Intrusion Detection Techniques for Mobile Wireless Networks - PowerPoint PPT Presentation

1
Intrusion Detection Techniques for Mobile
Wireless Networks
  • Yongguang Zhang, Wenke Lee, Yi-An Huang
  • Presented by
  • Alex Singh and Nabil Taha

2
Outline
  1. Introduction
  2. Intrusion Detection and the Challenges of Mobile
    Ad-Hoc Networks
  3. An Architecture for Intrusion Detection
  4. Anomaly Detection in Mobile Ad-Hoc Networks
  5. Experimental Results
  6. Conclusion

3
Introduction
  • The rapid proliferation of wireless networks has
    changed the landscape of network security
  • Traditional firewalls and encryption software are no
    longer sufficient
  • New mechanisms are needed to protect wireless networks
    and mobile computing applications

4
Checklist
  • Examine vulnerabilities of wireless networks
  • Discuss intrusion detection in security
    architecture for mobile computing environment
  • Evaluate such architecture through simulation
    experiments

5
Vulnerabilities of Wireless Networks
  • Wireless links leave the network susceptible to
  • Passive eavesdropping
  • Active interference
  • Mobile nodes are capable of roaming independently
  • Decision-making in wireless networks relies on
    cooperative algorithms

6
Intrusion Detection and the Challenges of Mobile
Ad-Hoc Networks
  • Intrusion: any set of actions that attempt to
    compromise the integrity, confidentiality, or
    availability of a resource
  • Intrusion prevention: the primary defense (e.g.
    passwords, biometrics)
  • Intrusion Detection Systems (IDSs): the second wall
    of defense

7
Categories of IDSs
  • Network-based IDS: runs at the gateway of a
    network and examines network packets that go
    through the network hardware interface
  • Host-based IDS: relies on operating system audit
    data to monitor and analyze the events generated
    by programs or users on the host

8
Intrusion Detection Techniques
  • Misuse detection uses patterns of well-known
    attacks or weak spots to identify known
    intrusions.
  • e.g. password guessing: lock the account after 4
    failed attempts.
  • Lacks the ability to detect newly invented attacks
  • Anomaly detection flags activities that differ
    significantly from the established normal usage.
  • e.g. frequency of program usage much lower or much
    higher than normal usage
  • Does not need prior knowledge of attacks
  • High false positive rate

9
Problems with current IDSs
  • Fixed-infrastructure IDS techniques cannot be
    directly applied to mobile ad-hoc networks
  • They rely on real-time traffic analysis at a
    gateway, switch or router; a mobile ad-hoc network
    has no such choke point, so the analysis must be
    done at each node
  • Mobile users tend to adopt new operating modes
    such as disconnected operation

10
Questions for a Viable IDS
  • What is a good system architecture for building
    intrusion detection and response systems?
  • What are the appropriate audit data sources, and
    how do we detect anomalies based on partial, local
    audit traces?
  • What is a good model of activities in a mobile
    computing environment that can separate an
    anomaly from normalcy?

11
An Architecture for Intrusion Detection
12
IDS agent
13
Data Collection
  • Gathers streams of real-time audit data from
    various sources
  • Includes
  • System activities
  • User activities
  • Communication activities by this node
  • Communication activities by other nodes within
    this node's radio range
  • This supports a multi-layered intrusion detection
    method

14
Local Detection
  • The local detection engine analyzes the local
    data traces gathered by the local data collection
    module for evidence of anomalies.
  • Can include both misuse detection and anomaly
    detection

15
Cooperative Detection
  • Any node can initiate a response if it has strong
    enough evidence of an intrusion
  • If the node only has weak or inconclusive
    evidence, it can initiate a broader, cooperative
    investigation with neighbouring nodes
  • This makes it possible to detect an intrusion even
    when the evidence at any individual node is weak

16
Intrusion Response
  • The type of intrusion response depends on
  • Type of intrusion
  • Type of network protocols
  • Type of applications
  • Confidence (or certainty) in the evidence
  • Typical Responses
  • Re-initiate communication channels between nodes
  • Identify compromised node and exclude it

17
Multi-Layer Integrated Intrusion Detection and
Response
  • In wireless networks there are vulnerabilities
    at multiple layers, so an intrusion detection
    module needs to be placed at each layer on each node
  • Intrusion detection and response efforts need to be
    coordinated between layers
  • This enables us to analyze an attack scenario in its
    entirety

18
Anomaly Detection in Mobile Ad-Hoc Networks
  • Anomaly detection works on the premise that there
    are intrinsic and observable characteristics of
    normal behavior that are distinct from those of
    abnormal behavior
  • A classifier trained on normal data can be used to
    predict what the next event normally is, given the
    previous n events

19
Procedure for Anomaly Detection
  1. Select audit data
  2. Perform appropriate data transformation
  3. Compute classifier using training data
  4. Apply classifier to test data
  5. Post-process alarms to produce intrusion reports

20
Attack on Routing Protocols
  • Route logic compromise: manipulating routing
    information
  • Misrouting: forwarding a packet to an incorrect
    node
  • False message propagation: distributing a false
    route update
  • Traffic pattern distortion: changes to the
    default/normal traffic behavior
  • Packet dropping
  • Packet generation with a faked source address
  • Corruption of packet contents
  • Denial-of-service

21
Audit Data
  • Local Routing Information, including cache
    entries and traffic statistics
  • Position locator or GPS, which is assumed not to
    be compromised
  • Only local information is used since remote nodes
    can be compromised

22
Feature Selection
  • Since we use classifiers as detectors we need to
    select/construct features from the available
    audit data
  • A large feature set is first constructed to cover
    a wide range of behaviors
  • Several training runs are conducted, and features
    that occur in the learned rules more often than a
    minimum threshold are selected into the Essential
    Feature Set

23
Classifier
  • Two classifiers were used in the study
  • RIPPER: a rule induction program that searches the
    given feature space and computes rules that
    separate the data into the appropriate classes
  • SVM Light: a Support Vector Machine classifier that
    pre-processes the data to represent patterns in a
    much higher dimension than the given feature
    space

24
Post-processing
  • Choose a parameter l and let the window size be
    2l+1
  • For a region in the current window, if there are
    more abnormal than normal predictions then the
    entire region is marked abnormal
  • Shift the window and repeat
  • Count each run of continuous abnormal regions as one
    intrusion session
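
The post-processing step above, as an added Python example (not code from the paper or the slides). It assumes a stream of per-record predictions with 0 = normal and 1 = abnormal, centres the window of size 2l+1 on each record (truncated at the ends of the trace), treats a tie as normal, and runs over a constructed sample trace:

```python
# Added example: sliding-window post-processing of classifier predictions.
# Assumptions (not from the paper): predictions are 0 = normal / 1 = abnormal,
# the 2l+1 window is centred on each record and truncated at the trace ends,
# and a tie between abnormal and normal counts is treated as normal.


def majority_filter(preds, l):
    """Return a copy of preds in which each record is marked abnormal (1)
    when abnormal predictions outnumber normal ones in the window of
    size 2l+1 centred on it."""
    if l < 0:
        raise ValueError("l must be >= 0")
    n = len(preds)
    smoothed = []
    for i in range(n):
        window = preds[max(0, i - l):min(n, i + l + 1)]
        abnormal = sum(1 for p in window if p)
        normal = len(window) - abnormal
        smoothed.append(1 if abnormal > normal else 0)
    return smoothed


def abnormal_regions(smoothed):
    """Group runs of consecutive abnormal records into inclusive
    (start, end) index pairs; each run is one intrusion session."""
    sessions = []
    start = None
    for i, flag in enumerate(smoothed):
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            sessions.append((start, i - 1))
            start = None
    if start is not None:
        sessions.append((start, len(smoothed) - 1))
    return sessions


def postprocess(preds, l):
    """Full post-processing: smooth the predictions, then report one
    intrusion session per continuous abnormal region."""
    return abnormal_regions(majority_filter(preds, l))


# Constructed sample trace: two isolated alarms (indices 2 and 9) and one
# burst around indices 3..5 that has a single normal prediction inside it.
SAMPLE_PREDICTIONS = [0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0]

if __name__ == "__main__":
    print(majority_filter(SAMPLE_PREDICTIONS, 1))
    print(postprocess(SAMPLE_PREDICTIONS, 1))
```

With l = 1 the isolated alarms at indices 2 and 9 are suppressed and the gap inside the burst at 3..5 is filled, so the trace yields a single session (3, 5); with l = 0 no smoothing happens and the same trace yields three sessions, which is the false-positive inflation the windowing is meant to remove.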

25
Detecting Abnormal Updates to Routing Tables
  • A routing table contains at a minimum the next hop
    to each destination node and the distance
  • Physical movement is measured by distance and
    velocity
  • Routing table change is measured by the
    percentage of changed routes (PCR)
  • and by the percentage of changes of all hops of all
    the routes (PCH)

26
Computing Normal Profile
  • Take PCR as the class (i.e. concept), and
    distance, velocity, PCH, etc. as the features
    describing the concept
  • Use n classes to represent the PCR values in n
    ranges; e.g. we can use 10 classes, each
    representing 10 percentage points, so that each
    trace record belongs to one of n classes
  • Apply a classification algorithm to the data to
    learn a classifier for PCR
  • Repeat the above for PCH, that is, learn a
    classifier for PCH
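
Feature construction and class labelling for slides 25 and 26, as an added Python example (not the paper's code; the classifier step itself, RIPPER or SVM Light, is not reproduced). It assumes a routing table is a dict of destination to (next hop, hop count), that a route counts as changed if it is added, removed, or its next hop or hop count differs, that PCH is the change in the total hop count of all routes as a percentage of the previous total, and that positions are (x, y) readings in metres from the uncompromised locator; the snapshots are constructed sample data:

```python
import math

# Added example: turning routing-table snapshots into (features, class)
# training records. Assumptions (not from the paper): a routing table is
# {destination: (next_hop, hop_count)}; a route is "changed" if it was added,
# removed, or its next hop or hop count differs; PCH is the change in the sum
# of hops of all routes as a percentage of the previous sum; positions are
# (x, y) in metres from a locator that is assumed not to be compromised.


def pcr(old_table, new_table):
    """Percentage of changed routes over the union of destinations."""
    dests = set(old_table) | set(new_table)
    if not dests:
        return 0.0
    changed = sum(1 for d in dests if old_table.get(d) != new_table.get(d))
    return 100.0 * changed / len(dests)


def pch(old_table, new_table):
    """Percentage change in the sum of hops of all routes."""
    old_hops = sum(h for _, h in old_table.values())
    new_hops = sum(h for _, h in new_table.values())
    if old_hops == 0:
        return 0.0 if new_hops == 0 else 100.0
    return 100.0 * abs(new_hops - old_hops) / old_hops


def movement(old_pos, new_pos, dt):
    """Distance moved and velocity between two locator readings."""
    dist = math.hypot(new_pos[0] - old_pos[0], new_pos[1] - old_pos[1])
    return dist, (dist / dt if dt > 0 else 0.0)


def percent_class(value, n_classes=10):
    """Bucket a percentage into n classes (10 points each for n = 10);
    exactly 100% falls into the last class."""
    return min(int(value * n_classes // 100), n_classes - 1)


def build_records(snapshots, target="PCR", n_classes=10):
    """Turn consecutive (time, position, table) snapshots into training
    records. With target="PCR" the label is the PCR class and the features
    are (distance, velocity, PCH); with target="PCH" the roles are swapped,
    which is the "repeat the above for PCH" step."""
    records = []
    for (t0, p0, tab0), (t1, p1, tab1) in zip(snapshots, snapshots[1:]):
        dist, vel = movement(p0, p1, t1 - t0)
        p_cr, p_ch = pcr(tab0, tab1), pch(tab0, tab1)
        if target == "PCR":
            feats, label_val = (dist, vel, p_ch), p_cr
        else:
            feats, label_val = (dist, vel, p_cr), p_ch
        records.append({"features": feats,
                        "label": percent_class(label_val, n_classes)})
    return records


# Constructed sample trace: three snapshots of one node's routing table.
SAMPLE_SNAPSHOTS = [
    (0, (0.0, 0.0),
     {"A": ("A", 1), "B": ("A", 2), "C": ("C", 1), "D": ("C", 2)}),
    (10, (30.0, 40.0),   # node moved 50 m; route to B re-pointed via C
     {"A": ("A", 1), "B": ("C", 3), "C": ("C", 1), "D": ("C", 2)}),
    (20, (30.0, 40.0),   # node stationary; new destination E appeared
     {"A": ("A", 1), "B": ("C", 3), "C": ("C", 1), "D": ("C", 2),
      "E": ("C", 3)}),
]

if __name__ == "__main__":
    for rec in build_records(SAMPLE_SNAPSHOTS):
        print(rec)
```

The first record pairs a 50 m move at 5 m/s with one changed route out of four (PCR 25%, class 2) and a 1/6 rise in total hops; the second pairs no movement with one new route out of five (PCR 20%, class 2) and a 3/7 rise in total hops (PCH class 4 when PCH is the target). These are the kinds of (movement, routing change) correlations the normal profile is meant to capture.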

27
Finding Anomalies
  • If abnormal data is not available, compute
    clusters of the deviation scores, where each score
    pair is a point (PCR, PCH); the outliers can then
    be considered anomalies

28
Detecting Abnormal Activities in Other Layers
  • Anomaly detection in other layers (MAC protocols,
    applications, services, etc.) uses a similar
    approach
  • MAC protocols: form clusters using the deviations
    of the total number of channel requests and the
    total number of nodes making requests during a
    time period s
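
Outlier-based anomaly finding for slides 27 and 28, as an added Python example (not the paper's code). It assumes that the deviation score of a record is the absolute difference between the class predicted by the normal profile and the class actually observed, that clustering is done with a simple density rule (a point with fewer than min_pts other points within distance eps of it is an outlier), and that the same routine serves both the routing-layer (PCR, PCH) pairs and the MAC-layer (channel requests, requesting nodes) pairs; the predicted and observed classes are constructed sample data:

```python
import math

# Added example: finding anomalies as outliers among 2-D deviation scores.
# Assumptions (not from the paper): the deviation score of a record is the
# absolute difference between the predicted class and the observed class,
# and a point is an outlier when fewer than min_pts other points lie within
# Euclidean distance eps of it (a density rule standing in for a full
# clustering algorithm).


def deviation_points(predicted, observed):
    """predicted/observed: lists of (class_a, class_b) pairs, e.g.
    (PCR class, PCH class) for the routing layer or (channel-request count
    class, requesting-node count class) for the MAC layer. Returns one
    (deviation_a, deviation_b) point per record."""
    if len(predicted) != len(observed):
        raise ValueError("predicted and observed must have the same length")
    return [(abs(pa - oa), abs(pb - ob))
            for (pa, pb), (oa, ob) in zip(predicted, observed)]


def outliers(points, eps, min_pts):
    """Indices of points that have fewer than min_pts neighbours within eps.
    Dense regions are the 'normal' clusters; sparse points are anomalies."""
    flagged = []
    for i, (x, y) in enumerate(points):
        neighbours = sum(1 for j, (u, v) in enumerate(points)
                         if j != i and math.hypot(x - u, y - v) <= eps)
        if neighbours < min_pts:
            flagged.append(i)
    return flagged


# Constructed sample data: the normal profile predicts class (3, 4) for every
# record; most observed classes sit close to that, two records (indices 8
# and 9) are far off, as a misrouting or false-update attack would produce.
SAMPLE_PREDICTED = [(3, 4)] * 10
SAMPLE_OBSERVED = [(3, 4), (4, 4), (3, 5), (2, 3), (3, 4),
                   (2, 4), (5, 5), (3, 3), (9, 9), (10, 10)]

if __name__ == "__main__":
    pts = deviation_points(SAMPLE_PREDICTED, SAMPLE_OBSERVED)
    print(pts)
    print(outliers(pts, eps=1.5, min_pts=3))
```

Records 8 and 9 are flagged although they are close to each other: with min_pts = 3 two mutually close points do not form a cluster on their own, which matters because a sustained attack can produce several similar deviation scores in a row. The eps and min_pts thresholds have to be tuned on normal traces; with eps large enough to reach the whole plot nothing is flagged.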

29
Experimental Results
30
(results slide with figures only; no transcript)
31
Discussion
  • Anomaly detection works much better on a routing
    protocol in which a degree of redundancy exists
    within the infrastructure
  • DSR embeds the whole source route in each packet
    it dispatches
  • This makes it harder to hide an intrusion by faking
    a small piece of routing information

32
Conclusions
  • Mobile wireless networks require different
    techniques to detect intrusions
  • Anomaly detection is a critical component of
    intrusion detection and response
  • Trace analysis and anomaly detection should be
    done locally and possibly through cooperation
    with all nodes in the network
  • The paper focused on ad-hoc routing protocols since
    they are the foundation of a mobile ad-hoc network

33
Conclusions Routing Protocols
  • Use anomaly detection models constructed using
    information available from the routing protocols
  • Apply RIPPER and SVM Light to compute classifiers
  • Showed that these detectors in general have good
    detection performance, with SVM Light performing
    better

34
Conclusions - findings
  • They noted some disparity in security performance
    among different types of routing protocols
  • They claimed that protocols with strong
    correlation among changes of different types of
    information (location, track and routing messages)
    tend to have better detection performance
  • And that on-demand protocols usually work better than
    table-driven protocols