Intrusion Detection Techniques for Mobile Wireless Networks Zhang, Lee, Yi-An Huang Presented by: Alex Singh and Nabil Taha


Page 1: Intrusion Detection Techniques for Mobile Wireless Networks

Intrusion Detection Techniques for Mobile Wireless Networks

Zhang, Lee, Yi-An Huang

Presented by: Alex Singh and Nabil Taha

Page 2: Intrusion Detection Techniques for Mobile Wireless Networks

Outline

1. Introduction

2. Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks

3. An Architecture for Intrusion Detection

4. Anomaly Detection in Mobile Ad-Hoc Networks

5. Experimental Results

6. Conclusion

Page 3: Intrusion Detection Techniques for Mobile Wireless Networks

Introduction

• Rapid proliferation of wireless networks changed the landscape of network security

• Traditional firewalls and encryption software no longer sufficient

• Need new mechanisms to protect wireless networks and mobile computing applications

Page 4: Intrusion Detection Techniques for Mobile Wireless Networks

Checklist

• Examine vulnerabilities of wireless networks

• Discuss intrusion detection in security architecture for mobile computing environment

• Evaluate such architecture through simulation experiments

Page 5: Intrusion Detection Techniques for Mobile Wireless Networks

Vulnerabilities of Wireless Networks

• Wireless links leave the network susceptible to
– Passive eavesdropping
– Active interfering

• Mobile nodes are capable of roaming independently

• Decision-making in wireless networks relies on cooperative algorithms

Page 6: Intrusion Detection Techniques for Mobile Wireless Networks

Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks

• Intrusion – Any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource

• Intrusion Prevention – Primary defense (e.g. passwords, biometrics)

• Intrusion Detection Systems (IDSs) – Second wall of defense

Page 7: Intrusion Detection Techniques for Mobile Wireless Networks

Categories of IDSs

• Network-based IDS – Runs at the gateway of a network and examines network packets that go through the network hardware interface

• Host-based IDS – Relies on operating system audit data to monitor and analyze the events generated by programs or users on the host

Page 8: Intrusion Detection Techniques for Mobile Wireless Networks

Intrusion Detection Techniques

• Misuse Detection – uses patterns of well-known attacks or weak spots to identify known intrusions.
– ex: password guessing; lock the account after 4 failed attempts.
– Lacks the ability to detect newly invented attacks

• Anomaly Detection – flags activities that differ significantly from the established normal usage.
– ex: frequency of program usage much lower or much higher than normal usage
– Does not need prior knowledge of attacks
– High false positive rate

Page 9: Intrusion Detection Techniques for Mobile Wireless Networks

Problems with current IDSs

• Fixed-infrastructure IDS techniques cannot be directly applied to mobile ad-hoc networks
– They rely on real-time traffic analysis
– In mobile ad-hoc networks detection must be done at the system itself, not at a gateway, switch or router

• Mobile users tend to adopt new operation modes such as disconnected operation

Page 10: Intrusion Detection Techniques for Mobile Wireless Networks

Questions for a Viable IDS

• What is a good system architecture for building intrusion detection and response systems?

• What are the appropriate audit data sources, and how do we detect anomalies based on partial, local audit traces?

• What is a good model of activities in a mobile computing environment that can separate an anomaly from normalcy?

Page 11: Intrusion Detection Techniques for Mobile Wireless Networks

An Architecture for Intrusion Detection

Page 12: Intrusion Detection Techniques for Mobile Wireless Networks

IDS agent

Page 13: Intrusion Detection Techniques for Mobile Wireless Networks

Data Collection

• Gathers streams of real-time audit data from various sources

• Includes:
– System activities
– User activities
– Communication activities by this node
– Communication activities by other nodes within this node's radio range

• This supports multi-layered intrusion detection method

Page 14: Intrusion Detection Techniques for Mobile Wireless Networks

Local Detection

• The local detection engine analyzes the local data traces gathered by the local data collection module for evidence of anomalies.

• Includes both misuse detection and anomaly detection

Page 15: Intrusion Detection Techniques for Mobile Wireless Networks

Cooperative Detection

• Any node can initiate a response if it has strong enough evidence about intrusion

• If the node only has weak or inconclusive evidence, it can warrant a broader investigation

• Possible to detect intrusion even when evidence at individual nodes is weak

Page 16: Intrusion Detection Techniques for Mobile Wireless Networks

Intrusion Response

• The type of intrusion response depends on:
– Type of intrusion
– Type of network protocols
– Type of applications
– Confidence (or certainty) in the evidence

• Typical Responses:
– Re-initiate communication channels between nodes
– Identify the compromised node and exclude it

Page 17: Intrusion Detection Techniques for Mobile Wireless Networks

Multi-Layer Integrated Intrusion Detection and Response

• With wireless networks there are vulnerabilities in multiple layers, so an intrusion detection module needs to be placed at each layer on each node

• Need to coordinate intrusion detection and response efforts between layers

• Enables us to analyze the attack scenario in its entirety

Page 18: Intrusion Detection Techniques for Mobile Wireless Networks

Anomaly Detection in Mobile Ad-Hoc Networks

• Anomaly detection works on the premise that there is intrinsic and observable characteristic of normal behavior that is distinct from that of abnormal behavior

• We can use a classifier, trained using normal data, to predict what is normally the next event given the previous n events

Page 19: Intrusion Detection Techniques for Mobile Wireless Networks

Procedure for Anomaly Detection

1. Select audit data

2. Perform appropriate data transformation

3. Compute classifier using training data

4. Apply classifier to test data

5. Post-process alarms to produce intrusion reports

Page 20: Intrusion Detection Techniques for Mobile Wireless Networks

Attack on Routing Protocols

• Route Logic Compromise – Manipulating routing information
– Misrouting: forwarding a packet to an incorrect node
– False Message Propagation: distributing a false route update

• Traffic Pattern Distortion – Changes default/normal traffic behavior
– Packet dropping
– Packet generation with faked source address
– Corruption of packet contents
– Denial-of-service

Page 21: Intrusion Detection Techniques for Mobile Wireless Networks

Audit Data

• Local Routing Information, including cache entries and traffic statistics

• Position locator or GPS, which is assumed to not be compromised

• Only local information is used since remote nodes can be compromised

Page 22: Intrusion Detection Techniques for Mobile Wireless Networks

Feature Selection

• Since we use classifiers as detectors we need to select/construct features from the available audit data

• A large feature set is first constructed to cover a wide range of behaviors

• Several training runs are conducted and features that occur more than a minimum threshold are selected into the Essential Feature Set

Page 23: Intrusion Detection Techniques for Mobile Wireless Networks

Classifier

• Two classifiers were used in the study

• RIPPER – A rule induction program; searches the given feature space and computes rules that separate data into the appropriate classes

• SVM light – Support Vector Machine classifier; pre-processes the data to represent patterns in a much higher dimension than the given feature space

Page 24: Intrusion Detection Techniques for Mobile Wireless Networks

Post-processing

• Choose a parameter l and let the window size be 2l+1

• For a region in the current window, if there are more abnormal than normal predictions then the entire region is marked abnormal

• Shift the window and repeat

• Count all continuous abnormal regions as one intrusion session
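The post-processing step above, as an added example (not code from the paper or the presenters): a window of 2l+1 per-event classifier predictions is slid one event at a time (the slide does not say how far the window shifts, so a one-event shift is an assumption), a majority-abnormal window marks its whole region abnormal, and each maximal run of abnormal events is then collapsed into one intrusion session. The prediction sequence is constructed sample data.

```python
from typing import List, Tuple

# Constructed sample: per-event classifier output, 1 = abnormal, 0 = normal.
# The isolated positives at index 1 and 13 are the kind of noise the
# window vote is meant to suppress (they lower the false positive rate).
PREDICTIONS = [0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0]


def smooth_predictions(preds: List[int], l: int) -> List[int]:
    """Slide a window of size 2l+1 over the predictions; whenever abnormal
    predictions outnumber normal ones inside the window, mark the whole
    window abnormal.  Sliding by one event per step is an assumption."""
    width = 2 * l + 1
    marked = [0] * len(preds)
    for start in range(0, len(preds) - width + 1):
        window = preds[start:start + width]
        abnormal = sum(window)
        if abnormal > width - abnormal:        # strict majority abnormal
            for i in range(start, start + width):
                marked[i] = 1
    return marked


def intrusion_sessions(marked: List[int]) -> List[Tuple[int, int]]:
    """Collapse each maximal run of abnormal events into one (start, end) session."""
    sessions: List[Tuple[int, int]] = []
    start = None
    for i, flag in enumerate(marked):
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            sessions.append((start, i - 1))
            start = None
    if start is not None:
        sessions.append((start, len(marked) - 1))
    return sessions


def post_process(preds: List[int], l: int) -> List[Tuple[int, int]]:
    """Full post-processing: window vote, then session counting."""
    return intrusion_sessions(smooth_predictions(preds, l))


if __name__ == "__main__":
    print(smooth_predictions(PREDICTIONS, 1))
    print(post_process(PREDICTIONS, 1))   # two sessions; the lone alarms are gone
```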

Page 25: Intrusion Detection Techniques for Mobile Wireless Networks

Detecting Abnormal Updates to Routing Tables

• Routing table contains at a minimum the next hop to each destination node and the distance

• Physical movement is measured by distance and velocity

• The routing table change is measured by the percentage of changed routes – PCR

• And the percentage of changes of all hops of all the routes – PCH

Page 26: Intrusion Detection Techniques for Mobile Wireless Networks

Computing Normal Profile

• Denote PCR the class (i.e. concept), and distance, velocity, and PCH, etc. the features describing the concept;

• Use n classes to represent the PCR values in n ranges; e.g., we can use 10 classes each representing 10 percentage points - that is, the trace data belongs to n classes

• Apply a classification algorithm to the data to learn a classifier for PCR

• Repeat the above for PCH, that is, learn a classifier for PCH
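The routing-table features from the previous two slides, as an added example (not code from the paper or the presenters): PCR and PCH are computed between two routing-table snapshots, PCR is discretised into 10 classes of 10 percentage points, and one training record is assembled with the PCR class as the concept and distance, velocity and PCH as features. The exact definitions of PCR (a route counts as changed when it appears, disappears or changes next hop) and PCH (relative change in the summed hop count) are assumptions, and both snapshots are constructed sample data.

```python
from typing import Dict, Tuple

# Routing table: destination -> (next hop, distance in hops).
# Both snapshots are constructed sample data, not traces from the paper.
RoutingTable = Dict[str, Tuple[str, int]]

TABLE_T0: RoutingTable = {"A": ("B", 1), "C": ("B", 2), "D": ("E", 3), "F": ("E", 2)}
TABLE_T1: RoutingTable = {"A": ("B", 1), "C": ("D", 4), "D": ("E", 3), "G": ("E", 1)}


def pcr(before: RoutingTable, after: RoutingTable) -> float:
    """Percentage of changed routes (assumed definition): a route is changed
    if it appeared, disappeared, or now has a different next hop."""
    destinations = set(before) | set(after)
    changed = sum(
        1 for d in destinations
        if d not in before or d not in after or before[d][0] != after[d][0]
    )
    return 100.0 * changed / len(destinations) if destinations else 0.0


def pch(before: RoutingTable, after: RoutingTable) -> float:
    """Percentage change in the summed hop count of all routes (assumed definition)."""
    hops_before = sum(dist for _, dist in before.values())
    hops_after = sum(dist for _, dist in after.values())
    if hops_before == 0:
        return 0.0
    return 100.0 * abs(hops_after - hops_before) / hops_before


def pcr_class(value: float, n_classes: int = 10) -> int:
    """Discretise a PCR percentage into n equal-width classes; with n=10 each
    class spans 10 percentage points and 100% falls into the last class."""
    return min(int(value * n_classes // 100), n_classes - 1)


def feature_record(before: RoutingTable, after: RoutingTable,
                   distance_moved: float, velocity: float) -> dict:
    """One training record: the PCR class is the concept, the rest are features."""
    return {
        "class": pcr_class(pcr(before, after)),
        "distance": distance_moved,
        "velocity": velocity,
        "pch": pch(before, after),
    }


if __name__ == "__main__":
    # 3 of 5 destinations changed (C re-routed, F gone, G new) -> PCR 60%, class 6
    print(feature_record(TABLE_T0, TABLE_T1, distance_moved=12.0, velocity=2.5))
```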

Page 27: Intrusion Detection Techniques for Mobile Wireless Networks

Finding Anomalies

• If abnormal data is not available, compute clusters of the deviation scores, where each score pair is a point (PCR, PCH); the outliers can then be considered anomalies

Page 28: Intrusion Detection Techniques for Mobile Wireless Networks

Detecting Abnormal Activities in Other Layers

• Anomaly detection in other layers (MAC protocols, application, services, etc.) uses a similar approach

• MAC protocols – form clusters using the deviations of the total number of channel requests and the total number of nodes making the requests during a time period s

Page 29: Intrusion Detection Techniques for Mobile Wireless Networks

Experimental Results

Page 30: Intrusion Detection Techniques for Mobile Wireless Networks

Page 31: Intrusion Detection Techniques for Mobile Wireless Networks

Discussion

• Anomaly detection works much better on a routing protocol in which a degree of redundancy exists within the infrastructure

• DSR embeds a whole source route in each packet dispatched
– This makes it harder to hide an intrusion by faking a bit of routing information

Page 32: Intrusion Detection Techniques for Mobile Wireless Networks

Conclusions

• Mobile Wireless networks require different techniques to detect intrusions

• Anomaly detection is a critical component of intrusion detection and response

• Trace analysis and anomaly detection should be done locally and possibly through cooperation with all nodes in the network

• Paper focused on ad-hoc routing protocols since they are the foundation of a mobile ad-hoc network

Page 33: Intrusion Detection Techniques for Mobile Wireless Networks

Conclusions – Routing Protocols

• Use anomaly detection models constructed using information available from the routing protocols

• Apply RIPPER and SVM Light to compute classifiers

• Showed that these detectors in general have good detection performance with SVM Light having better performance

Page 34: Intrusion Detection Techniques for Mobile Wireless Networks

Conclusions – Findings

• They noted some disparity in security performance among different types of routing protocols

• They claimed that protocols with strong correlation among changes of different types of information (location, track and routing message) tend to have better detection performance

• And on-demand protocols usually work better than table-driven protocols