8/3/2019 Intrusion Detection on MANETS
Intrusion Detection on Manets
Kulesh [email protected]
SYN
Overview of Manets
Overview of IDS
Problems of Current Techniques
Research Challenges
Proposed Solutions
Conclusion
FIN
Manets: How Ad-Hoc is Ad-Hoc?
No, really?
Mechanics of Manets
- Auto-configuration (zeroconf, IPng)
  - Nodes should be able to configure themselves when they join a community (e.g. choosing names, locating services)
  - The mechanics of configuration should be transparent to applications
- Routing (manet)
  - Table-driven vs. on-demand algorithms
  - Performance depends on topology, density, size, mobility etc., so it is hard to agree upon a standard
- Applications
  - We really don't know yet
- Security (manet)
  - Security of operations (e.g. integrity of the routing mechanisms)
  - Physical security of nodes (e.g. lost devices, tampering)
  - Who is the weakest link? (the network is only as secure as its weakest link)
Vulnerabilities of Manets
Vulnerabilities accentuated by the manet context
- Access control: there is no physical boundary and no packet boundary to enforce it at
- Shared, open broadcast medium
- E.g. IP masquerading, passive eavesdropping, DoS
Vulnerabilities specific to manets
- Trust: there is no trusted underlying infrastructure
- Collaborative participation of the nodes is mandatory for routing and auto-configuration, so a misbehaving node breaks both
- E.g. Refusal of Service (RoS), emission of false routing information, sleep-deprivation torture, DoS on the MAC layer, DoS on DAD (duplicate address detection)
Homework: List at least 5 properties of manets that accentuate security vulnerabilities. Explain how they impact security, with examples.
Intrusion Detection Systems
Attempt to detect intrusions on autonomous systems, e.g. computer networks
Based on deployment
- Host based (HIDS) (e.g. ZoneAlarm): uses the host's audit logs and the traffic visible to that host
- Network based (NIDS) (e.g. NFR): uses the network traffic observable at a monitoring point
Based on technique
- Anomaly detection (e.g. deviation from a learned normal profile)
- Misuse detection (e.g. matching attack signatures)
- Specification based (e.g. monitoring protocol invariants for violations)
- Policy based (e.g. monitoring for policy violations)
Requirements of an IDS on Manets
1. Not introduce a new weakness
   The detection system itself should not make the node weaker than it already is (e.g. a monitor that listens in promiscuous mode processes every frame in radio range, not only its own)
2. Need little system resources
   In general nodes on manets have stringent resource constraints (e.g. they may not be able to run complex detection algorithms)
3. Have a proper response for detections
   An IDS should not only detect but also respond to the detected intrusions, preferably without human intervention (e.g. modify the firewall to block the attacking hosts)
4. Be reliable
   Few false positives, as there is no extensive crisis-control infrastructure to handle alarms
5. Interoperate with other IDS
   Be able to collaborate with other nodes for detection or response (e.g. use standards)
Problems of Current Techniques
- Lack of traffic convergence points
  - Prohibits the use of NIDS, firewalls, policy enforcement points etc.
- Lack of available data at hosts
  - ID algorithms have to work with partial and localized information from in and around the radio range of the host
- Lack of communication among nodes
  - Disconnected operations
  - Location-dependent computing
- Lack of standards
  - Lack of protocol standards, so the signature base grows multiplicatively:
    |signatures| = |protocols| * |vulnerabilities| * |topologies|
- Lack of understanding of the applications
Research Challenges [1]
- What is a good system architecture for building intrusion detection and response systems for manets?
- What are appropriate audit data sources?
- How do we detect anomalies based on partial, localized data if they are the only reliable data sources?
- What is a good model of activities in a manet that can separate anomaly under attack from normalcy?
- Can we improve routing and zero-conf protocols to support intrusion detection systems?
Proposed Solution
Anomaly Detection In General
1. Pick a learning algorithm
2. Pick some features
3. Train the algorithm
4. Test the algorithm
5. Tune the algorithm and the features
6. Go to 3
[Figure: data and features feed a learning algorithm, which produces results]
Anomaly Detection on Manets
Arguments for anomaly detection on manets
- One too many signatures to maintain for a misuse detection system
- Keeping the signatures up to date is a bigger problem
- Lack of centralized management and monitoring points makes policy-based systems difficult, and policies among communities may be incompatible
- Specification-based systems may work but no one has tried it, AFAIK
Arguments against anomaly detection on manets
- There may not be a clear separation between normalcy and anomaly (e.g. emission of false routing information looks like ordinary route updates)
- There may not be enough data for anomaly detection systems (e.g. disconnected operations, lack of communication in general)
- Processing and memory requirements for anomaly detection are relatively high and nodes may not be able to cope with them
- Hasn't proven itself useful in fixed networks (IMHO)
Proposed System Architecture
[Figure: an IDS agent on every node. Local data collection (system calls, communication activities etc.) feeds a local detection engine, which drives a local response; a global detection engine exchanges evidence with neighboring IDS agents over secure communication and drives a global response.]
Anomaly Detection on Manets
The Goal
Find the most useful (features, algorithm) pair for anomaly detection on manets and, using feedback, alter the routing algorithms to better support anomaly detection
Results in the best combination of (routing, features, model)
The Process
1. Choose a routing algorithm
2. Choose some features
3. Choose a modeling algorithm
4. Train and test the detection model and refine the features
5. Feed back to alter the routing algorithm
Proposed Process
PCR = Percentage of Changed Routes
PCH = Percentage of Change in the sum of hops of all routes
Training process: simulate a diversity of normal situations and gather trace data
A detection model trained on this data can work on any node
Computing the normal profile
- Denote PCR the class
- Also denote distance, direction, velocity and PCH the features
- Use n classes to represent the PCR ranges
- Apply a classification algorithm to learn a classifier for PCR
- Repeat the process to learn a classifier for PCH
Classification Algorithm
Given a set of features describing a concept, classification algorithms output classification rules (a.k.a. a classifier). For example, when using PCR as the class, given the features the output would be:
  if (distance < 0.5 && velocity < 3) PCR = 2
  else if (velocity > 5 && PCH < 10) PCR = 6
Confidence = |condition && conclusion| / |condition|
The classification rule sets for PCR and PCH together form the normal profile of the manet
Process of Anomaly Detection: Training & Testing
1. Feed the trace data to the classification algorithm
2. Compute the confidence of every classification rule
3. Compute the PCR and PCH deviation scores PCRD, PCHD
4. Assign classes {normal, abnormal} to the (PCHD, PCRD) pairs
5. Use a classification/clustering algorithm on (PCHD, PCRD, Class) to compute a classifier
6. Refine the models
Deviation (PCRD, PCHD) is measured by the confidence value of the violated classification rule
The combination of the two classifiers (from steps 2 and 5) is what runs on hosts for anomaly detection
Process of Anomaly Detection (worked example)

Trace data:
  Distance  Direction  Velocity  PCR  PCH
  0.01      S          0.1       20   15
  10        S          20        80   50
  0.02      N          0.1       0    0
        |
        v  Classification algorithm

Classification rules                          Conclusion  Confidence
  if (distance > 0.5 && velocity < 3)         PCH = 2     0.0
  else if (velocity > 5 && direction = N)     PCR = 5     0.1
  else if (velocity > 5 && PCR = 20)          PCH = 9     0.34
  else if (distance > 3.4 && velocity > 9)    PCR = 4     0.87
        |
        v  Deviation scores (confidence of the violated rule), labelled

  PCRD  PCHD  Class
  0.0   0.0   Normal
  0.1   0.0   Normal
  0.2   0.2   Normal
  0.9   0.5   Abnormal
  0.3   0.1   Normal
        |
        v  Classification/clustering algorithm

Detection model                               Conclusion
  if (PCHD < 0.5 && PCHD > 0.2)               Normal
  else if (PCHD > 0.5 && PCHD < 0.8)          Abnormal
  else if (PCRD < 0.5 && PCRD > 0.0)          Normal
  else if (PCRD > 0.8)                        Abnormal
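The four slides above (proposed process, classification rules with confidence, the training/testing steps, and the worked tables) describe one pipeline; below it is written out as runnable Python. This is an added example, not code from the slides or from Zhang and Lee [1]. The trace records are constructed, and the bin edges, the majority-class rule learner and the single-threshold second stage are my assumptions, since the deck names no specific learning algorithm.

```python
"""Toy version of the deck's PCR/PCH anomaly-detection process (added
example, not the deck's or Zhang & Lee's code).  My assumptions: a
"classification rule" is the majority PCR (or PCH) class seen for one
(distance bin, velocity bin) combination, and the second-stage classifier
is a single threshold on max(PCRD, PCHD); the deck names neither learner."""
from collections import Counter, defaultdict

# Record layout: (distance, direction, velocity, PCR, PCH); PCR and PCH
# are already quantised into small integer classes, as the deck suggests.
DIST, DIRECTION, VEL, PCR, PCH = range(5)
DIST_EDGES = (0.5, 3.0)   # -> bins 0, 1, 2
VEL_EDGES = (3.0, 9.0)

# Constructed "normal" trace: slow nodes see few route changes, fast ones many.
NORMAL_TRACE = [
    (0.01, "S", 0.1, 2, 1), (0.02, "N", 0.1, 2, 1),
    (0.10, "E", 0.5, 2, 1), (0.30, "W", 1.0, 2, 2),
    (1.00, "N", 4.0, 4, 3), (1.50, "S", 5.0, 4, 3),
    (2.00, "E", 6.0, 4, 3), (2.50, "W", 7.0, 5, 3),
    (5.00, "N", 10.0, 8, 6), (6.00, "S", 12.0, 8, 6),
    (8.00, "E", 15.0, 8, 7), (10.0, "W", 20.0, 8, 6),
]
# Constructed labelled set for step 4 of the slide.  Abnormal rows mimic a
# nearly static node whose routing table churns as if its neighbourhood were
# moving fast, e.g. a neighbour emitting false routes.
LABELLED = [
    ((0.05, "N", 0.2, 2, 1), "Normal"), ((1.20, "S", 4.5, 5, 3), "Normal"),
    ((0.20, "E", 0.8, 2, 2), "Normal"), ((7.00, "N", 14.0, 8, 6), "Normal"),
    ((0.02, "N", 0.1, 8, 7), "Abnormal"), ((0.10, "S", 0.3, 7, 6), "Abnormal"),
    ((5.00, "E", 11.0, 2, 1), "Abnormal"), ((1.50, "S", 5.0, 9, 8), "Abnormal"),
]


def bin_index(value, edges):
    """Number of edges the value is at or above: a coarse bin number."""
    return sum(value >= edge for edge in edges)


def condition(rec):
    """Rule antecedent: the record's (distance bin, velocity bin)."""
    return (bin_index(rec[DIST], DIST_EDGES), bin_index(rec[VEL], VEL_EDGES))


def learn_rules(trace, target):
    """Map each condition to (conclusion, confidence) for the target column,
    with confidence = |condition && conclusion| / |condition| as on the slide."""
    by_cond = defaultdict(Counter)
    for rec in trace:
        by_cond[condition(rec)][rec[target]] += 1
    rules = {}
    for cond, counts in by_cond.items():
        conclusion, support = counts.most_common(1)[0]
        rules[cond] = (conclusion, support / sum(counts.values()))
    return rules


def deviation(rules, rec, target):
    """Confidence of the rule the record violates, or 0.0 if none is violated.
    Caveat: a condition never seen in training matches no rule and scores 0,
    so the profile is only as wide as the simulated training scenarios."""
    rule = rules.get(condition(rec))
    if rule is None or rule[0] == rec[target]:
        return 0.0
    return rule[1]


def scores(profile, rec):
    """(PCRD, PCHD) for one record under a (pcr_rules, pch_rules, threshold) profile."""
    return deviation(profile[0], rec, PCR), deviation(profile[1], rec, PCH)


def train(trace, labelled):
    """Steps 1-5 of the slide: rules, confidences, deviations, second-stage model."""
    partial = (learn_rules(trace, PCR), learn_rules(trace, PCH), None)
    scored = [(max(scores(partial, rec)), label) for rec, label in labelled]
    # Second stage: the single threshold that best separates the labels.
    best_t, best_acc = 0.0, -1.0
    for t in sorted({s for s, _ in scored}):
        acc = sum((s > t) == (label == "Abnormal") for s, label in scored) / len(scored)
        if acc > best_acc:
            best_t, best_acc = t, acc
    return partial[0], partial[1], best_t


def detect(profile, rec):
    """Run the detection model on a fresh trace record gathered on a node."""
    return "Abnormal" if max(scores(profile, rec)) > profile[2] else "Normal"


if __name__ == "__main__":
    model = train(NORMAL_TRACE, LABELLED)
    print("threshold:", model[2])                  # 0.75
    print(detect(model, (0.03, "S", 0.2, 8, 6)))   # static node, churning routes
    print(detect(model, (6.50, "N", 13.0, 8, 6)))  # fast node, expected churn
```

The point to notice is the one the slide makes about deviation: a record only scores when it violates a rule, and it scores exactly that rule's confidence, so a minority but legitimate behaviour in the training set (the 0.75-confidence rules above) caps how low the second-stage threshold can go. A record whose feature combination was never simulated matches no rule at all and silently scores 0, which is the "lack of available data" problem from the earlier slide showing up inside the model.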
Multi-Layer Integrated IDS
An obvious next step
Conclusion
- Discussed a common process for anomaly detection on manets
- Discussed an architecture for the system
Anyone interested in furthering this work:
1. Find a realistic data set (DNE, i.e. none exists yet)
2. Brainstorm for a proper feature set
3. Pick a learning algorithm (lots of tools)
4. And the 3 Ts (train, test, tune)
5. Just don't over-fit or over-tune
References
1. Yongguang Zhang and Wenke Lee, "Intrusion Detection in Wireless Ad-Hoc Networks", MobiCom 2000
2. Patrick Albers, Olivier Camp et al., "Security in Ad-Hoc Networks: A General Intrusion Detection Architecture Enhancing Trust Based Approaches", International Workshop on Wireless Information Systems, 2002
3. RFC 2460, IETF Standards Track document, 1998
4. RFC 2051, IETF Draft document, 2000
5. Zero Configuration Networking, Internet Draft, 2002
Homework
1. List at least 5 properties of manets that accentuate security vulnerabilities and explain how they impact security, with examples.
2. List a set of features and how they can be used for anomaly detection on manets based on the following protocols:
   1. DSDV
   2. DSR
   3. AODV
Due 29th October?
FIN
Questions, Comments, Concerns