Intrusion Detection on Manets
Kulesh Shanmugasundaram
[email protected]
SYN

Overview of Manets
Overview of IDS
Problems of Current Techniques
Research Challenges
Proposed Solutions
Conclusion
FIN
Manets

How Ad-Hoc is Ad-Hoc?
No, really?
Mechanics of Manets

Auto-configuration (zeroconf, ipng)
Routing (manet)
  Table driven vs. on-demand algorithms
  Performance depends on topology, density, size, mobility etc.
  So, it is hard to agree upon a standard
Applications

Nodes should be able to configure themselves when they join a "community" (e.g. choosing names, locating services)
Mechanics of configuration should be transparent to applications
We really don't know
Security (manet)

Security of operations (e.g. integrity of routing mechanisms etc.)
Physical security of nodes (e.g. lost devices, tampering etc.)
Who is the weakest link? (the network is as secure as its weakest link)
Vulnerabilities of Manets

Vulnerabilities accentuated by manet context
  Access Control
    Lack of physical boundary/packet boundary
    Shared, open broadcast medium
    E.g. IP masquerading, passive eavesdropping, DoS
Vulnerabilities specific to manets
  Trust
    Lack of trust in the underlying infrastructure
    Collaborative participation of nodes is mandatory for routing and auto-configuration
    E.g. Refusal of Service (RoS), emission of false information, sleep-deprivation torture, DoS on MAC or on DAD (duplicate address detection)
Homework

List at least 5 properties of manets that accentuate security vulnerabilities.
Explain how they impact security, with examples.
Intrusion Detection Systems

Attempt to detect intrusions on autonomous systems, e.g. computer networks
Based on Deployment
  Host Based (HIDS) (e.g. ZoneAlarm): uses hosts' audit logs & visible traffic for intrusion detection
  Network Based (NIDS) (e.g. NFR): uses substantial network traffic for intrusion detection
Based on Techniques
  Anomaly Detection (e.g. use of a normal profile)
  Misuse Detection (e.g. use of attack signatures)
  Specification Based (e.g. monitor invariants for violations)
  Policy Based (e.g. monitor policy violations)
Requirements of an IDS on Manets

1. Not introduce a new weakness
   The anomaly detection system itself should not make the node weaker than it already is (e.g. listening in promiscuous mode)
2. Need little system resources
   In general nodes on manets have stringent constraints on resources (e.g. may not be able to run complex detection algorithms)
3. Have proper response for detections
   An IDS should not only detect but also respond to the detected intrusions, preferably without human intervention (e.g. modify the firewall to block attacking hosts etc.)
4. Be reliable
   Fewer false positives, as there is no extensive crisis control infrastructure to handle alarms
5. Interoperable with other IDS
   Be able to collaborate with other nodes for detection or response (e.g. use standards)
Problems of Current Techniques

Lack of traffic convergence points
  Prohibits the use of NIDS, firewalls, policies etc.
Lack of available data at hosts
  ID algorithms have to work with "partial and localized information" in and around the radio range of hosts
Lack of communication among nodes
  Disconnected operations
  Location dependent computing
Lack of standards
  Lack of protocol standards
  |signatures| = |protocols| × |vulnerabilities| × |topologies|
  Lack of understanding of applications
Research Challenges [1]

What is a good system architecture for building intrusion detection and response systems for manets?
What are appropriate audit data sources?
How do we detect anomalies based on partial, localized data, if they are the only reliable data sources?
What is a good model of activities in a manet that can separate anomaly when under attack from normalcy?
Can we improve routing and zero-conf protocols to support intrusion detection systems?
Proposed Solution

Anomaly Detection In General

[Diagram: Data -> Features -> A Learning Algorithm -> Results]

1. Pick a learning algorithm
2. Pick some features
3. Train the algorithm
4. Test the algorithm
5. Tune the algorithm, features
6. Go to 3
Anomaly Detection on Manets

Arguments for Anomaly Detection on Manets
  One too many signatures to maintain for a misuse detection system
  Keeping the signatures up to date is a bigger problem
  Lack of centralized management and monitoring points makes policy based systems difficult, and policies among communities may be incompatible
  Specification based systems may work but no one has tried it, AFAIK

Arguments Against Anomaly Detection on Manets
  There may not be a clear separation between normalcy and anomaly (e.g. emission of false routing information)
  There may not be enough data for anomaly detection systems (e.g. disconnected operations, lack of communication in general)
  Processing and memory requirements for anomaly detection are relatively high and nodes may not be able to cope with them
  Hasn't proven itself useful in fixed networks (IMHO)
Proposed System Architecture

[Diagram: IDS agent on each node]
  local data collection (system calls, communication activities etc.)
    -> local detection engine -> local response
  local detection engine <-> global detection engine
    <-> secure communication <-> neighboring IDS agents
  global detection engine -> global response
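The slide only names the components of the agent; the following is an added example (not code from the slides or from the cited papers) of how the local and global engines fit together. It assumes that the local detection engine has already produced a deviation score in [0, 1], that scores between 0.3 and 0.7 are inconclusive, that the global engine decides by majority of neighbours' verdicts, and that the "secure communication" component is an HMAC over each vote under a community-wide pre-shared key; all of these are constructed assumptions.

```python
"""Added example, not from the slides: one IDS agent per node with a local
detection engine and a global detection engine that polls neighboring
agents when local evidence is inconclusive.  The score band, the majority
rule and the HMAC-protected vote channel are constructed assumptions; the
slides only name a 'secure communication' component."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the community shares one key for authenticating IDS messages.
COMMUNITY_KEY = b"constructed-pre-shared-key"


def mac(message: dict) -> bytes:
    """HMAC-SHA256 over a canonical JSON encoding of the vote."""
    payload = json.dumps(message, sort_keys=True).encode()
    return hmac.new(COMMUNITY_KEY, payload, hashlib.sha256).digest()


@dataclass
class Vote:
    sender: str
    about: str       # node the verdict refers to
    verdict: str     # "normal" | "abnormal" | "uncertain"
    tag: bytes       # HMAC over (sender, about, verdict)


class IdsAgent:
    """Local engine: threshold the node's own deviation score.
    Global engine: when the local verdict is 'uncertain', count the
    authenticated verdicts of neighbours and take the majority."""
    LOW, HIGH = 0.3, 0.7     # assumed band of inconclusive local scores

    def __init__(self, node: str, local_score: float) -> None:
        self.node = node
        self.local_score = local_score   # output of the local detection engine

    def local_verdict(self) -> str:
        if self.local_score >= self.HIGH:
            return "abnormal"
        if self.local_score < self.LOW:
            return "normal"
        return "uncertain"

    def cast_vote(self, about: str) -> Vote:
        """What this agent tells a neighbour over the secure channel."""
        verdict = self.local_verdict()
        msg = {"from": self.node, "about": about, "verdict": verdict}
        return Vote(self.node, about, verdict, mac(msg))

    def global_verdict(self, votes: List[Vote]) -> Tuple[str, Dict[str, int]]:
        tally = {"abnormal": 0, "normal": 0, "uncertain": 0, "rejected": 0}
        for v in votes:
            expected = mac({"from": v.sender, "about": v.about, "verdict": v.verdict})
            # Votes without a valid tag, or authenticated for some other
            # node, are discarded rather than counted.
            if v.about != self.node or not hmac.compare_digest(expected, v.tag):
                tally["rejected"] += 1
                continue
            tally[v.verdict] += 1
        verdict = "abnormal" if tally["abnormal"] > tally["normal"] else "normal"
        return verdict, tally

    def decide(self, neighbours: List["IdsAgent"], extra_votes: List[Vote] = ()) -> Tuple[str, str]:
        """Returns (verdict, response channel): local response when the local
        engine is confident, global response after polling neighbours."""
        local = self.local_verdict()
        if local != "uncertain":
            return local, "local response"
        votes = [n.cast_vote(self.node) for n in neighbours] + list(extra_votes)
        verdict, _ = self.global_verdict(votes)
        return verdict, "global response"


if __name__ == "__main__":
    a = IdsAgent("A", 0.5)            # inconclusive locally
    b, c, d = IdsAgent("B", 0.8), IdsAgent("C", 0.2), IdsAgent("D", 0.75)
    forged = Vote("X", "A", "normal", b"\x00" * 32)   # constructed: no valid tag
    print(a.decide([b, c, d], [forged]))              # global response
    print(b.decide([a, c, d]))                        # local response
```

The rejected-vote counter is the security-relevant part: a neighbour that cannot authenticate its verdict gets no say in the global decision, which is the minimum needed for requirement 1 (the IDS must not itself become a new weakness).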
Anomaly Detection on Manets

The Goal
  Find the most useful (features, algorithm) for anomaly detection on manets and, using feedback, alter routing algorithms to better support anomaly detection
  Results in the best combination of (routing, features, model)

The Process
1. Choose a routing algorithm
2. Choose some features
3. Choose a modeling algorithm
4. Train, test the detection model and refine features
5. Feedback to alter the routing algorithm
Proposed Process

PCR = Percentage of Changed Routes
PCH = Percentage of Change of the sum of Hops of all routes
The training process simulates a diversity of normal situations and trace data is gathered
A detection model trained on this data can work on any node

Computing the normal profile

Denote PCR the class
Also, denote distance, direction, velocity, and PCH the features
Use n classes to represent the PCR ranges
Apply a classification algorithm to learn a classifier for PCR
Repeat the process to learn a classifier for PCH
Classification Algorithm

Given a set of features describing a concept, classification algorithms output classification rules (a.k.a. a classifier)
For example, when using PCR as the class, given the features the output would be:

  if (distance < 0.5 && velocity < 3) PCR = 2
  else if (velocity > 5 && PCH < 10) PCR = 6

Confidence = |condition && conclusion| / |condition|

The classification rule sets of PCR and PCH together form the normal profile of the manet
Process of Anomaly Detection

Training & Testing
1. Feed the trace data to the classification algorithm
2. Compute confidence for all classification rules
3. Compute PCR, PCH deviation scores PCRD, PCHD
4. Assign classes {normal, abnormal} for (PCHD, PCRD)
5. Use a classification/clustering algorithm on (PCHD, PCRD, Class) to compute a classifier
6. Refine the models

Deviation (PCRD, PCHD) is measured by the confidence value of the violated classification rule
The combination of classification algorithms (2, 5) is used on hosts for anomaly detection
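The following is an added example that walks the process above end to end; it is not code from the slides or from the cited papers. It computes PCR and PCH from two constructed routing-table snapshots, learns rule confidence as |condition && conclusion| / |condition| over a constructed training trace, scores a new observation by the confidence of the rule it violates, and labels (PCRD, PCHD). The rule conditions, the 20-point PCR/PCH classes, the training rows and the fixed 0.5 threshold (standing in for the classifier/clustering step 5) are all assumptions.

```python
"""Added example, not from the slides: PCR/PCH feature extraction, a
rule-based normal profile with rule confidence, deviation scores and a
threshold detection model.  The routing snapshots, training trace, rule
conditions and the 0.5 threshold are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Route = Dict[str, Tuple[str, int]]   # destination -> (next hop, hop count)


def pcr_pch(before: Route, after: Route) -> Tuple[float, float]:
    """PCR: % of routes whose (next hop, hops) changed between two snapshots
    of one node's routing table; PCH: % change of the sum of hops."""
    dests = set(before) | set(after)
    changed = sum(1 for d in dests if before.get(d) != after.get(d))
    pcr = 100.0 * changed / len(dests) if dests else 0.0
    hops_before = sum(h for _, h in before.values())
    hops_after = sum(h for _, h in after.values())
    pch = 100.0 * abs(hops_after - hops_before) / hops_before if hops_before else 0.0
    return pcr, pch


@dataclass
class Obs:
    """One observation: mobility features plus PCR/PCH (both percentages)."""
    distance: float
    direction: str
    velocity: float
    pcr: float
    pch: float


def bucket(percent: float, n_classes: int = 5) -> int:
    """Map a percentage to one of n PCR/PCH classes (20-point ranges)."""
    return min(int(percent // (100 / n_classes)), n_classes - 1)


@dataclass
class Rule:
    """'if cond then <target> = cls', as emitted by the classifier."""
    cond: Callable[[Obs], bool]
    target: str          # "pcr" or "pch"
    cls: int
    confidence: float = 0.0


def train_profile(rules: List[Rule], trace: List[Obs]) -> List[Rule]:
    """Confidence = |condition && conclusion| / |condition| over the trace."""
    for r in rules:
        matched = [o for o in trace if r.cond(o)]
        hits = [o for o in matched if bucket(getattr(o, r.target)) == r.cls]
        r.confidence = len(hits) / len(matched) if matched else 0.0
    return rules


def deviation(obs: Obs, profile: List[Rule], target: str) -> float:
    """Deviation score = confidence of the first rule (if/else-if order) on
    `target` whose condition fires but whose conclusion the observation
    violates; 0.0 when the profile is satisfied."""
    for r in profile:
        if r.target == target and r.cond(obs):
            return 0.0 if bucket(getattr(obs, target)) == r.cls else r.confidence
    return 0.0


def detect(obs: Obs, profile: List[Rule], threshold: float = 0.5) -> Tuple[float, float, str]:
    """Assumed detection model: a fixed threshold on (PCRD, PCHD) stands in
    for the classifier/clustering step of the slides."""
    pcrd = deviation(obs, profile, "pcr")
    pchd = deviation(obs, profile, "pch")
    return pcrd, pchd, "Abnormal" if max(pcrd, pchd) > threshold else "Normal"


# Constructed training trace of normal behaviour: slow nodes see few route
# changes (class 0), fast nodes see more (class 1); two rows deliberately
# break the pattern so that rule confidence is below 1.0.
TRAINING = [
    Obs(0.01, "S", 0.1, 5, 4), Obs(0.02, "N", 0.5, 10, 8),
    Obs(0.05, "E", 1.0, 15, 2), Obs(0.50, "S", 2.0, 25, 10),
    Obs(3.00, "S", 5.0, 30, 25), Obs(4.00, "N", 8.0, 35, 30),
    Obs(2.00, "W", 4.0, 22, 21), Obs(5.00, "N", 9.0, 38, 15),
]


def build_profile() -> List[Rule]:
    rules = [  # assumed rule set, in the if/else-if form of the slides
        Rule(lambda o: o.velocity < 3, "pcr", 0),
        Rule(lambda o: o.velocity >= 3, "pcr", 1),
        Rule(lambda o: o.velocity < 3, "pch", 0),
        Rule(lambda o: o.velocity >= 3, "pch", 1),
    ]
    return train_profile(rules, TRAINING)


# Constructed routing-table snapshots of a nearly stationary node: every
# route through B is suddenly redirected through F with one extra hop.
SNAPSHOT_BEFORE: Route = {"B": ("B", 1), "C": ("B", 2), "D": ("B", 3), "E": ("B", 4), "F": ("F", 1)}
SNAPSHOT_AFTER: Route = {"B": ("F", 2), "C": ("F", 3), "D": ("F", 4), "E": ("F", 5), "F": ("F", 1)}

if __name__ == "__main__":
    profile = build_profile()
    pcr, pch = pcr_pch(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print(detect(Obs(0.02, "N", 0.5, pcr, pch), profile))   # slow node, 80% of routes changed
    print(detect(Obs(0.02, "N", 0.5, 10, 5), profile))      # slow node, routes stable
```

The point of the two calls at the end is the one the slides make about deviation: the slow node whose routes all flip is flagged not because 80% is large in itself, but because the rule "slow nodes change few routes" was learned with high confidence and is violated.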
Process of Anomaly Detection

[Figure: worked example of the detection process]

Trace data (features distance, direction, velocity, PCR, PCH):
  Distance  Direction  Velocity  PCR  PCH
  0.01      S          0.1       20   15
  10        S          20        80   50
  0.02      N          0.1       0    0
  …         …          …         …    …

Classification Algorithm -> Classification Rules (with conclusion and confidence):
  if (distance > 0.5 && velocity < 3) PCH = 2
  else if (velocity > 5 && direction = N) PCR = 5
  else if (velocity > 5 && PCR = 20) PCH = 9
  else if (distance > 3.4 && velocity > 9) PCR = 4

Deviation scores per observation (PCRD, PCHD, Class), e.g.:
  0.0  0.0  Normal
  0.9  0.5  Abnormal
  …    …    …

Classification/Clustering Algorithm -> Detection Model (rule, conclusion):
  if (PCHD < 0.5 && PCHD > 0.2) Normal
  else if (PCHD > 0.5 && PCHD < 0.8) Abnormal
  else if (PCRD < 0.5 && PCRD > 0.0) Normal
  else if (PCRD > 0.8) Abnormal
Multi-Layer Integrated IDS

An obvious next step
Conclusion

Discussed a common process for anomaly detection on manets
Discussed an architecture for the system
Anyone interested in furthering this work:
1. Find a realistic data set (DNE)
2. Brainstorm for a proper feature set
3. Pick a learning algorithm (lots of tools)
4. And the 3 T's (train, test, tune)
5. Just don't over fit or over tune
References

1. Yongguang Zhang and Wenke Lee, Intrusion Detection in Wireless Ad-Hoc Networks, MobiCom 2000
2. Patrick Albers, Olivier Camp et al., Security in Ad-Hoc Networks: A General Intrusion Detection Architecture Enhancing Trust Based Approaches, International Workshop on Wireless Information Systems 2002
3. RFC2460, IETF Standards Document 1998
4. RFC2051, IETF Draft Document 2000
5. Zero Configuration Networking, Internet Draft 2002
Homework

1. List at least 5 properties of manets that accentuate security vulnerabilities and explain how they impact security with examples.
2. List a set of features and how they can be used for anomaly detection on manets based on the following protocols:
   1. DSDV
   2. DSR
   3. AODV

Due 29th October?
FIN
Questions, Comments, Concerns…