Intrusion Detection Techniques for Mobile Wireless Networks

1
Intrusion Detection Techniques for Mobile
Wireless Networks

• Authors
• Yongguang Zhang, HRL Laboratories LLC, Malibu,
  California.
• Wenke Lee, College of Computing, Georgia
  Institute of Technology.
• Yi-An Huang, College of Computing, Georgia
  Institute of Technology.
• Presenter
• Narendra Pentakota

2
Outline

• Problem Inadequacies of security systems for
  providing security for wireless and mobile
  devices.
• Motivation The mobility of wireless devices
  demand more resilient, stronger and effective
  security schemes.
• Solution Design of IDS system for detecting
  intrusions into wireless networks and keep the
  wireless communications out of harms way.

3
Definitions

• Intrusion Unauthorized or unwanted access to
  restricted space.

• Intrusion detection One or more security
  measures or devices used to detect and may be
  even prevent intrusion.

4
Types of IDS

• Intrusion Detection involves
• Capturing audit data.
• Reasoning the evidence in the data to determine
  whether the system is under attack.
• Types of IDS
• Network based IDS data and packet flow
  inspection on the network edge.
• Host based IDS Collect operating system audit
  data like event and system calls.

5
Intrusion Detection Techniques

• Misuse based detection
• Use patterns of well-known attacks or weak spots.
• Accurate and efficient against known attacks.
• Lacks the ability to detect a new attacks.
• Anomaly based detection
• Detect anomalies or abnormalities in the network
  or service usage.
• Does not required prior knowledge of Intrusion.
• May have high false positive rate.

6
Vulnerabilities of Mobile Wireless Networks.

• The very advantage of its mobility leads to its
  disadvantage.
• Possible attacks ranging from passive
  eavesdropping to active interference.
• Communication infrastructure and communication
  topology different from wired communications.
• Damages include loss of privacy, confidentiality,
  security etc...

7
Vulnerabilities of Mobile Wireless Networks
(cont..).

• Autonomous nature, roaming independence.
• Unprotected physical medium.
• Node tracking is difficult.
• Decentralized network infrastructure and decision
  making. Mostly rely on cooperative participation.
• Susceptible to attacks designed to break the
  cooperative algorithms.

8
Vulnerabilities of Mobile Wireless Networks
(cont..).

• Bandwidth and power constraints make conventional
  security measures inept to attacks that exploit
  applications relying on them.
• Wireless networks involving base node
  communications (ex. access points) are vulnerable
  to DoS attacks like dis-association and
  de-authentication attacks.
• No clear line of defense.

9
Problems with current IDS techniques

• Current IDS techniques hugely rely on mounting
  defense measures on a common access or routing
  points like switches or routers.

10
Problems with current IDS techniques (cont..)

• Wireless nodes in an ad-hoc network do not rely
  on any common access point. Thus current IDS
  techniques are not good enough.

11
Key design issues.

• Build Intrusion detection and response system
  that fits the features of mobile ad-hoc networks.
  Should be both distributed and cooperative.
• Choose appropriate data audit sources. Local
  audit data versus global audit data.
• Separate normalcy from anomaly.

12
Architecture for Intrusion Detection.

• Intrusion detection and response should be both
  distributed and cooperative to suite the needs of
  mobile adhoc networks.
• Every node participates in intrusion detection
  and response.
• Each node is responsible for detection and
  reporting of intrusions independently. All nodes
  can investigate into an intrusion event.

13
System View.

• Individual IDS agents placed on the nodes
  collectively form the IDS system to defend the
  mobile ad-hoc network.

14
System view (cont..)

• Data collection module is responsible for
  gathering local audit traces and activity logs.
• Detection engine uses this data to detect local
  anomaly.
• Cooperative detection engines provide
  collaborations among IDS agents.
• Both local and global response modules provide
  intrusion response actions.
• Local response module triggers actions local to
  the node while the global one coordinates actions
  among neighboring nodes.
• A secure communication module provides a high
  confidence communication channel among IDS agents.

15
IDS in Action

• The following event are part of the design
  process of Intrusion detection and response of
  IDS agents.
• Data collection
• Local detection
• Cooperative detection
• Intrusion response
• Multi-Layer integrated intrusion detection and
  response

16
IDS architecture
17
IDS architecture (cont..)

• The intrusion detection state information can
  range from a mere level-of-confidence value such
  as
• with p confidence, node A concludes from its
  local data that there is an intrusion
• with p confidence, node A concludes from its
  local data and neighbor states that there is an
  intrusion
• with p confidence, node A,B,C, collectively
  conclude that there is an intrusion
• to a more specific state that list the
  suspects, like
• with p confidence, node A concludes from its
  local data that node X has been compromised

18
A Distributed Intrusion Detection (cont..)

• Intrusion response depends on the type of
  intrusion and varies with the type of network
  protocols and applications, and the confidence in
  the evidence. For ex.
• Re-initialize communication channels between
  nodes (ex. force re-key).
• Identifying the compromised nodes and
  re-organizing the network to preclude the
  compromised nodes.

19
Multi-Layered Integrated IDS

• Intrusion detection and response modules are
  integrated into every layer of the node. For ex.
• An anomaly detected at the routing layer is
  reported to the application layer and a
  re-authentication process is initiated.
• An attack detected at the application layer is
  reported to the service and routing layers and
  also notify the incident to other nodes.

20
Definitions

• Information-Theoretic Branch of applied
  mathematics and engineering involving the
  quantification of information. Developed to find
  the fundamental limits on compressing and
  reliably communicating data.
• Entropy Uncertainty involved in a variable. For
  ex. a fair coin flip will have less entropy than
  a roll of a die.
• Classifier A mapping from a discrete feature
  space to a discrete set of labels.

21
Anomaly Detection in Mobile Ad-Hoc Networks.

• Building an Anomaly Detection Model.
• Differentiate normal from abnormal.
• Use information-theoretic approaches to identify
  classifiers (with low entropy) and classification
  algorithms to build anomaly detection models.
• When constructing such a classifier, feature with
  high information gain (or reduction in entropy)
  are needed.

22
Anomaly Detection in Mobile Ad-Hoc Networks
(cont..).

• Building an anomaly detection module (cont..).
• Select (or partition) audit data so that the
  normal dataset has low entropy.
• Perform appropriate data transformation according
  to the entropy measures (for information gain).
• Compute classifier using training data.
• Apply the classifier to test data.
• Post-process alarms to produce intrusion reports.

23
Anomaly Detection in Mobile Ad-Hoc Networks
(cont..).

• Attack models
• Route logic compromise.
• Traffic pattern distortion
• Audit data
• Feature selection and essential feature set.
• Classifier algorithms
• RIPPER First-order Inductive rule learner.
• SVM Known to reduce classification error.
• Post-processing

24
Anomaly Detection in Mobile Ad-Hoc Networks
(cont..).

• Detecting abnormal updates to routing tables.
• Given set of training, testing and evaluation
  scenarios and modeling algorithms like RIPPER and
  SVM which routing protocol with potentially all
  its routing table information used, can result in
  better performing detection models, i.e.. what
  information should be included in the routing
  table to make intrusion detection effective?

25
Anomaly Detection in Mobile Ad-Hoc Networks
(cont..).

• Detecting abnormal activities in other layers.

26
Routing Protocols

• DSR Dynamic source routing protocol. Demand
  based source routing protocol.
• AODV Ad-hoc On-demand Distance Vector. Demand
  based routing protocol capable of both unicast
  and multicast routing.
• DSDV Destination-Sequenced Distance-Vector
  Routing. Table driven routing protocol. Routing
  based on sequence numbers.

27
Experimental Results

• Wireless routing protocols were considered to
  implement anomaly detection process.
• Dynamic source routing.
• Ad-hoc on-demand distance-vector routing.
• Destination-sequenced distance-vector routing.
• These protocols were selected because they
  represent different types of ad-hoc wireless
  routing protocols, proactive and on-demand.

28
Experimental Results (cont..)

• The feature set selected should reflect
  information from different sets like routing
  change, topological movements
• Classification algorithms used
• Induction based classifier, RIPPER.
• A new SVM classifier, SVM_Light.
• Five different test scripts are used to generate
  traces for simulation. Different test scenarios
  include
• Local features on Ad-hoc Protocols.
• Detection performance in terms of detection rate
  and false alarm rates on DSR, AODV and DSDV.

29
Experimental Results (cont..)

• It is observed that DSR tested with SVM_Light
  outperforms the other two a lot.
• DSR and AODV are both on-demand protocols with
  path and pattern redundancy which help achieve a
  better detection performance.
• High correlation among changes of traffic flow,
  routing activities and topological patterns are
  preferred.

30
Conclusion

• Architecture for better intrusion detection in
  mobile computing environment should be both
  distributed and cooperative.
• The paper also proves to a point that on-demand
  protocols work better than table driven protocols
  because the behavior of on-demand protocols
  reflects the correlation between traffic pattern
  and routing message flows.

31

• Any Questions?
• Any suggestions?