• 260 likes • 413 Views
A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks. Adrian P. Lauf , Richard A. Peters and William H. Robinson. April 2-3, 2008. Outline. Motivation Methods Results Application to SCADA. April 2-3, 2008. Outline. Motivation Methods Results
E N D
A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
What is HybrIDS? • Hybrid, Distributed, Embedd-able IDS: (HybrIDS) • Identify deviant activity on ad-hoc network • Distributed implementation strategy • Utilize multiple detection strategies • Zero-knowledge phase • Calibration-based phase • Function on resource-constrained devices • Integrate with SCADA (Supervisory Control And Data Acquisition) networks "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Why HybrIDS for SCADA? • SCADA implementations are becoming increasingly less localized • Wireless and IP-based networks present a significant security vulnerability • Sensor/Actuator nodes have no inherent security built in • Designed with scalability in mind "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Why is HybrIDS different? • It is decentralized • Reduce dependence on a single system • Reduce power consumption • Reduce compute-intensive operations • Allows for group consensus decisions • Each unit maintains a model of the world • Reduces chance of tampering with a centralized system • It is resource constrained • Runs well on embedded Linux platforms • It is portable • Uses abstraction to eliminate context exclusivity • Coded in Java for enhanced portability • It is adaptable • HybrIDS can abstract many ad-hoc network scenarios: • Autonomous aircraft networks and avionic protocols (ADS-B) • Swarm-based microrobotics • Self-contained sensor nodes "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
What can HybrIDS do? • Identify single or multiple anomalies on an ad-hoc network • Adaptable to various attack configurations • DOS • Timed attacks • Command injection • Network disruption • Locate deviant nodes with zero prior knowledge of system architecture • Adapt to system changes in a scalable manner "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Simplifying by Abstraction • Node interactions classified by labels • Interaction histories recorded • Each node maintains action histories from its point of view • Abstraction permits context independence • Applicable to any system using predetermined actions April 2-3, 2008
Why a hybrid approach? • Phase 1 requires no training data • Can isolate a single anomaly • Phase 2 requires training data • Can detect multiple anomalies • More flexible to system changes Phase 1 Phase 2 Time Progression April 2-3, 2008
Detection Method: Maxima Analysis: Setup Labels • Histograms formed for each connected node • Node A will track B, C, and D. • Average system behavior obtained by averaging across observed nodes • Bins correspond to action labels • Data must be normalized to a distribution • E.g. Gaussian, Chi2 Nodes . . . . . Σ/(n-1) Avg. behavioral PDF for system April 2-3, 2008
Maxima Detection Algorithm • Resultant vector yields approximate PDF • Find global maximum, exclude it • Identify, mark local maxima • Local maximum yields likely intrusion-motivated behaviors • Reverse-map this label to node with most frequent occurrence April 2-3, 2008
Detection Method: Cross-correlation Labels Nodes . . . . . Σ/(n-1) Average PDF = Score 13 April 2-3, 2008
Score Analysis • Average score is computed • Each score is compared to the average • Deviance determined by a threshold Suspected Deviant Node Mean Score Line Threshold Setting Score Threshold Bounds Node Number April 2-3, 2008
Threshold Requirements • Threshold varies for each scenario • Representative of a percentage deviation required for suspicion of a node • Variability of thresholds is a weakness of CCIDS • Can cause generation of false positives • Reduced by selecting proper threshold • Minimal baseline threshold is possible – system may never converge April 2-3, 2008
Required Thresholds for Proper Detection (CCIDS) • Deviant node pervasion yields linear change in threshold • Number of nodes has negligible impact on threshold requirements • 0.2 represents 100% deviation in this figure • Detects only nodes that vary significantly • 0.02 represents a 10% deviation • More sensitive to smaller node deviations April 2-3, 2008
Selecting Detection Phases HybridState object determines if transition point has been reached If one of the results from CCIDS matches a suspected node from MDS, a match is considered found April 2-3, 2008
Transitioning between phases • Increasing the deviant node pervasion requires more tuning cycles • Threshold adjusted once per tuning cycle • Figure represents an average for all node sizes • # transition cycles is independent of node cluster size April 2-3, 2008
HybrIDS Implementation • Implemented in Java 5 (1.5) • Introduces Code Portability • ARM9 development board target • 2.73 KB memory footprint for a 35-agent system with 10 behaviors • MDS and CCIDS use a shared data structure • Storage footprint less than 46 KB • Flexible interface implementation • TCP/UDP for network interface • Disk-based access for simulation • RS-232/Serial interface possible April 2-3, 2008
Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Analysis of HybrIDS Performance • HybrIDS can reliably detect deviant nodes upto 22% pervasion • 25% pervasion and up removes element of determinacy • Scalability by percentage pervasion • Number of nodes in cluster does not affect scalability concerns • Graph includes total time – MDS, transition and CCIDS cycles April 2-3, 2008
Operational Footprint • HybrIDS with its JVM uses 5MB of application memory (Linux 2.6.22) • Maximum power requirement is 5 watts + idle power of ARM9 platform "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
HybrIDS and SCADA • HybrIDS is optimized for homogeneous ad-hoc networks • While heterogenous, SCADA contains homogeneous components that can exploit HybrIDS’s potential • HybrIDS can operate on RTU nodes within SCADA infrastructure "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
HybrIDS and SCADA (cont’d) • SCADA is migrating increasingly to vulnerable network infrastructures • WAN • WLAN • HybrIDS can be used to detect attack methods on these networks • DDOS and packet drops alter interaction request frequencies • Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008
Conclusion • HybrIDS provides a flexible IDS framework for ad-hoc networks • Distributed nature allows for seamless integration and reliability • Can easily integrate into existing frameworks, such as SCADA • Offers scalable performance for multiple anomaly detection ARM9 Development Platform "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008