On the effectiveness of monitoring for intrusion detection...
Slide 1 (source: people.cs.vt.edu/~irchen/6204/pdf/Boppana-TMC11-slide.pdf)
Rajendra V. Boppana and Xu Su
On the effectiveness of monitoring for intrusion detection in mobile ad hoc networks
Slide 2
Intrusion Detection System
Monitoring-based IDT: some or all nodes monitor the transmission activities of other nodes.
IDT in MANET: noise and interference cause false positives.
[Diagram: three nodes A, B, C in a chain, with packets shown between them]
Slide 3
Outline
- 3-node testbed experiment
- Analytical model
- Noise modeling
- Effectiveness analysis in MANET
- Conclusion
Slide 4
3-Node Experiment
Slide 5
Intrusion Detection Monitoring
- Fixed window
- Sliding window
- Threshold T; suspicion threshold L = W·T
Slide 6
Testbed Setting
3-node setting: Linksys WRT54G Wi-Fi routers
Linear chain in a long corridor, nodes 20' apart
From 2:00 am to 5:00 am
Every node records the packet IDs it receives, transmits, or overhears
[Diagram: A, B, C chain; 200 Kbps of traffic, fifty 500-byte packets per second; every packet is transmitted]
Slide 7
Test result with W=150
Though the testbed is small, it shows some interesting results.
Slide 8
Analytical Model
Slide 9
Analytical Model
Notation
- $t_i$: number of packets transmitted by node i
- $r_i$: number of packets received by node i
- $o_i$: number of packets overheard by node i
- $q = \frac{r_2 - o_1}{r_2}$: overall not-overheard rate due to the noise
e.g. in the 3-node setting: $r_1 = o_2 = o_3 = t_3 = 0$; $t_1 \ge r_2 \ge t_2$ and $o_1 \le t_2$
Sliding window size monitoring: discrete Markov chain
Slide 10
Sliding Window Size Monitoring: Discrete Markov Chain
$$p_{i,i-1} = P[\text{the oldest packet in the current window is not overheard} \cap \text{the newest packet in the next window is overheard} \mid \text{current state} = s_i] = \frac{i}{W}(1-q)$$
$$p_{i,i+1} = P[\text{the oldest packet in the current window is overheard} \cap \text{the newest packet in the next window is not overheard} \mid \text{current state} = s_i] = \left(1-\frac{i}{W}\right) q$$
Slide 11
Cont.
The purpose of the Markov chain is to estimate the time for a node to suspect the next node.
It can be partitioned into , so after n steps the transition probability has the form
$T_0$ is the number of packets that node 1 transmits before it suspects node 2 is malicious.
Slide 12
Fixed Window Size Monitoring
Model as a binomial distribution: the number of not-overheard packets in a window, where W is the window size and q is the overall not-overheard rate.
The probability that fewer than L (the suspicion threshold) packets are not overheard.
The average number of fixed windows that need to be checked before a fixed window has L or more not-overheard packets.
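The two models above, the sliding-window Markov chain of slides 10 and 11 and the fixed-window binomial model of slide 12, evaluated numerically in an added Python example that is not part of the slides or of the authors' code. It assumes the chain starts in state $s_0$, that the expected absorption time from the authors' partitioned-matrix form equals the birth-death hitting-time recursion used here, and that the example parameters (T, q) are constructed, since the slides give no values; the function names are mine.

```python
from math import comb


def fixed_window_alarm_prob(W: int, L: int, q: float) -> float:
    """P(X >= L) where X ~ Binomial(W, q) is the number of not-overheard
    packets in one fixed window of W packets and q is the not-overheard rate.
    With no malicious node this is the false-positive probability per window."""
    p_below = sum(comb(W, k) * q**k * (1 - q) ** (W - k) for k in range(L))
    return 1.0 - p_below


def fixed_window_expected_windows(W: int, L: int, q: float) -> float:
    """Average number of fixed windows checked before one has L or more
    not-overheard packets: geometric, 1 / P(X >= L)."""
    p_alarm = fixed_window_alarm_prob(W, L, q)
    return float("inf") if p_alarm == 0.0 else 1.0 / p_alarm


def sliding_window_transitions(W: int, q: float, i: int) -> tuple[float, float]:
    """(p_{i,i-1}, p_{i,i+1}) of the slide's chain from state s_i, i.e. i
    not-overheard packets in the window; each slide drops the oldest packet
    and adds the newest one."""
    down = (i / W) * (1 - q)   # oldest was not overheard, newest is overheard
    up = (1 - i / W) * q       # oldest was overheard, newest is not overheard
    return down, up


def sliding_window_expected_steps(W: int, L: int, q: float) -> float:
    """Expected number of window slides from s_0 until the chain first reaches
    the suspicion state s_L.  Birth-death hitting-time recursion (assumption:
    equivalent to the paper's partitioned-matrix absorption time): m_i, the
    expected slides from s_i to s_{i+1}, is (1 + p_{i,i-1} m_{i-1}) / p_{i,i+1}."""
    if not 0 < L <= W:
        raise ValueError("need 0 < L <= W")
    if q <= 0.0:
        return float("inf")   # nothing is ever missed, so s_L is unreachable
    total, m_prev = 0.0, 0.0
    for i in range(L):
        down, up = sliding_window_transitions(W, q, i)
        m_i = (1.0 + down * m_prev) / up
        total += m_i
        m_prev = m_i
    return total


if __name__ == "__main__":
    # Constructed parameters: the testbed's W=150, an assumed T=0.2 (L=30), q=0.1.
    W, L, q = 150, 30, 0.1
    print("fixed-window P(alarm) per window:", fixed_window_alarm_prob(W, L, q))
    print("fixed windows until alarm:", fixed_window_expected_windows(W, L, q))
    print("window slides until suspicion:", sliding_window_expected_steps(W, L, q))
```

Lowering q (less noise) or raising L pushes both expected counts up sharply, which is the false-positive trade-off the slides discuss.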
Slide 13
Model
Slide 14
The time can be calculated by
Slide 15
Noise Modeling
Slide 16
Background Noise Measurement Testbed
8 WRT54G Wi-Fi routers
Each router reports its noise level every 100 ms
Note that the measured noise level is much higher than the default ambient noise levels used in current simulators.
Slide 17
Matlab Model
Slide 18
GEV Noise Model
RMSE
Slide 19
Why GEV?
- GEV is a simple parametric noise model
- Easily adjusted to simulate different background noise
- GEV is not computationally expensive compared to CPM
- GEV has reasonable accuracy
Slide 20
IDT Effectiveness in MANET
Slide 21
Simulation of MANET
Performance metrics:
- Number of nodes suspected
- False positives
- Network throughput
Simulation setting:
- High density: 1500 × 300
- Low density: 2200 × 440
- Sliding window with the default noise model
- Sliding window with the GEV noise model
Slide 22
IDT Setting
Watchdog Intrusion Detection: a monitoring-based scheme with three components:
- Watchdog
  - Sends an alarm to the source if the next hop is suspected
  - Clears the monitoring window if the path breaks
- Path rater
  - Each node is rated based on its observed behavior
  - A route's rating is the sum of the ratings of the nodes along the path
  - The source always chooses the highest-rated path
- Route request
  - New route discovery is initiated when all paths have a negative rating
Slide 23
Simulation Result & Discussion: no malicious node
Slide 24
Simulation Result & Discussion: 10 malicious nodes
Slide 25
Conclusion & Discussion
- Monitoring-based IDT is not accurate in ad hoc networks due to noise and other interference
- The default noise model in simulation is not good for ad hoc networks
- Based on simulation of a large ad hoc network, monitoring-based IDT may
  - reduce the performance of a normal network
  - not improve the network throughput
Questions?
Slide 26
Thank You