intrusion detection on manets

Upload: johnkevinstanley

Post on 07-Apr-2018

  • 8/3/2019 Intrusion Detection on MANETS

    1/22

    Intrusion Detection on Manets

    Kulesh [email protected]

  • 2/22

    SYN SYN

    Overview of Manets

    Overview of IDS

    Problems of Current Techniques

    Research Challenges

    Proposed Solutions

    Conclusion

    FIN

  • 3/22

    Manets: How Ad-Hoc is Ad-Hoc?

    No, really?

    Mechanics of Manets

    Auto-configuration (zeroconf, ipng): nodes should be able to configure themselves when they join a community (e.g. choosing names, locating services). The mechanics of configuration should be transparent to applications.

    Routing (manet): table-driven vs. on-demand algorithms. Performance depends on topology, density, size, mobility etc., so it is hard to agree upon a standard.

    Applications: we really don't know.

    Security (manet): security of operations (e.g. integrity of routing mechanisms etc.); physical security of nodes (e.g. lost devices, tampering etc.). Who is the weakest link? (The network is only as secure as its weakest link.)

  • 4/22

    Vulnerabilities of Manets

    Vulnerabilities accentuated by the manet context

    Access control: lack of a physical boundary / packet boundary; shared, open broadcast medium. E.g. IP masquerading, passive eavesdropping, DoS.

    Vulnerabilities specific to manets

    Trust: lack of trust in the underlying infrastructure; collaborative participation of networks is mandatory for routing and auto-configuration. E.g. Refusal of Service (RoS), emission of false information, sleep-deprivation torture, DoS on MAC, DAD.

    Homework: List at least 5 properties of manets that accentuate security vulnerabilities. Explain how they impact security, with examples.

  • 5/22

    Intrusion Detection Systems

    Attempts to detect intrusions on autonomous systems, e.g. computer networks.

    Based on deployment:

    Host Based (HIDS) (e.g. ZoneAlarm): uses the host's audit logs & visible traffic for intrusion detection.

    Network Based (NIDS) (e.g. NFR): uses substantial network traffic for intrusion detection.

    Based on techniques:

    Anomaly detection (e.g. use of a normal profile)

    Misuse detection (e.g. use of attack signatures)

    Specification based (e.g. monitor invariants for violations)

    Policy based (e.g. monitor policy violations)

  • 6/22

    Requirements of an IDS on Manets

    1. Not introduce a new weakness: the anomaly detection system itself should not make the node weaker than it already is (e.g. listening in promiscuous mode).

    2. Need little system resources: in general, nodes on manets have stringent resource constraints (e.g. they may not be able to run complex detection algorithms).

    3. Have a proper response for detections: an IDS should not only detect but also respond to the detected intrusions, preferably without human intervention (e.g. modify the firewall to avoid attacking hosts etc.).

    4. Be reliable: fewer false positives, as there is no extensive crisis-control infrastructure to handle alarms.

    5. Interoperable with other IDS: be able to collaborate with other nodes for detection or response (e.g. use standards).

  • 7/22

    Problems of Current Techniques

    Lack of traffic convergence points: prohibits the use of NIDS, firewalls, policies etc.

    Lack of available data at hosts: ID algorithms have to work with partial and localized information in and around the radio range of hosts.

    Lack of communication among nodes: disconnected operations; location-dependent computing.

    Lack of standards: lack of protocol standards.

    |signatures| = |protocols| * |vulnerabilities| * |topologies|

    Lack of understanding of applications

  • 8/22

    Research Challenges [1]

    What is a good system architecture for building intrusion detection and response systems for manets?

    What are appropriate audit data sources?

    How do we detect anomalies based on partial, localized data if they are the only reliable data sources?

    What is a good model of activities in a manet that can separate anomaly under attack from normalcy?

    Can we improve routing and zero-conf protocols to support intrusion detection systems?

  • 9/22

    Proposed Solution

  • 10/22

    Anomaly Detection In General

    1. Pick a learning algorithm

    2. Pick some features

    3. Train the algorithm

    4. Test the algorithm

    5. Tune the algorithm, features

    6. Go to 3

    [Diagram: Data and Features feed a Learning Algorithm, which produces Results]

  • 11/22

    Anomaly Detection on Manets

    Arguments for Anomaly Detection on Manets

    One too many signatures to maintain for a misuse detection system.

    Keeping the signatures up to date is a bigger problem.

    Lack of centralized management and monitoring points makes policy-based systems difficult, and policies among communities may be incompatible.

    Specification-based systems may work, but no one has tried it, AFAIK.

    Arguments Against Anomaly Detection on Manets

    There may not be a clear separation between normalcy and anomaly (e.g. emission of false routing information).

    There may not be enough data for anomaly detection systems (e.g. disconnected operations, lack of communication in general).

    Processing and memory requirements for anomaly detection are relatively high, and nodes may not be able to cope with them.

    Hasn't proven itself useful in fixed networks (IMHO).

  • 12/22

    Proposed System Architecture

    [Diagram: local data collection (system calls, communication activities etc.) feeds a local detection engine, which drives a local response. The local detection engine also feeds a global detection engine, which exchanges data with neighboring IDS agents over secure communication and drives a global response.]
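
    The architecture above, as an added illustration that is not code from the slides or from any project they cite: each node runs an agent holding locally collected data, a local detection engine that thresholds that data, and a global detection engine that, when the local verdict is inconclusive, collects votes from neighbouring agents over HMAC-authenticated messages and decides on a response. The pre-shared community key, the thresholds, the use of (PCRD, PCHD) deviation scores as the locally collected data and all observation values are assumptions made for the example; a real deployment would need key management beyond a single shared key, since any key holder can still cast a dishonest vote.

```python
import hashlib
import hmac
import json

COMMUNITY_KEY = b"constructed-demo-key"  # assumption: pre-shared key of the IDS community


def seal(payload: dict, key: bytes = COMMUNITY_KEY) -> dict:
    """Secure communication: HMAC-SHA256 tag over the canonical JSON body."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_sealed(envelope: dict, key: bytes = COMMUNITY_KEY):
    """Return the payload if the tag verifies under `key`, else None (drop it)."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(envelope["body"])


class IDSAgent:
    def __init__(self, node_id, observed, key=COMMUNITY_KEY, high=0.7, low=0.3):
        self.node_id = node_id
        self.observed = observed    # local data collection: subject -> (PCRD, PCHD) seen by this node
        self.key = key
        self.high, self.low = high, low
        self.responses = []         # response actions this agent decided on

    def local_detect(self, subject: str) -> str:
        """Local detection engine: threshold the larger local deviation score."""
        pcrd, pchd = self.observed.get(subject, (0.0, 0.0))
        score = max(pcrd, pchd)
        if score >= self.high:
            return "abnormal"
        if score <= self.low:
            return "normal"
        return "uncertain"

    def vote(self, envelope: dict):
        """Answer a neighbour's vote request; requests that do not verify get no reply."""
        req = open_sealed(envelope, self.key)
        if req is None or req.get("type") != "vote_request":
            return None
        return seal({"type": "vote", "from": self.node_id, "subject": req["subject"],
                     "verdict": self.local_detect(req["subject"])}, self.key)

    def global_detect(self, subject: str, neighbours: list) -> str:
        """Global detection engine: local verdict if conclusive, else majority vote of
        authenticated neighbour replies (a tie resolves to normal: fewer false positives)."""
        verdict = self.local_detect(subject)
        scope = "local"
        if verdict == "uncertain":
            request = seal({"type": "vote_request", "from": self.node_id, "subject": subject}, self.key)
            tally = {"abnormal": 0, "normal": 0}
            for n in neighbours:
                reply = n.vote(request)
                v = open_sealed(reply, self.key) if reply else None   # forged replies are dropped here
                if v and v.get("subject") == subject and v.get("verdict") in tally:
                    tally[v["verdict"]] += 1
            verdict = "abnormal" if tally["abnormal"] > tally["normal"] else "normal"
            scope = "global"
        if verdict == "abnormal":
            # Response: record the action a deployment would take (e.g. stop routing via subject).
            self.responses.append((scope, "exclude %s from routing" % subject))
        return verdict


class RogueAgent(IDSAgent):
    """Neighbour that answers without verifying the request and signs with its own (wrong) key."""
    def vote(self, envelope: dict):
        subject = json.loads(envelope["body"])["subject"]
        return seal({"type": "vote", "from": self.node_id, "subject": subject,
                     "verdict": "normal"}, self.key)


def demo() -> tuple:
    """Constructed scenario: node A is unsure about X; honest neighbours B and C say abnormal,
    D says normal, and two rogue agents without the community key try to vote normal."""
    a = IDSAgent("A", {"X": (0.5, 0.4)})
    neighbours = [
        IDSAgent("B", {"X": (0.9, 0.2)}),
        IDSAgent("C", {"X": (0.8, 0.8)}),
        IDSAgent("D", {"X": (0.1, 0.1)}),
        RogueAgent("R1", {}, key=b"wrong-key"),
        RogueAgent("R2", {}, key=b"wrong-key"),
    ]
    return a.global_detect("X", neighbours), a.responses


if __name__ == "__main__":
    print(demo())
```

    Had the two forged votes been accepted, the tally would have been 2 abnormal against 3 normal and X would have been cleared; with the tags checked it is 2 against 1 and the global response is taken. The tie-breaking toward "normal" follows requirement 4 on slide 6 (fewer false positives when there is nobody to handle alarms).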

  • 13/22

    Anomaly Detection on Manets

    The Goal

    Find the most useful (features, algorithm) for anomaly detection on manets and, using feedback, alter routing algorithms to better support anomaly detection.

    Results in the best combination of (routing, features, model).

    The Process

    1. Choose a routing algorithm

    2. Choose some features

    3. Choose a modeling algorithm

    4. Train, test the detection model and refine features

    5. Feedback to alter the routing algorithm

  • 14/22

    Proposed Process

    PCR = Percentage of Changed Routes

    PCH = Percentage of Change of the sum of hops of all routes

    Training process: simulate a diversity of normal situations and gather trace data. A detection model trained on this data can work on any node.

    Computing the normal profile:

    Denote PCR the class; also denote distance, direction, velocity, and PCH the features. Use n classes to represent the PCR ranges.

    Apply a classification algorithm to learn a classifier for PCR.

    Repeat the process to learn a classifier for PCH.

  • 15/22

    Classification Algorithm

    Given a set of features describing a concept, classification algorithms output classification rules (a.k.a. a classifier). For example, when using PCR as the class, given the features the output would be:

    if (distance < 0.5 && velocity < 3) PCR = 2
    else if (velocity > 5 && PCH < 10) PCR = 6

    Confidence = |condition && conclusion| / |condition|

    The classification rule sets of PCR and PCH together form the normal profile of the manet.

  • 16/22

    Process of Anomaly Detection: Training & Testing

    1. Feed the trace data to the classification algorithm

    2. Compute confidence for all classification rules

    3. Compute PCR, PCH deviation scores PCRD, PCHD

    4. Assign classes {normal, abnormal} for (PCHD, PCRD)

    5. Use a classification/clustering algorithm on (PCHD, PCRD, Class) to compute a classifier

    6. Refine the models

    Deviation (PCRD, PCHD) is measured by the confidence value of the violated classification rule.

    The combination of classification algorithms (2, 5) is used on hosts for anomaly detection.

  • 17/22

    Process of Anomaly Detection

    Trace data (features and classes):

    Distance  Direction  Velocity  PCR  PCH
    0.01      S          0.1       20   15
    10        S          20        80   50
    0.02      N          0.1       0    0

    -> Classification Algorithm ->

    Classification Rules (condition, conclusion, confidence):

    if (distance > 0.5 && velocity < 3)        PCH = 2   0.0
    else if (velocity > 5 && direction = N)    PCR = 5   0.1
    else if (velocity > 5 && PCR = 20)         PCH = 9   0.34
    else if (distance > 3.4 && velocity > 9)   PCR = 4   0.87

    Deviation scores and assigned classes:

    PCRD  PCHD  Class
    0.0   0.0   Normal
    0.1   0.0   Normal
    0.2   0.2   Normal
    0.9   0.5   Abnormal
    0.3   0.1   Normal

    -> Classification/Clustering Algorithm ->

    Classification Rules (condition, conclusion):

    if (PCHD < 0.5 && PCHD > 0.2)            Normal
    else if (PCHD > 0.5 && PCHD < 0.8)       Abnormal
    else if (PCRD < 0.5 && PCRD > 0.0)       Normal
    else if (PCRD > 0.8)                     Abnormal

    Detection Model
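
    The two-stage process on slides 14 to 17, carried through end to end as an added example (this is not code from the slides or from the cited papers). It computes PCR and PCH from two routing-table snapshots, learns the confidence of a normal-profile rule set from constructed training traces, derives the deviation scores PCRD and PCHD as the confidence of the violated rule, and applies a second-stage detection model. The routing-table format, the 10%-wide PCR/PCH classes, the reading of PCH as an absolute relative change of the hop sum, the rule set, the thresholds and all trace values are assumptions made for the example; in the slides' process the rules and the second-stage model are output by learning algorithms, whereas here they are written by hand so the arithmetic is visible.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Routing table snapshot: destination -> (next_hop, hop_count). Constructed format.
RoutingTable = dict[str, tuple[str, int]]


def pcr_pch(prev: RoutingTable, curr: RoutingTable) -> tuple[float, float]:
    """PCR: percentage of destinations whose next hop changed between snapshots.
    PCH: percentage change of the sum of hop counts over all routes (taken here
    as an absolute relative change; the slides give only the name)."""
    dests = set(prev) | set(curr)
    changed = sum(1 for d in dests
                  if prev.get(d, (None, 0))[0] != curr.get(d, (None, 0))[0])
    pcr = 100.0 * changed / len(dests) if dests else 0.0
    prev_hops = sum(h for _, h in prev.values())
    curr_hops = sum(h for _, h in curr.values())
    pch = 100.0 * abs(curr_hops - prev_hops) / prev_hops if prev_hops else 0.0
    return pcr, pch


def bucket(pct: float, width: int = 10) -> int:
    """Map a percentage to one of n classes (10%-wide ranges, classes 0..9)."""
    return min(int(pct // width), 9)


@dataclass
class Rule:
    """One classification rule: if condition(features) then target falls in class `value`."""
    condition: Callable[[dict], bool]
    target: str            # "PCR" or "PCH"
    value: int             # predicted class of the target
    confidence: float = 0.0


def train_confidence(rules: list[Rule], traces: list[dict]) -> list[Rule]:
    """Confidence = |condition && conclusion| / |condition| over the training traces."""
    for r in rules:
        matched = [t for t in traces if r.condition(t)]
        hits = [t for t in matched if bucket(t[r.target]) == r.value]
        r.confidence = len(hits) / len(matched) if matched else 0.0
    return rules


def deviation(rules: list[Rule], obs: dict, target: str) -> float:
    """PCRD / PCHD: confidence of the violated rule for `target`; 0.0 when the first
    applicable rule (if / else-if order) holds or no rule applies."""
    for r in rules:
        if r.target == target and r.condition(obs):
            return 0.0 if bucket(obs[target]) == r.value else r.confidence
    return 0.0


def detect(pcrd: float, pchd: float, pcr_thr: float = 0.8, pch_thr: float = 0.5) -> str:
    """Second-stage detection model over (PCRD, PCHD); thresholds are constructed."""
    return "Abnormal" if pcrd > pcr_thr or pchd > pch_thr else "Normal"


# Constructed training traces from simulated normal runs: mobility features plus
# the routing features PCR/PCH observed at each step.
TRACES = [
    {"distance": 0.01, "direction": "S", "velocity": 0.1, "PCR": 5, "PCH": 3},
    {"distance": 0.02, "direction": "N", "velocity": 0.1, "PCR": 0, "PCH": 0},
    {"distance": 0.30, "direction": "S", "velocity": 2.0, "PCR": 15, "PCH": 8},
    {"distance": 10.0, "direction": "S", "velocity": 20.0, "PCR": 80, "PCH": 50},
    {"distance": 8.0, "direction": "N", "velocity": 12.0, "PCR": 85, "PCH": 55},
    {"distance": 6.0, "direction": "N", "velocity": 9.0, "PCR": 75, "PCH": 45},
]

# Constructed normal-profile rule set (in the slides' process, the classifier's output).
PROFILE = train_confidence([
    Rule(lambda f: f["distance"] < 0.5 and f["velocity"] < 3, "PCR", 0),
    Rule(lambda f: f["velocity"] > 5, "PCR", 8),
    Rule(lambda f: f["velocity"] < 3, "PCH", 0),
    Rule(lambda f: f["velocity"] > 5, "PCH", 5),
], TRACES)


def score(obs: dict, profile: list[Rule] = PROFILE) -> tuple[float, float, str]:
    """Per-node detection: deviation scores, then the detection model verdict."""
    pcrd, pchd = deviation(profile, obs, "PCR"), deviation(profile, obs, "PCH")
    return pcrd, pchd, detect(pcrd, pchd)


if __name__ == "__main__":
    # A nearly stationary node whose routes keep changing, versus a quiet one.
    print(score({"distance": 0.05, "direction": "N", "velocity": 0.2, "PCR": 60, "PCH": 40}))
    print(score({"distance": 0.10, "direction": "S", "velocity": 1.0, "PCR": 4, "PCH": 2}))
```

    The first observation violates the slow-mover rules for both PCR and PCH, so its deviation scores are the confidences of those rules (2/3 and 1.0) and the model flags it; the second satisfies them and scores (0.0, 0.0). This is also where the "no clear separation" objection from slide 11 shows up: a legitimately fast-moving node scores low only because the profile contains rules for high velocity, so the training traces must cover the mobility patterns the network will actually see.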

  • 18/22

    Multi-Layer Integrated IDS: an obvious next step

  • 19/22

    Conclusion

    Discussed a common process for anomaly detection on manets.

    Discussed an architecture for the system.

    Anyone interested in furthering this work:

    1. Find a realistic data set (DNE)

    2. Brainstorm for a proper feature set

    3. Pick a learning algorithm (lots of tools)

    4. And the 3Ts (train, test, tune)

    5. Just don't over-fit or over-tune

  • 20/22

    References

    1. Intrusion Detection in Wireless Ad-Hoc Networks, Zhang, Yongguang, Lee, Wenke, MobiCom 2000

    2. Security in Ad-Hoc Networks: A General Intrusion Detection Architecture Enhancing Trust Based Approaches, Albers, Patrick, Camp, Olivier et al., International Workshop on Wireless Information Systems 2002

    3. RFC2460, IETF Standards Document 1998

    4. RFC2051, IETF Draft Document 2000

    5. Zero Configuration Networking, Internet Draft 2002

  • 21/22

    Homework

    1. List at least 5 properties of manets that accentuate security vulnerabilities and explain how they impact security with examples.

    2. List a set of features and how they can be used for anomaly detection on manets based on the following protocols:

    1. DSDV

    2. DSR

    3. AODV

    Due 29th October?

  • 22/22

    FIN

    Questions, Comments, Concerns