
Evaluating the Usefulness of Watchdogs for Intrusion Detection in VANETs

Evaluating the Usefulness of Watchdogs for Intrusion Detection in VANETs. Written by: Jorge Hortelano, Juan Carlos Ruiz, & Pietro Manzoni. Presented by: Denise Blady, John Gerber, & Eric Lehner. VANETs – Vehicular Ad Hoc Networks.


Presentation Transcript


  1. Evaluating the Usefulness of Watchdogs for Intrusion Detection in VANETs Written by: Jorge Hortelano, Juan Carlos Ruiz, & Pietro Manzoni Presented by: Denise Blady, John Gerber, & Eric Lehner

  2. VANETs – Vehicular Ad Hoc Networks VANETs include vehicle-to-vehicle and roadside-to-vehicle networks. Many applications of the system are governmental, but they are more frequently being built into modern cars for better performance, or in some cases full automation. Used For: • On-board safety systems • real-time congestion and routing information • high-speed tolling and more...

  3. Motivation • Ad-Hoc networks must be robust to both changes in topology and malicious attacks. • Strong security has been considered optional in current protocol specifications • Many protocols assume NO malicious nodes – one attacking node can cause the whole network to fail!

  4. Attacks • Basic Plan: manipulate the sensitive information used among nodes to establish communication routes • External attacks: Injecting erroneous routing info, replaying old routing info, distorting routing info • Internal attacks: Malicious nodes via misuse of routing info, induce service failures • Temporal attacks: nodes that exhibit malicious behavior for a short time

  5. Routing Attacks Routing-disruption attacks are one of the main attacks performed on an ad hoc network. They can be categorized as two types: • Malicious: blackholes (all packets dropped), inserting loops/cycles to drain resources, greyholes (selected packets dropped). • Selfish: improves its own communications, with no intent of directly damaging other nodes. Uses the network but doesn’t help or cooperate with other nodes.

  6. Proposed Solution • Utilize a “watchdog” component in an IDS • Design, Implement, and Evaluate a real “watchdog” component that is: • Tested in a real network • Examined for tradeoffs between latency and ability to accurately detect attacks • Portable between different network protocols and hardware platforms

  7. Watchdog Theory • Main Idea: A watchdog is an IDS mechanism that listens to the packets traversing its neighborhood and monitors activity. • Uses the information collected in promiscuous mode to detect selfish/malicious nodes • Many systems use this idea, but act on the collected info differently • CON: Accuracy is limited by node mobility & collisions

  8. Watchdog Life Cycle • Read all the packets (promiscuous mode) • Define its neighborhood (IP/MAC addresses) • Detect an attacker • Utilizes resource saving (deleting old info) • Enter sleep mode randomly (saving energy)

  9. Watchdog Packet Processing • Receive a packet • If the IP address is unknown, add the node as a new neighbor • Determine if the packet should be forwarded (i.e. the receiving neighbor is not its final destination) • If the packet should be forwarded, it is kept in a buffer until it is seen being sent to the next hop • After the packet is forwarded, it is removed from the buffer and counts positively towards the neighbor trust value of the node that forwarded it • If the packet is not forwarded within a certain time frame, it is considered lost and counts negatively against the neighbor trust value of the node that didn’t forward it

  10. Detection Approach To detect malicious behavior, the watchdog: • listens to all network traffic • calculates the ratio (for each neighboring node) of packets that were received for forwarding, and packets that were actually forwarded • ratio is called neighbor trust level • Ideal trust level is 1 (or 100%) but that is not achieved in practice due to collisions and noise • An untrusted node has a ratio < 1 • How do we distinguish from real attacks? Threshold.

  11. Minimizing false watchdog detections • Utilizes a tolerance threshold, where a node is considered malicious if its degree of packet loss exceeds the threshold • For example, a tolerance threshold of 0.07 indicates that less than 7% loss is acceptable behavior • An alert is generated when the trust level of a particular node is less than (1 - tolerance threshold) What about false negatives? • Uses devaluation – older packets have decreased weight when calculating the trust level • This fights temporal attacks: a node that behaves well for a long time and then starts dropping packets is not shielded by its old good record
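Slides 9 through 11 together describe one algorithm: buffer every overheard packet a neighbor is supposed to forward, credit the neighbor when the forwarded copy is overheard, debit it when the timeout passes, compute a devalued forwarding ratio, and alert below (1 - tolerance). The following is an added example written for this page, not the authors' code. The frame representation, the 500 ms timeout, the per-sample devaluation factor, the "min_samples" guard against judging a neighbor on a handful of packets, and the traffic trace are all constructed assumptions; the 0.07 tolerance is the slide's own figure.

```python
"""Watchdog trust bookkeeping from slides 9-11 (added example, constructed trace).

Times are integer milliseconds so that timeout comparisons are exact.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One frame overheard in promiscuous mode (constructed representation)."""
    pkt_id: int     # identifies the same datagram across hops (e.g. src + IP id)
    tx: str         # address of the node that transmitted this frame
    next_hop: str   # address the frame is addressed to
    dst: str        # final destination of the datagram
    time: int       # capture timestamp in ms


class Watchdog:
    def __init__(self, me, timeout=500, tolerance=0.07, window=1000,
                 decay=0.999, min_samples=20):
        self.me = me
        self.timeout = timeout          # assumption: ms a neighbour gets to forward
        self.tolerance = tolerance      # slide 11: alert when trust < 1 - tolerance
        self.decay = decay              # devaluation per older sample (1.0 = none)
        self.min_samples = min_samples  # assumption: no verdict on very few packets
        self.neighbors = set()          # slide 8: learned neighbourhood
        self.pending = {}               # (pkt_id, next_hop) -> deadline (slide 9 buffer)
        # Bounded per-neighbour history, 1 = forwarded, 0 = lost.  The maxlen is the
        # "delete old info" resource saving of slide 8.
        self.history = defaultdict(lambda: deque(maxlen=window))
        self.first_alert = {}           # neighbour -> time of first alert

    def observe(self, pkt):
        """Process one overheard frame (slide 9)."""
        self._expire(pkt.time)
        for addr in (pkt.tx, pkt.next_hop):
            if addr != self.me:
                self.neighbors.add(addr)
        # The transmitter just forwarded a packet we were waiting on: credit it.
        key = (pkt.pkt_id, pkt.tx)
        if key in self.pending:
            del self.pending[key]
            self._record(pkt.tx, 1, pkt.time)
        # The next hop must forward the packet unless it is the final destination.
        if pkt.next_hop not in (self.me, pkt.dst):
            self.pending[(pkt.pkt_id, pkt.next_hop)] = pkt.time + self.timeout

    def flush(self, now):
        """Expire everything still buffered (call at the end of a trace)."""
        self._expire(now)

    def _expire(self, now):
        # Every buffered packet whose deadline has passed is a loss charged to
        # the neighbour that should have forwarded it.
        for key, deadline in sorted(self.pending.items(), key=lambda kv: kv[1]):
            if deadline > now:
                break
            del self.pending[key]
            self._record(key[1], 0, now)

    def _record(self, neighbor, outcome, now):
        self.history[neighbor].append(outcome)
        if (len(self.history[neighbor]) >= self.min_samples
                and neighbor not in self.first_alert
                and self.trust(neighbor) < 1 - self.tolerance):
            self.first_alert[neighbor] = now

    def trust(self, neighbor):
        """Devalued forwarding ratio (slides 10-11): the newest sample weighs 1,
        each older sample weighs `decay` times less than the one after it."""
        hist = self.history[neighbor]
        if not hist:
            return 1.0
        n = len(hist)
        num = den = 0.0
        for i, outcome in enumerate(hist):
            w = self.decay ** (n - 1 - i)
            num += w * outcome
            den += w
        return num / den


def simulate(relay, drops, n_packets=400, decay=0.999):
    """Constructed trace: watchdog A sends n packets to D through `relay`;
    drops(i) says whether the relay silently discards packet i."""
    wd = Watchdog("A", decay=decay)
    for i in range(n_packets):
        t = 100 * i                                         # one packet every 100 ms
        wd.observe(Packet(i, "A", relay, "D", t))           # A -> relay, overheard by A
        if not drops(i):
            wd.observe(Packet(i, relay, "D", "D", t + 10))  # relay -> D, overheard by A
    wd.flush(100 * n_packets + 1000)
    return wd


if __name__ == "__main__":
    cases = {"B": lambda i: False,            # honest relay
             "C": lambda i: i % 20 == 19,     # 5% collision-like loss, under threshold
             "M": lambda i: True}             # blackhole
    for node, drops in cases.items():
        wd = simulate(node, drops)
        print(node, round(wd.trust(node), 3), wd.first_alert.get(node))
    temporal = lambda i: i >= 300             # forwards 300 packets, then drops everything
    print("temporal, no devaluation:", simulate("T", temporal, decay=1.0).first_alert.get("T"))
    print("temporal, decay 0.99:", simulate("T", temporal, decay=0.99).first_alert.get("T"))
```

Running it shows the three effects the slides argue about: the honest relay keeps trust 1.0, the 5%-lossy relay never crosses the 0.93 line, the blackhole is alerted as soon as the sample floor is reached, and for the temporal attacker the devalued ratio (decay 0.99) raises the alert after 7 dropped packets where the plain ratio needs 23, because 300 earlier forwards keep propping it up.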

  12. Simulation Setup 5 total nodes (A,B,C,D,M) Runs an Ekiga client (VoIP app) on A and D M, the malicious node, runs on a fifth access point (AP) B and C act as APs M performs blackhole attacks on VoIP packets, so as to interrupt transmission of the call. Tested with routing protocols OLSR and AODV.

  13. Evaluation of Simulation Results • False positives • The greater the noise, the higher the tolerance threshold needs to be • AODV requires a smaller threshold than OLSR • False negatives • Using devaluation over the previous 10000 packets or more greatly decreases both false negatives and detection time.

  14. Comments • A more realistic experimental setup would have increased the usefulness of the results. (more nodes?) • How does it handle the hidden node problem? (how many nodes, and where should they be placed, to solve this issue?) • Monitor to see if the neighbor is dropping packets indiscriminately or just packets forwarded to a specific set of nodes – could be useful to decide which nodes are getting an advantage, as they may themselves be malicious • Packet timeout value – how does this affect false readings?
