing Research - Huang et al
Cross-feature analysis - learning-based method to capture correlation patterns.
L features f1, f2, ..., fL; each fi is a feature characterizing topology or route activities.
Solve a classification problem: for each i, create the set Ci = {f1, ..., fi-1, fi+1, ..., fL}, used to identify the temporal correlation between one feature and all the other features.
Ci - very likely to predict fi correctly in normal circumstances, very unlikely during an attack.
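The cross-feature idea above, worked through in code as an added example (not code from Huang et al. or from the slides): each Ci is a small smoothed conditional-frequency model that predicts fi from the other features, and a record whose features stop predicting each other scores low. The feature names, the discretised training records and the blackhole-style record are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed per-node feature records, each value discretised to low/mid/high.
# Assumed feature order: rreq_rate, route_changes, fwd_ratio, hop_count.
NORMAL = [
    ("low", "low", "high", "mid"), ("low", "low", "high", "low"),
    ("mid", "mid", "high", "mid"), ("mid", "mid", "high", "high"),
    ("high", "high", "high", "mid"), ("high", "high", "high", "high"),
    ("low", "low", "high", "mid"), ("mid", "mid", "high", "low"),
]
ALPHA = 0.5  # Laplace smoothing so an unseen context never yields probability 0

def train(records):
    """Build C_i for every feature i: counts of f_i conditioned on each other f_j."""
    n = len(records[0])
    models = []
    for i in range(n):
        pair = defaultdict(Counter)  # (j, value of f_j) -> Counter of f_i values
        marg = Counter(r[i] for r in records)
        for r in records:
            for j in range(n):
                if j != i:
                    pair[(j, r[j])][r[i]] += 1
        models.append((pair, marg))
    return models

def feature_prob(model, i, record):
    """Average over j != i of the smoothed P(f_i = observed | f_j = observed)."""
    pair, marg = model
    probs = []
    for j, v in enumerate(record):
        if j != i:
            counts = pair.get((j, v), Counter())
            total = sum(counts.values())
            probs.append((counts[record[i]] + ALPHA) / (total + ALPHA * len(marg)))
    return sum(probs) / len(probs)

def score(models, record):
    """Cross-feature score: how well the other features predict each feature (1 = perfect)."""
    return sum(feature_prob(m, i, record) for i, m in enumerate(models)) / len(models)

def is_anomalous(models, thr, record):
    return score(models, record) < thr

MODELS = train(NORMAL)
# Alarm threshold: a fraction of the worst score seen on normal training data.
THR = 0.7 * min(score(MODELS, r) for r in NORMAL)
# Constructed blackhole-style record: route requests keep arriving but nothing is forwarded.
ATTACK = ("high", "low", "low", "mid")
```

With such a tiny training set the threshold margin matters: an unseen but legitimate combination of feature values scores lower than the training records, so the margin is what keeps it below the alarm line.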
MANET - Existing Research - Huang and Lee
Collaboration with neighbors - broader ID range, more accurate, more information about attacks
Cluster-based detection scheme - FSM with states Initial, Clique, Done, Lost
Ad hoc On-Demand Distance Vector (AODV) algorithm
EFSA (extended finite state automaton) - detects state and transition violations
Specification-based approach; detects abnormal patterns and anomalous basic events.
MANET - Existing Research - Marti et al
Watchdog and Pathrater to identify and respond to routing misbehaviors.
Each node verifies that its data was forwarded correctly.
DSR - dynamic source routing
Rate routes and use the more reliable ones.
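An added illustration of the watchdog and pathrater mechanism described above (not code from Marti et al. or from the slides): the watchdog buffers the packets it forwarded and charges a failure to the next hop when the retransmission is not overheard before a deadline, and the pathrater then prefers the source route that avoids the reported node. The timeout, failure threshold, rating values and the traffic trace are assumed, constructed values.

```python
from collections import defaultdict

TIMEOUT = 2          # time units the next hop has to retransmit an overheard packet
FAIL_THRESHOLD = 3   # missed forwards tolerated before a node is reported as misbehaving

class Watchdog:
    """Runs on a forwarding node: listens promiscuously for the next hop retransmitting."""
    def __init__(self):
        self.pending = {}                 # packet id -> (next hop, deadline)
        self.failures = defaultdict(int)  # next hop -> missed forwards
        self.misbehaving = set()

    def forwarded(self, pkt_id, next_hop, now):
        self.pending[pkt_id] = (next_hop, now + TIMEOUT)

    def overheard(self, pkt_id, sender, now):
        """The next hop retransmitted the packet in time: clear it from the buffer."""
        entry = self.pending.get(pkt_id)
        if entry and entry[0] == sender and now <= entry[1]:
            del self.pending[pkt_id]

    def tick(self, now):
        """Expire overdue packets, blame the responsible hop, return the reported set."""
        for pkt_id, (hop, deadline) in list(self.pending.items()):
            if now > deadline:
                del self.pending[pkt_id]
                self.failures[hop] += 1
                if self.failures[hop] > FAIL_THRESHOLD:
                    self.misbehaving.add(hop)
        return set(self.misbehaving)

def pathrater(paths, misbehaving, neutral=0.5, bad=-100.0):
    """Pick the source route whose intermediate nodes have the best average rating."""
    def path_metric(path):
        hops = path[1:-1]
        return sum(bad if n in misbehaving else neutral for n in hops) / max(1, len(hops))
    return max(paths, key=path_metric)

def run_demo():
    """Constructed trace: A forwards packets 0..5 to B, but B only retransmits packet 0."""
    wd = Watchdog()
    for t in range(6):
        wd.forwarded(t, "B", now=t)
        if t == 0:
            wd.overheard(0, "B", now=t)
        wd.tick(now=t)
    reported = wd.tick(now=10)  # let the remaining deadlines expire
    best = pathrater([("S", "A", "B", "D"), ("S", "A", "C", "D")], reported)
    return reported, best
```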
MANET - Existing Research - Tseng et al
Based on AODV - specification-based ID
Detects run-time violations
FSM - specifies the behaviors of AODV
Maintains RREP and RREQ messages
MANET - Existing Research - Sun et al
Use Markov chains to characterize normal behaviors
Motivated by ZBIDS (zone-based IDS) - locally generated alerts inside the zone
Gateway nodes - broadcast alerts within the zone
IDMEF (Intrusion Detection Message Exchange Format) - presented to facilitate interoperability of IDS agents.
ID in WSN
Secure Localization
GPS not feasible
Utilization of beacon packets and beacon nodes
Du et al - utilize deployment knowledge to confirm beacon integrity
Liu et al - filter out malicious location references using mean square error: compute the inconsistency; voting-based location estimation
Secure Aggregation
Wagner - robust statistics for resilient aggregation: truncation, trimming
Yang - Secure Hop-by-Hop Aggregation Protocol (SDAP): divide and conquer, commit and attest, Grubbs' test
Buttyan - RANSAC paradigm for resilient aggregation; maximum likelihood estimation
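Truncation and trimming as an added, constructed example of the resilient-aggregation idea attributed to Wagner above (not code from the paper or from the slides): the sensor readings, the valid physical range and the attacker values are assumptions. It also checks the bound that trimming k extremes keeps the estimate inside the honest readings' range for up to k compromised sensors, which truncation alone cannot give against an in-range attacker.

```python
from statistics import mean

# Constructed temperature readings (degrees C) from nine honest sensors in one cluster.
HONEST = [21.3, 21.8, 22.0, 21.5, 22.2, 21.9, 21.7, 22.1, 21.6]
VALID_RANGE = (-40.0, 85.0)  # assumed physical range the sensor hardware can report

def truncate(readings, lo, hi):
    """Truncation: discard readings a real sensor could not have produced."""
    return [r for r in readings if lo <= r <= hi]

def trimmed_mean(readings, k):
    """Trimming: drop the k smallest and k largest readings, then average the rest.
    Up to k compromised sensors cannot push the result outside the honest readings' range."""
    if k < 0 or 2 * k >= len(readings):
        raise ValueError("k must satisfy 0 <= k < len(readings) / 2")
    ordered = sorted(readings)
    return mean(ordered[k:len(ordered) - k])

def resilient_aggregate(readings, lo=VALID_RANGE[0], hi=VALID_RANGE[1], k=1):
    """What the cluster head computes: truncate first, then take the trimmed mean."""
    return trimmed_mean(truncate(readings, lo, hi), k)

def compare(readings):
    """Plain mean versus resilient aggregate for the same batch of readings."""
    return mean(readings), resilient_aggregate(readings)

def bounded_by_honest(honest, attacker_values):
    """Check the trimming guarantee: with k = number of attackers the estimate stays
    inside [min(honest), max(honest)] whatever values the attackers report."""
    est = trimmed_mean(honest + attacker_values, k=len(attacker_values))
    return min(honest) <= est <= max(honest)

# Two constructed compromised batches: one absurd value and one inside the valid range.
OBVIOUS = HONEST + [250.0]
SUBTLE = HONEST + [84.9]
```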
Future Research Directions
Extended Kalman Filter based aggregation - lightweight solution for estimating neighbor monitoring features
Integration of mobility and ID in MANET - consider using the link change rate as an indication of mobility.
Collaboration of IDM and SMM (system monitoring module) - to address the problem of distinguishing an abnormal event from a false alarm: ask the surrounding nodes to confirm.
Questions ???