Vehicular Ad Hoc Networks Intrusion Detection System Based on BUSNet
Acknowledgement: A significant amount of material used here is taken from the research paper by Tian Daxin; Yunpeng Wang; Guangquan Lu; Guizhen Yu, "A vehicular ad hoc networks intrusion detection system based on BUSNet".
Prepared by: Akshay Vishwanathan, Varun Sharma, Shuchi Bajpai
Introduction
• Vehicular Ad Hoc Networks (VANETs) are gaining a lot of attention.
• Security is a major challenge due to the open wireless medium and dynamic topology.
• There are no centralized administration or control methods, because the nodes are mobile.
• Some efforts have been made to secure MANETs, such as the Secure Efficient Ad hoc Distance routing protocol (SEAD).
• These still cannot eliminate all attacks, especially internal or insider attacks.
• Intrusion prevention methods like authentication and encryption cannot eliminate them.
• Intrusion detection is an effective second wall of defense: a tool for determining whether unauthorized users are attempting to access, have already accessed, or have compromised the network.
• Dynamic topology and mobility introduce additional difficulty in setting up an intrusion detection system.
• This paper presents a novel intrusion detection architecture and anomaly detection method based on BUSNet.
BusNet
• The main properties of our method include:
  • The intrusion detection architecture is hierarchical.
  • Bus nodes are used to gather data.
  • No complex cluster-head algorithm is required to choose the cluster-head.
  • A neural network is used to learn the normal behavior of the network.
  • No expert knowledge is required for anomaly detection.
Related Works
• Some attack methods have been discussed and implemented in MANETs:
  • Wormhole attack:
    • Establishes a direct link between 2 nodes.
    • The attacker eavesdrops on messages at one end.
    • Tunnels them through the wormhole link and replays them at the other end.
    • Attackers can potentially disrupt routing or selectively drop packets.
  • Sybil attack:
    • Launched by forging multiple identities.
    • The attacker inserts bogus information into the network.
  • Denial of Service (DoS) attack:
    • Injects an unusually large amount of control or data packets into the network.
• Intrusion detection is still needed, as these do not deter attacks completely.
• 2 detection methods:
  • Monitoring based: uses Watchdog to detect the misbehaving nodes and the Pathrater method to help routing protocols avoid these nodes.
Related Works (Contd.)
• Pathrater, run by each node in the network, combines knowledge of misbehaving nodes with link reliability data to pick the route most likely to be reliable.
• CONFIDANT (Cooperation Of Nodes, Fairness In Dynamic Ad-hoc Networks)
  • Similar to Watchdog and Pathrater.
  • Nodes get information only about neighboring nodes that are within their radio range, and learn from them.
  • When a node finds a misbehaving node, it sends an alarm message to its trusted nodes.
• CORE
  • Based on a monitoring system and a reputation system. Like CONFIDANT, it monitors the nodes' behavior, and each node can receive a report from other nodes.
  • CORE allows only positive reports to be passed, so there is no chance for a node to maliciously spread negative information about other nodes.
  • Simple DoS is prevented.
Related Works (Contd.)
CLUSTERING:
• A promising approach to enhancing scalability in the face of frequently changing topology.
• The network is logically divided into clusters of nodes, each with a cluster-head. Nodes within a cluster elect a cluster-head, where the detection and monitoring agent is installed. The agent monitors packets sent by every member of its cluster.
• To maintain communication efficiency, cluster-heads are selected based on topology, connectivity, proximity, etc.
UAV-MBN Networks
• Three layers composed of three kinds of networking units with heterogeneous communication capability and computation power: the regular Ground Mobile Nodes, the Ground Mobile Backbone (MBN) Nodes, and the Unmanned Aerial Vehicle (UAV) nodes.
• MBN nodes act as cluster-heads.
• Nodes are categorized into 2 types, intrazone and interzone, based on simple geographic partition or cluster algorithms.
Intrusion Detection Based on the BUSNet
BUSNet & BAS are projects initiated to develop a system that would connect all the public service buses as nodes in an ad hoc network and use this network to provide a wide range of services for commuters.
• BUSNet is a virtual mobile backbone infrastructure that is constructed using public buses.
• As shown in the figure, the first layer is normal vehicles in the VANET, the second layer is buses, and the third layer is roadside communication infrastructure, such as access points.
Intrusion Detection Techniques
Classified into two categories:
1. Misuse Detection
2. Anomaly Detection
Misuse Detection
• Misuse detection looks for signatures of known attacks. Any matched activity is considered an attack. Examples: STAT and IDIOT (Intrusion Detection In Our Time).
• Misuse detection can detect known attacks effectively, though it usually cannot accommodate unknown attacks.
Anomaly Detection
• Anomaly detection models a user's behavior, and any significant deviation from normal behavior is considered the result of an attack.
• It can be effective against unknown or novel attacks, since no prior knowledge about specific intrusions is required.
• Anomaly detection systems tend to generate more false alarms than misuse detection systems.
Anomaly Detection System is Divided into 3 Main Parts:
• Feature Selection
• Model of Normal Behavior
• Comparison
Feature Selection
Feature selection is a critical part of building the normal behavior model and performing the comparison.
Model of Normal Behavior
We use machine learning techniques to come up with a model of normal behavior.
Comparison
A comparison is made between the existing characteristics of normal behavior and any abnormal behavior to look for distinctions.
Experiments
• The objective of the experiments is to determine the performance characteristics and effectiveness of the method.
• The experiments are conducted in the network simulator NS2.33. It includes simulation of wireless ad hoc network infrastructure, popular wireless ad hoc routing protocols (DSR, DSDV, AODV), and mobility scenario and traffic pattern generation.
• The simulation is based on the table shown below.
• The behavioral features of the network are obtained from the trace file using an awk program.
• First we get the packet delivery rate, which characterizes both the completeness and correctness of the routing protocol.
• Under the same scenario, the delivery rate (or ratio) of AODV, DSDV and DSR is shown below.
Continued
• After the network is stable, we detect anomalous behavior.
• To test the method in the same scenario, we perform a denial of service attack.
• When the attack appears, the delivery ratio of AODV, DSR and DSDV is shown below.
• While the attack is happening, the delivery ratio is very low.
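The delivery-ratio feature described in the Experiments slides, as an added example that is not from the paper or the slides: the slides use an awk program, while this sketch uses Python, and the trace lines are constructed in the NS2 old wireless trace layout. The function name and the 5-second window are assumptions.

```python
from collections import defaultdict

# Constructed sample in the NS2 old wireless trace layout:
# event time _node_ layer reason uid type size [mac] ------- [ip] ...
# Window 0 (0-5 s) is quiet; window 1 (5-10 s) mimics a flooded queue.
SAMPLE_TRACE = """\
s 1.000000000 _0_ AGT --- 0 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0] [0] 0 0
s 1.000000000 _0_ RTR --- 0 cbr 532 [0 0 0 0] ------- [0:0 3:0 30 1] [0] 0 0
r 1.020000000 _3_ AGT --- 0 cbr 532 [13a 3 1 800] ------- [0:0 3:0 29 3] [0] 2 0
s 2.000000000 _0_ AGT --- 1 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0] [1] 0 0
r 2.020000000 _3_ AGT --- 1 cbr 532 [13a 3 1 800] ------- [0:0 3:0 29 3] [1] 2 0
s 6.000000000 _0_ AGT --- 2 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0] [2] 0 0
D 6.010000000 _1_ IFQ --- 2 cbr 532 [13a 1 0 800] ------- [0:0 3:0 30 1] [2] 0 0
s 7.000000000 _0_ AGT --- 3 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0] [3] 0 0
r 7.030000000 _3_ AGT --- 3 cbr 532 [13a 3 1 800] ------- [0:0 3:0 29 3] [3] 2 0
s 8.000000000 _0_ AGT --- 4 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0] [4] 0 0
D 8.010000000 _1_ IFQ --- 4 cbr 532 [13a 1 0 800] ------- [0:0 3:0 30 1] [4] 0 0
s 9.000000000 _0_ AGT --- 5 cbr 512 [0 0 0 0] ------- [0:0 3:0 32 0] [5] 0 0
D 9.010000000 _1_ IFQ --- 5 cbr 532 [13a 1 0 800] ------- [0:0 3:0 30 1] [5] 0 0
"""


def delivery_ratio_by_window(trace_text, window=5.0, ptype="cbr"):
    """Return {window_index: delivered/sent} for application-layer packets."""
    sent = defaultdict(int)
    delivered = defaultdict(int)
    send_window = {}  # packet uid -> window in which the source sent it
    for line in trace_text.splitlines():
        f = line.split()
        # Only agent-layer (AGT) events count; RTR/MAC/IFQ lines are
        # per-hop records of the same packet and would inflate the totals.
        if len(f) < 8 or f[3] != "AGT" or f[6] != ptype:
            continue
        event, t, uid = f[0], float(f[1]), f[5]
        if event == "s":
            w = int(t // window)
            send_window[uid] = w
            sent[w] += 1
        elif event == "r" and uid in send_window:
            # Credit the delivery to the send window, once per uid.
            delivered[send_window.pop(uid)] += 1
    return {w: delivered[w] / sent[w] for w in sorted(sent)}


if __name__ == "__main__":
    for w, ratio in delivery_ratio_by_window(SAMPLE_TRACE).items():
        print(f"window {w}: delivery ratio {ratio:.2f}")
```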
Continued
• The anomaly intrusion method cannot classify the type of intrusion.
• If the behavioral value is greater than the threshold value, then we believe an intrusion happened.
• In the experiment we analyzed the effect of varying the intrusion threshold on system error.
• The neural network training and detection results of AODV, DSDV and DSR are shown below.
120,80-100,260-280
Continued
• The detection errors on AODV, DSR and DSDV are shown below.
• Detection performance is sensitive to the intrusion threshold.
• When the threshold value increases, false negative error increases while false positive error decreases.
• False negative error is more important in IDS, therefore we need to concentrate on the decrease of false negative errors with the change of the threshold value.
• The optimal threshold value for AODV, DSDV, and DSR is 0.2.
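The threshold trade-off described in the last two slides, as an added example that is not from the paper or the slides: scores above the threshold are flagged as intrusion, and the sweep shows false negatives rising and false positives falling as the threshold grows. The scores, the function names and the false-negative weight of 2 are assumptions; the scores are constructed stand-ins for the neural network's output, so the threshold selected here says nothing about the paper's result.

```python
# Constructed (behavioral_value, is_attack) pairs; not data from the paper.
SAMPLES = [
    (0.03, False), (0.05, False), (0.08, False), (0.12, False),
    (0.15, False), (0.18, False), (0.19, False), (0.22, False),
    (0.16, True), (0.24, True), (0.31, True), (0.38, True),
    (0.45, True), (0.52, True), (0.60, True), (0.71, True),
]


def error_rates(samples, threshold):
    """Return (false_positive_rate, false_negative_rate) for the rule
    'behavioral value > threshold means intrusion'."""
    normal = [v for v, is_attack in samples if not is_attack]
    attacks = [v for v, is_attack in samples if is_attack]
    fp = sum(v > threshold for v in normal) / len(normal)
    fn = sum(v <= threshold for v in attacks) / len(attacks)
    return fp, fn


def sweep(samples, thresholds, fn_weight=2.0):
    """Evaluate each threshold and pick the one with the lowest cost,
    where a missed attack counts fn_weight times a false alarm
    (assumed weighting, reflecting that false negatives matter more)."""
    rows = [(t, *error_rates(samples, t)) for t in thresholds]
    best = min(rows, key=lambda r: r[1] + fn_weight * r[2])
    return rows, best[0]


if __name__ == "__main__":
    rows, best = sweep(SAMPLES, [0.1, 0.2, 0.3, 0.4, 0.5])
    for t, fp, fn in rows:
        print(f"threshold {t:.1f}: false positive {fp:.3f}, false negative {fn:.3f}")
    print("lowest weighted error at threshold", best)
```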
Conclusion
• Authentication and encryption are the first line of defense.
• An IDS would help determine whether unauthorized users are attempting to access, have already accessed, or have compromised the network.
• The main characteristic of the BUSNet method is hierarchical anomaly detection based on mobile bus agents.
• The performance of the method is optimal when the threshold is 0.2, irrespective of the routing protocol used.
References
• Tian, Daxin; Yunpeng Wang; Guangquan Lu; Guizhen Yu, "A vehicular ad hoc networks intrusion detection system based on BUSNet," Future Computer and Communication (ICFCC), 2010 2nd International Conference on, vol. 1, pp. V1-225, V1-229, 21-24 May 2010.