Yongguang Zhang - PowerPoint PPT Presentation

Provided by: CSS113
Learn more at: https://www.memphis.edu

Transcript and Presenter's Notes


1
Intrusion Detection in Wireless Ad-Hoc Networks
Yongguang Zhang Wenke Lee
2
Ad Hoc Network
  • An ad hoc network is defined as a collection
    of wireless mobile nodes that dynamically
    self-organize in arbitrary and temporary network
    topologies

3
Environment
  • The intrusion detection agent resides on the local
    machine in the ad hoc network environment

broadcast transmission
4
Goals
  • Short-term goal: detect anomalies based on the
    collected data
  • Long-term goal: ensure an intrusion-free network

5
IDS Agent
  • The IDS agent runs independently
  • It is responsible for detecting intrusions to the
    local node or its cluster
  • Advantages of combining these two schemes:
    - reduce the chances of producing false alarms
    - detect intrusions that affect the whole or a
      part of the network

6
IDS agent
[Figure: IDS agent diagram. Labels: local data collection, local detection engine, cooperative detection engine, local response, global response, neighboring IDS agent. Inputs: system call activities, communication activities, other traces.]
7
IDS agent
Local data collection gathers real-time audit
data from various sources. These can be system
and user application data, or network routing and
data traffic measurements.
8
IDS agent
The local detection engine analyzes the collected
data and uses misuse and/or anomaly detection
algorithms, or other anomaly detection techniques,
to detect possible intrusions.
9
IDS agent
If the IDS detects an intrusion locally with a very
high anomaly detection rate, it can determine
independently that the network is under attack
and can initiate a response. However, if a node
detects an anomaly with a low anomaly detection
rate, which needs broader investigation, it can
initiate a cooperative global intrusion detection
procedure. This procedure works by passing the
intrusion detection state information to
neighboring agents. If the agent(s) find the
intrusion evidence to be sufficiently strong, a
response is initiated.
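The decision flow described on this slide, sketched as an added example that is not part of the original presentation. The 0..1 confidence scale, the two thresholds, the "no action" tier and the majority rule for combining neighbor states are all assumptions; the slides only distinguish "very high" from "low" and say the evidence must be "sufficiently strong".

```python
from dataclasses import dataclass, field

# Assumed values: the slides do not give numeric thresholds.
STRONG = 0.9   # confidence at which an agent responds on its own
WEAK = 0.5     # confidence that warrants broader (cooperative) investigation
QUORUM = 0.5   # assumed rule: more than half of the polled agents must agree


@dataclass
class IDSAgent:
    name: str
    confidence: float                       # local detection engine output, 0..1
    neighbors: list = field(default_factory=list)

    def report_state(self):
        """Intrusion detection state passed to a neighbor that asks for it."""
        return self.confidence

    def decide(self):
        """Return (decision, reason) for the current local detection result."""
        if self.confidence >= STRONG:
            return "local_response", "strong local evidence"
        if self.confidence < WEAK:
            return "no_action", "below investigation threshold"
        # Inconclusive evidence: run cooperative detection with the neighbors.
        # Neighbor reports are taken at face value in this sketch.
        states = [self.confidence] + [n.report_state() for n in self.neighbors]
        suspicious = sum(1 for s in states if s >= WEAK)
        if suspicious / len(states) > QUORUM:
            return "global_response", f"{suspicious}/{len(states)} agents see an anomaly"
        return "no_action", f"only {suspicious}/{len(states)} agents see an anomaly"


def demo():
    """Constructed scenario: node A is unsure, two of three neighbors agree."""
    a = IDSAgent("A", 0.6)
    a.neighbors = [IDSAgent("B", 0.7), IDSAgent("C", 0.2), IDSAgent("D", 0.8)]
    return a.decide()


if __name__ == "__main__":
    print(IDSAgent("X", 0.95).decide())
    print(demo())
```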
10
IDS agent
Intrusion response in a MANET depends on the type
of intrusion, possibly on help from other
security mechanisms if there are any, and on the
application-specific policy. For example, an
intrusion response can be to re-authenticate the
suspect nodes, to re-initialize communication
channels between nodes, or to identify the
compromised node and re-organize the network.
11
The End