Evaluating the Usefulness of Watchdogs for Intrusion Detection in VANETs
Written by: Jorge Hortelano, Juan Carlos Ruiz, & Pietro Manzoni
Presented by: Denise Blady, John Gerber, & Eric Lehner
VANETs – Vehicular Ad Hoc Networks
VANETs include vehicle-to-vehicle and roadside-to-vehicle networks. Many applications of the system are governmental, but they are being implemented more frequently in modern cars for better performance or, in some cases, full automation.
Used for:
• In-board safety systems
• Real-time congestion and routing information
• High-speed tolling and more...
Motivation
• Ad hoc networks must be robust to both changes in topology and malicious attacks.
• Strong security has been considered optional in current protocol specifications.
• Many protocols assume NO malicious nodes – one attacking node can cause the whole network to fail!
Attacks
• Basic plan: manipulate the sensitive information used among nodes to establish communication routes
• External attacks: injecting erroneous routing info, replaying old routing info, distorting routing info
• Internal attacks: malicious nodes misuse routing info to induce service failures
• Temporal attacks: nodes that exhibit malicious behavior only for a short time
Routing Attacks
Routing-disruption attacks are one of the main attacks performed on an ad hoc network. They can be categorized as two types:
• Malicious: blackholes (all packets dropped), greyholes (selected packets dropped), inserting loops/cycles to drain resources.
• Selfish: improves its own communications, with no intent of directly damaging other nodes. Uses the network but doesn't help or cooperate with other nodes.
Proposed Solution
• Utilize a "watchdog" component in an IDS
• Design, implement, and evaluate a real "watchdog" component that is:
  • Tested in a real network
  • Examined for tradeoffs between latency and ability to accurately detect attacks
  • Portable between different network protocols and hardware platforms
Watchdog Theory
• Main idea: a watchdog is an IDS mechanism that listens to the packets traversing its neighborhood and monitors activity.
• Uses info collected in promiscuous mode to detect selfish/malicious nodes
• Many use this idea, but act on the collected info differently
• CON: accuracy limited due to node mobility & collisions
Watchdog Life Cycle
• Read all the packets (promiscuous mode)
• Define its neighborhood (IP/MAC addresses)
• Detect an attacker
• Save resources (delete old info)
• Enter sleep mode randomly (save energy)
Watchdog Packet Processing
• Receive a packet
• If the IP address is unknown, add the node as a new neighbor
• Determine if the packet should be forwarded
• If the packet should be forwarded, it is kept in a buffer until it's sent to the next hop
• After the packet is forwarded, it is removed from the buffer and counts positively towards the neighbor trust value of the node that forwarded it
• If the packet is not forwarded within a certain time frame, it is considered lost and counts negatively against the neighbor trust value of the node that didn't forward it
Detection Approach
To detect malicious behavior, the watchdog:
• listens to all network traffic
• calculates, for each neighboring node, the ratio of packets actually forwarded to packets received for forwarding
• this ratio is called the neighbor trust level
• The ideal trust level is 1 (or 100%), but that is not achieved in practice due to collisions and noise
• An untrusted node has a ratio < 1
• How do we distinguish real attacks from ordinary loss? With a threshold.
Minimizing False Watchdog Detections
• Utilizes a tolerance threshold: a node is considered malicious if its degree of packet loss exceeds the threshold
• For example, a tolerance threshold of .07 indicates that less than 7% loss is acceptable behavior
• An alert is generated when the trust level of a particular node is less than (1 - tolerance threshold)
What about false negatives?
• Uses devaluation – older packets have decreased weight when calculating the trust level
• This counters temporal attacks
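The packet-processing steps, the trust-level ratio and the tolerance/devaluation rule from the slides above, worked through in code. This is an added example written for these notes, not code from the paper or its authors. It assumes a single watchdog that overhears every frame among nodes A, B, C and D, a 0.5 s forwarding timeout, a per-packet devaluation factor of 0.95, a 2000-observation history cap, and a constructed traffic trace in which B forwards 500 VoIP packets and then blackholes the next 30 (a temporal attack) while honest node C loses every 50th packet to collisions; only the 0.07 tolerance is the slides' own figure. Running it with devaluation disabled (factor 1.0) shows the false negative the slides raise: the plain forwarded/received ratio 500/530 stays above the 0.93 alert line, whereas with devaluation the recent drops dominate and B is flagged while C is not.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Watchdog:
    """Promiscuous-mode watchdog keeping a trust level per neighbor.

    All defaults are assumptions for this example except tolerance=0.07,
    which is the slides' worked figure (<7% loss is acceptable behavior).
    """
    tolerance: float = 0.07      # alert when trust level < 1 - tolerance
    timeout: float = 0.5         # seconds a buffered packet may wait before it counts as lost (assumed)
    devaluation: float = 0.95    # weight multiplier per step of packet age; 1.0 gives the plain ratio (assumed)
    window: int = 2000           # observations kept per neighbor; older info is deleted (assumed)
    neighbors: Set[str] = field(default_factory=set)
    # (neighbor expected to forward, packet id) -> time the packet was buffered
    pending: Dict[Tuple[str, int], float] = field(default_factory=dict)
    # neighbor -> forwarded? per observed packet, oldest first
    history: Dict[str, List[bool]] = field(default_factory=dict)

    def overhear(self, now: float, pkt_id: int, sender: str, next_hop: str, dst: str) -> None:
        """Process one frame heard in promiscuous mode: sender -> next_hop, final destination dst."""
        # Unknown address: add the node as a new neighbor.
        self.neighbors.add(sender)
        self.neighbors.add(next_hop)
        # The sender is re-transmitting a packet we buffered for it: it was
        # forwarded, so remove it from the buffer and count it positively.
        key = (sender, pkt_id)
        if key in self.pending:
            del self.pending[key]
            self._record(sender, True)
        # A next hop that is not the final destination is expected to forward
        # the packet: buffer it and wait for the re-transmission.
        if next_hop != dst:
            self.pending[(next_hop, pkt_id)] = now
        self.expire(now)

    def expire(self, now: float) -> None:
        """Packets not forwarded within the timeout are considered lost (negative count)."""
        for key, buffered_at in list(self.pending.items()):
            if now - buffered_at > self.timeout:
                del self.pending[key]
                self._record(key[0], False)

    def _record(self, neighbor: str, forwarded: bool) -> None:
        obs = self.history.setdefault(neighbor, [])
        obs.append(forwarded)
        del obs[:-self.window]   # resource saving: delete old info

    def trust_level(self, neighbor: str) -> float:
        """Forwarded/received ratio with older packets devalued; 1.0 is ideal."""
        obs = self.history.get(neighbor, [])
        if not obs:
            return 1.0
        total = forwarded = 0.0
        for age, ok in enumerate(reversed(obs)):   # age 0 = most recent packet
            weight = self.devaluation ** age
            total += weight
            forwarded += weight * ok
        return forwarded / total

    def is_suspicious(self, neighbor: str) -> bool:
        return self.trust_level(neighbor) < 1.0 - self.tolerance

    def alerts(self) -> List[str]:
        return sorted(n for n in self.neighbors if self.is_suspicious(n))


def run_scenario(devaluation: float) -> Watchdog:
    """Constructed trace (not measured data): A and D exchange VoIP packets at 50 pkt/s.

    A -> B -> D: B forwards the first 500 packets, then blackholes the remaining 30.
    D -> C -> A: C forwards everything except every 50th packet (collision loss).
    """
    wd = Watchdog(devaluation=devaluation)
    now = 0.0
    for pkt in range(530):
        now += 0.02
        wd.overhear(now, pkt, "A", "B", "D")                 # A hands the packet to B for D
        if pkt < 500:
            wd.overhear(now + 0.001, pkt, "B", "D", "D")     # B re-transmits it to D
        rid = 10_000 + pkt                                    # distinct ids for the reverse direction
        wd.overhear(now + 0.005, rid, "D", "C", "A")
        if pkt % 50 != 49:
            wd.overhear(now + 0.006, rid, "C", "A", "A")
    wd.expire(now + 10.0)   # end of trace: anything still buffered has timed out
    return wd


if __name__ == "__main__":
    for dev in (1.0, 0.95):
        wd = run_scenario(dev)
        print(f"devaluation={dev}: trust(B)={wd.trust_level('B'):.3f} "
              f"trust(C)={wd.trust_level('C'):.3f} alerts={wd.alerts()}")
```

The devaluation factor sets an effective memory of roughly 1/(1 - factor) packets, so a small factor catches short attacks quickly but also makes a burst of honest collision loss look worse; the slides' observation that noisier links need a higher tolerance threshold follows directly from this trade-off.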
Simulation Setup
• 5 total nodes (A, B, C, D, M)
• A and D run an Ekiga client (VoIP app)
• B and C act as access points (APs)
• M, the malicious node, runs on a fifth AP
• M performs blackhole attacks on VoIP packets so as to interrupt transmission of the call
• Tested with routing protocols OLSR and AODV
Evaluation of Simulation Results
• False positives
  • The greater the noise, the higher the tolerance threshold needs to be
  • AODV requires a smaller threshold than OLSR
• False negatives
  • Using devaluation over the previous 10000 packets or more greatly decreases false negatives and detection time
Comments
• A more realistic experimental setup would have increased the usefulness of the results (more nodes?)
• How does it handle the hidden node problem? (How many nodes, and where should they be placed, to solve this issue?)
• Monitor whether the neighbor is dropping packets indiscriminately or just packets forwarded to a specific set of nodes – this could be useful to decide which nodes are gaining an advantage, as they may themselves be malicious
• Packet timeout value – how does this affect false readings?