1
Intrusion Detection in Wireless Ad Hoc Networks
  • Yi Qu
  • University of Ottawa
  • 2008.11.4

2
Outline
  • Basic Concept
  • Intrusion Detection Approaches
  • ID System Architectures
  • Summary
  • QA

3
Security Requirements [Dje05]
  • Availability
  • Authentication
  • Confidentiality
  • Integrity
  • Non-repudiation

4
Four Types of Attack
  • Attack on Availability
  • Attack on Confidentiality
  • Attack on Integrity
  • Attack on Authentication
5
Secure Services Model [Sto01]
  • Intrusion detection (ID) is the second line of
    defense, behind the preventive security services.
6
MANET Features and Their Impact on Security
  • Infrastructureless
  • - security solutions must rely on a distributed,
    cooperative scheme instead of a centralized
    scheme.
  • Multi-hop
  • - a malicious or uncooperative node may sit along
    the path between source and destination.
  • Memory and computation power limitation
  • - high-complexity security solutions are
    difficult to implement.

7
Intrusion Detection vs. Secure Routing
  • Intrusion Detection covers the detection of
    (internal) attacks against routing and data
    forwarding, i.e. attacks by nodes that already
    take part in the network.
  • Secure Routing mainly focuses on avoiding
    disruption of protocol execution by keeping
    attackers outside the network, using various
    authentication mechanisms.

8
Attacks against Routing
  • Modification
  • - modify the route sequence number, hop count or
    source route
  • Fabrication
  • - falsify route errors; broadcast falsified
    routes
  • Tunneling/Wormhole
  • Rushing attack
  • Spoofing (mainly the concern of secure routing)

9
Attacks against Data Forwarding
  • Dropping Data Packets
  • - attack routing first to gain participation in
    the route, then drop the packets to be forwarded
    (also named sinkhole, black hole, grey hole,
    selective forwarding, misleading, etc.)
  • Selfish Behavior
  • - not forwarding packets to save the node's own
    battery, without attacking routing
  • In summary, the essence of the intrusion is not
    forwarding data packets as expected

10
Intrusion Detection Models
  • Monitoring location
  • - Host-based: collect data on the local host,
    such as system call activity, communication
    activity and other traces
  • - Network-based: check network activity and
    packets
  • Detection profile
  • - Anomaly Detection: raise a flag when the
    deviation from normal behavior exceeds a threshold
  • - Signature/Misuse Detection: match the signature
    (misuse pattern) of predefined intrusion types

11
Outline
  • Basic Concept
  • Intrusion Detection Approaches
  • ID System Architectures
  • Summary
  • QA

12
Classification
  • Intrusion Preventive Approaches
  • - Economic-based
  • Intrusion Detection Approaches
  • - Reputation-based
  • - Statistic-based

13
Economic-based Intrusion Prevention (1)
  • Nuglet
  • - Nodes that use a service must pay for it (in
    virtual currency, "nuglets") to the nodes that
    provide the service.
  • - How to represent nuglets securely is a problem.
  • - A well-behaved node that is not asked to route
    enough packets cannot earn nuglets and will be
    unable to send its own packets.

14
Economic-based Intrusion Prevention (2)
  • SCAN (token-based)
  • - Each node needs a token in order to participate
    in network operations.
  • - A node renews its token through multiple
    neighbors, who jointly sign it with a shared key.
  • - The token of a node convicted as malicious is
    revoked.

15
Reputation-based Intrusion Detection
  • The opinion a node has of another is called its
    reputation. Based on this reputation, the node
    determines whether to cooperate with the other node.
  • Reputation systems can be used to cope with any
    kind of misbehavior, as long as it is observable.

16
Reputation-based Functions
  • Monitoring
  • - Get first-hand information about a node's
    behavior by taking account of the packets received
    and by overhearing the next hop's activity. Usually
    the signature detection model is used.
  • Reputation
  • - Keep and update the reputation rating
  • Response
  • - Isolate the nodes that are deemed to misbehave

17
Watchdog Pathrater (1)
  • Watchdog is the monitoring part
  • Pathrater is the combined reputation and
    response part.
  • One of the earliest reputation-based IDS; its
    monitoring mechanism is reused by many later IDS.
    Cited by 1135 papers (at the time of this talk).

18
Watchdog Pathrater (2)
  • Watchdog detects non-forwarding by overhearing
    the transmission of the next node.
  • Once misbehavior is detected, the source of the
    concerned path is informed. Each node maintains a
    rating for every other node it knows about.
  • Nodes select routes with the highest average node
    rating.

19
Watchdog Pathrater (3)
  • Weaknesses of the Watchdog mechanism
  • - Ambiguous collisions: a collision at A prevents
    it from overhearing B's retransmission
  • - Receiver collisions: A overhears B forward the
    packet, but it collides at the receiver C
  • - Limited transmission power: B forwards the
    packet with power too low to reach the real
    recipient, but high enough to be overheard by A
  • - Collusion: on a path A → B → C with B and C
    in collusion, C drops the packet and B does not
    report it to A
  • - Partial dropping: drop some packets, but not
    enough to exceed the threshold
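To make the watchdog and pathrater of the last three slides concrete, here is a small simulation. It is an added example written for this page, not code from Marti et al.: the neutral rating of 0.5 and the -100 rating for accused nodes follow the paper, while the window size and failure threshold, the deterministic "drop every k-th packet" grey hole and the node names A, B, X, Y, D are assumed for illustration. It shows a black hole being accused and excluded, and a grey hole that drops below the threshold evading the watchdog and still being chosen by the pathrater (the "partial dropping" weakness).

```python
"""Watchdog + Pathrater simulation (constructed example, not the original paper's code)."""
from collections import deque
from dataclasses import dataclass

WINDOW = 50                # assumed: watchdog judges the last 50 packets handed to a next hop
FAIL_THRESHOLD = 5         # assumed: 5 unobserved retransmissions in the window -> accuse
INITIAL_RATING = 0.5       # pathrater starts every known node at a neutral 0.5 (Marti et al.)
MISBEHAVE_RATING = -100.0  # accused nodes get a strongly negative rating (Marti et al.)


@dataclass
class Node:
    name: str
    drop_every: int = 0    # grey hole: silently drop every k-th packet handled (0 = honest)
    handled: int = 0

    def forwards(self) -> bool:
        """Return True if this node actually retransmits the packet it was handed."""
        self.handled += 1
        return not (self.drop_every and self.handled % self.drop_every == 0)


def run_watchdog(path, n_packets):
    """Send n_packets from path[0] to path[-1].

    The node before each intermediate hop acts as its watchdog: it keeps a copy of
    every packet handed to the hop and counts a failure when it does not overhear
    the hop retransmit it.  Returns (packets delivered, set of accused node names).
    """
    window = {n.name: deque(maxlen=WINDOW) for n in path[1:-1]}  # 1 = failure observed
    accused = set()
    delivered = 0
    for _ in range(n_packets):
        dropped = False
        for hop in path[1:-1]:
            ok = hop.forwards()
            window[hop.name].append(0 if ok else 1)
            if sum(window[hop.name]) >= FAIL_THRESHOLD:
                accused.add(hop.name)     # watchdog reports the hop to the source
            if not ok:
                dropped = True            # nodes further down never see the packet
                break
        delivered += not dropped
    return delivered, accused


def pathrater_choose(paths, accused):
    """Pick the path whose intermediate nodes have the highest average rating."""
    def avg_rating(path):
        mids = path[1:-1]
        return sum(MISBEHAVE_RATING if n.name in accused else INITIAL_RATING
                   for n in mids) / len(mids)
    return max(paths, key=avg_rating)


def demo():
    """Three candidate routes A -> {X | Y | B} -> D, 100 packets each."""
    a, d = Node("A"), Node("D")
    black = Node("X", drop_every=2)    # drops every 2nd packet: 50% loss
    grey = Node("Y", drop_every=20)    # drops every 20th packet: 5% loss, stays under threshold
    honest = Node("B")
    results = {n.name: run_watchdog([a, n, d], 100) for n in (honest, black, grey)}
    accused = set().union(*(acc for _, acc in results.values()))
    best = pathrater_choose([[a, black, d], [a, grey, d], [a, honest, d]], accused)
    return results, accused, [n.name for n in best]


if __name__ == "__main__":
    res, acc, best = demo()
    for name, (delivered, _) in res.items():
        print(f"via {name}: delivered {delivered}/100, accused={name in acc}")
    print("pathrater chooses", " -> ".join(best))
```

The grey hole Y loses 5 packets out of 100 but never accumulates 5 failures inside one 50-packet window, so it is never accused; with only first-hand accusations to go on, the pathrater rates Y exactly like the honest node B and, because the Y route is listed first, selects it.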

20
Statistic-based Intrusion Detection
  • Takes the anomaly detection model
  • Profile the statistics of normal behavior and
    compare them to the statistics of the audit data.
  • Needs sufficient data gathering (including both
    "training" and "testing" processes), refined
    features and modeling algorithms to generate a
    good anomaly detection profile.

21
Statistic-based IDS Example [Zhang00]
  • Statistical anomaly detection, illustrated with
    host-based audit data (routing table change
    statistics)
  • Uses data on the node's physical movements and
    the corresponding changes in its routing table as
    the basis of the trace data.
  • PCR: percentage of changed routes
  • PCH: percentage of change in the sum of hops of
    all the routes
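The PCR and PCH features above can be computed directly from two snapshots of a node's routing table. The following is an added example for this page, not the detector from Zhang and Lee: it profiles the two features over a constructed trace of "normal" snapshots (slow movement, one route changing at a time) as mean and standard deviation, and flags a new snapshot as anomalous when either feature is more than k standard deviations from the profile. The snapshot contents, the z-score rule and the threshold k = 3 are assumptions chosen for illustration; the original work trained a classifier on these features rather than a simple z-score.

```python
"""PCR/PCH anomaly detection over routing-table snapshots (constructed example)."""
from statistics import mean, pstdev

# Constructed "normal" trace: a routing table {destination: hop count} sampled as
# the node moves slowly, so at most one route changes between snapshots.
NORMAL_TRACE = [
    {"a": 1, "b": 2, "c": 2, "d": 3, "e": 3},
    {"a": 1, "b": 2, "c": 3, "d": 3, "e": 3},
    {"a": 1, "b": 2, "c": 3, "d": 3, "e": 4},
    {"a": 1, "b": 2, "c": 3, "d": 3, "e": 4},
    {"a": 2, "b": 2, "c": 3, "d": 3, "e": 4},
    {"a": 2, "b": 2, "c": 3, "d": 3, "e": 4},
]


def route_features(before, after):
    """Return (PCR, PCH) between two routing-table snapshots.

    PCR: fraction of destinations whose route appeared, disappeared or changed hop count.
    PCH: relative change in the sum of hop counts over all routes.
    """
    dests = set(before) | set(after)
    changed = sum(1 for d in dests if before.get(d) != after.get(d))
    pcr = changed / len(dests) if dests else 0.0
    hops_before, hops_after = sum(before.values()), sum(after.values())
    pch = abs(hops_after - hops_before) / hops_before if hops_before else 0.0
    return pcr, pch


def build_profile(trace):
    """Training phase: mean and standard deviation of each feature over consecutive
    snapshots taken while the node behaved normally."""
    feats = [route_features(a, b) for a, b in zip(trace, trace[1:])]
    pcr, pch = zip(*feats)
    return {"pcr": (mean(pcr), pstdev(pcr)), "pch": (mean(pch), pstdev(pch))}


def anomaly_score(profile, before, after):
    """Testing phase: largest z-score of the observed features against the profile."""
    def z(value, stats):
        m, s = stats
        if s == 0:                       # degenerate profile: any deviation is unbounded
            return 0.0 if value == m else float("inf")
        return (value - m) / s
    pcr, pch = route_features(before, after)
    return max(z(pcr, profile["pcr"]), z(pch, profile["pch"]))


def is_anomalous(profile, before, after, k=3.0):
    """Raise a flag when the deviation from the normal profile exceeds k standard deviations."""
    return anomaly_score(profile, before, after) > k


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACE)
    last = NORMAL_TRACE[-1]
    normal_next = {"a": 2, "b": 2, "c": 3, "d": 4, "e": 4}   # one more slow change
    attacked = {"a": 5, "b": 6, "c": 1, "d": 7, "e": 8}      # every route rewritten at once
    for label, snap in (("normal", normal_next), ("attack", attacked)):
        print(label, round(anomaly_score(profile, last, snap), 2),
              "anomalous" if is_anomalous(profile, last, snap) else "ok")
```

The profile is only as good as the training trace: a node whose normal mobility already produces wholesale routing-table changes would need a larger trace and a higher k to avoid false alarms, which is the "good statistical profile" challenge noted in the summary.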

22
Outline
  • Basic Concept
  • Intrusion Detection Approaches
  • ID System Architectures
  • Summary
  • QA

We have seen how intrusions are prevented or
detected by processing the audit data; now let us
look at the same systems from the viewpoint of
ID system architectures.
23
Architecture Overview
  • Stand-alone
  • Distributed and Cooperative
  • Either can be used alone or combined with one or
    both of the architectures below
  • - Hierarchical
  • - Agent-based

24
Stand-alone Architecture
  • The IDS runs on each node independently to
    determine intrusions. There is no cooperation
    between nodes to exchange reputation information
    about others.
  • Pro: simple, and claimed to need no
    trust-management machinery
  • Con: vulnerable to malicious routing

25
OCEAN
  • NeighborWatch
  • - similar to Watchdog; maintains a rating for
    each of the node's neighbors
  • Rank-Based Routing
  • - the transmitter adds a new field to the RREQ,
    the avoid-list, which is the list of nodes it
    wishes to avoid
  • Vulnerable to malicious routing

26
Distributed Cooperative Architecture
  • The nature of a MANET is distributed and
    cooperative
  • Cooperation helps an individual node make a
    decision (using second-hand information) when the
    local evidence is inconclusive.
  • Cooperation alleviates attacks on the IDS itself,
    but needs the support of trust management

27
An Early Distributed Cooperative IDS
  • Distributed and Cooperative IDS in MANETs,
    proposed by Zhang and Lee in 2000 [Zhang00]
28
CONFIDANT
  • Cooperation Of Nodes - Fairness In Dynamic Ad-hoc
    NeTworks [CONFIDANT]
  • Monitor neighbors, update reputation, take a
    response, and send an ALARM to friends
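The interplay between first-hand monitoring, second-hand ALARMs and trust management described on the distributed-cooperative and CONFIDANT slides can be shown in a few dozen lines. This is an added example written for this page, not CONFIDANT's own code: the rating deltas, the isolation threshold, the trust increments and the node names A, B, C, F, H, M are all assumed. It keeps the asymmetry that matters in practice (one observed drop outweighs several good forwardings), weights an ALARM by the trust placed in its sender so an unknown or untrusted node cannot get an honest node isolated by itself, and raises or lowers trust in a sender according to whether its ALARMs agree with the receiver's own observations.

```python
"""Simplified CONFIDANT-style reputation with trust-weighted second-hand ALARMs.
Constructed example; weights and thresholds are assumed, not CONFIDANT's own."""
from dataclasses import dataclass, field

GOOD_DELTA = 0.1        # first-hand good behaviour raises the rating a little
BAD_DELTA = -0.5        # first-hand misbehaviour lowers it a lot (deliberately asymmetric)
ALARM_PENALTY = 0.5     # an ALARM is worth at most one first-hand bad observation ...
ISOLATE_BELOW = -0.75   # ... and is scaled by the trust placed in the sender
TRUST_UP, TRUST_DOWN = 0.1, 0.2


@dataclass
class ConfidantNode:
    name: str
    trust: dict = field(default_factory=dict)       # friend -> trust in its ALARMs (0..1)
    reputation: dict = field(default_factory=dict)  # subject -> rating (0 = neutral)
    firsthand: dict = field(default_factory=dict)   # subject -> [True for good, False for bad]

    def observe(self, subject, good):
        """Monitor: record a first-hand observation of a neighbour's forwarding."""
        self.firsthand.setdefault(subject, []).append(good)
        delta = GOOD_DELTA if good else BAD_DELTA
        self.reputation[subject] = self.reputation.get(subject, 0.0) + delta
        return self.reputation[subject]

    def receive_alarm(self, sender, subject):
        """Trust manager: apply a second-hand ALARM, weighted by trust in the sender.

        Senders we have no trust record for get weight 0, so their ALARMs alone can
        never isolate anyone.  If we hold first-hand evidence about the subject, the
        ALARM is checked against it and the sender's trust is adjusted accordingly.
        """
        t = self.trust.get(sender, 0.0)
        self.reputation[subject] = self.reputation.get(subject, 0.0) - ALARM_PENALTY * t
        own = self.firsthand.get(subject)
        if own:
            if any(not g for g in own):                    # ALARM agrees with what we saw
                self.trust[sender] = min(1.0, t + TRUST_UP)
            else:                                          # ALARM contradicts our evidence
                self.trust[sender] = max(0.0, t - TRUST_DOWN)
        return self.reputation[subject]

    def isolated(self, subject):
        """Path manager response: refuse to route through nodes rated below threshold."""
        return self.reputation.get(subject, 0.0) < ISOLATE_BELOW

    def alarm_targets(self):
        """Nodes this node would itself raise an ALARM about to its friends."""
        return sorted(s for s in self.reputation if self.isolated(s))


def demo():
    """Node A with friend F; B drops packets, C is suspicious, H is honest, M is a stranger."""
    a = ConfidantNode("A", trust={"F": 0.5})
    a.observe("B", good=False)
    a.observe("B", good=False)       # B at -1.0: isolated on first-hand evidence alone
    a.receive_alarm("F", "B")        # consistent with own view: B -1.25, trust in F -> 0.6
    a.observe("C", good=False)       # C at -0.5: inconclusive on its own
    a.receive_alarm("F", "C")        # second-hand evidence tips C to -0.8 -> isolated; F -> 0.7
    a.receive_alarm("M", "H")        # stranger M has trust 0: H stays at 0.0
    a.receive_alarm("F", "H")        # trusted friend: H -0.35, still not isolated
    return a


if __name__ == "__main__":
    node = demo()
    print("isolated:", node.alarm_targets())
    print("trust:", node.trust)
    print("reputation:", {k: round(v, 2) for k, v in node.reputation.items()})
```

Two points the run makes visible: B is isolated without any cooperation at all, C is isolated only because a trusted friend's ALARM was combined with an inconclusive local observation, and H survives both an ALARM from a stranger (weight zero) and one from a friend (not enough on its own). Whether the second point is a feature or an attack surface depends entirely on how trust in F was earned, which is why the slides call trust management the key part.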
29
Hierarchical Architecture
  • A hierarchical IDS extends the distributed and
    cooperative IDS and is proposed for multi-layered
    network infrastructures
  • The cluster head can monitor its member nodes,
    saving their resources, or it can collect
    monitoring reports from the nodes and do some
    additional work on them.

30
Hierarchical Example [Sterne05]
31
Agent-based Architecture
  • Separate the functional tasks into categories and
    assign each task to a different agent, so that the
    workload is distributed
  • Save energy by offloading some tasks
  • - e.g. cluster member nodes do not need packet-level
    monitoring
  • Different nodes do best at different tasks
  • - e.g. the cluster head is good at making decisions
    because it has both network-level information and
    the host-based information of all its nodes.

32
Agent-based Example [Kach03]
  • The packet-level monitoring agent and the decision
    agent run only in the cluster head
  • All nodes have an action agent and host-based
    monitoring agents for the user level and system
    level

33
Summary
  • Many IDS are reputation-based and use the
    signature detection model for the simple
    misbehavior of packet dropping.
  • A good statistical profile for the anomaly
    detection model is a challenge, but it allows
    detection to be performed locally in each node.
  • Most IDS take the distributed cooperative
    architecture, which matches the nature of a MANET.
    Trust management is a key part.
  • The agent-based approach is a trend because of
    its efficiency

34
QA
  • 1. What are the advantages and disadvantages of
    the Signature Detection model compared to the
    Anomaly Detection model?
  • A: Signature Detection is accurate, but cannot
    detect an intrusion without a predefined
    signature. Anomaly Detection may cause false
    accusations, but can detect new types of intrusion.

35
QA
  • 2. A mechanism like Watchdog is a common way to
    monitor network activity, but it has weaknesses.
    Besides deliberate attacks, its monitoring can be
    inaccurate. Please give one example.
  • A: ambiguous collisions,
  • receiver collisions

36
QA
  • 3. Explain why the agent-based architecture is
    efficient.
  • A: The agent-based architecture is efficient in at
    least the following two respects:
  • Save energy by offloading some tasks
  • Different nodes do best at different tasks.

37
References
  • [Dje05] D. Djenouri, "A survey of security issues
    in mobile ad hoc and sensor networks," IEEE
    Communications Surveys & Tutorials, 2005.
  • [Sto01]
  • [Sterne05] D. Sterne et al., "A General
    Cooperative Intrusion Detection Architecture for
    MANETs," Proc. 3rd IEEE International Workshop on
    Information Assurance (IWIA'05), pp. 57-70,
    March 2005.
  • [CONFIDANT] S. Buchegger and J.-Y. Le Boudec,
    "Performance Analysis of the CONFIDANT Protocol:
    Cooperation Of Nodes - Fairness In Dynamic Ad-hoc
    NeTworks," Proc. IEEE/ACM Symposium on Mobile Ad
    Hoc Networking and Computing (MobiHoc), 2002.
  • [Zhang00] Y. Zhang and W. Lee, "Intrusion
    Detection in Wireless Ad Hoc Networks," Proc. 6th
    Intl. Conf. on Mobile Computing and Networking
    (MobiCom 2000), Aug. 2000, pp. 275-283.
  • [OCEAN] S. Bansal and M. Baker, "Observation-Based
    Cooperation Enforcement in Ad hoc Networks,"
    Research Report cs.NI/0307012, Stanford
    University, 2003.
  • [Watchdog] S. Marti et al., "Mitigating Routing
    Misbehavior in Mobile Ad Hoc Networks," Proc.
    MobiCom 2000, 2000, pp. 255-265.
  • [SCAN] H. Yang et al., "SCAN: Self-Organized
    Network-Layer Security in Mobile Ad Hoc Networks,"
    IEEE Journal on Selected Areas in Communications,
    vol. 24, no. 2, Feb. 2006.