1 / 26

A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks

A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks. Adrian P. Lauf , Richard A. Peters and William H. Robinson. April 2-3, 2008. Outline. Motivation Methods Results Application to SCADA. April 2-3, 2008. Outline. Motivation Methods Results

marlee
Download Presentation

A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  2. Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  3. Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  4. What is HybrIDS? • Hybrid, Distributed, Embedd-able IDS: (HybrIDS) • Identify deviant activity on ad-hoc network • Distributed implementation strategy • Utilize multiple detection strategies • Zero-knowledge phase • Calibration-based phase • Function on resource-constrained devices • Integrate with SCADA (Supervisory Control And Data Acquisition) networks "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  5. Why HybrIDS for SCADA? • SCADA implementations are becoming increasingly less localized • Wireless and IP-based networks present a significant security vulnerability • Sensor/Actuator nodes have no inherent security built in • Designed with scalability in mind "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  6. Why is HybrIDS different? • It is decentralized • Reduce dependence on a single system • Reduce power consumption • Reduce compute-intensive operations • Allows for group consensus decisions • Each unit maintains a model of the world • Reduces chance of tampering with a centralized system • It is resource constrained • Runs well on embedded Linux platforms • It is portable • Uses abstraction to eliminate context exclusivity • Coded in Java for enhanced portability • It is adaptable • HybrIDS can abstract many ad-hoc network scenarios: • Autonomous aircraft networks and avionic protocols (ADS-B) • Swarm-based microrobotics • Self-contained sensor nodes "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  7. What can HybrIDS do? • Identify single or multiple anomalies on an ad-hoc network • Adaptable to various attack configurations • DOS • Timed attacks • Command injection • Network disruption • Locate deviant nodes with zero prior knowledge of system architecture • Adapt to system changes in a scalable manner "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  8. Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  9. Simplifying by Abstraction • Node interactions classified by labels • Interaction histories recorded • Each node maintains action histories from its point of view • Abstraction permits context independence • Applicable to any system using predetermined actions April 2-3, 2008

  10. Why a hybrid approach? • Phase 1 requires no training data • Can isolate a single anomaly • Phase 2 requires training data • Can detect multiple anomalies • More flexible to system changes Phase 1 Phase 2 Time Progression April 2-3, 2008

  11. Detection Method: Maxima Analysis: Setup Labels • Histograms formed for each connected node • Node A will track B, C, and D. • Average system behavior obtained by averaging across observed nodes • Bins correspond to action labels • Data must be normalized to a distribution • E.g. Gaussian, Chi2 Nodes . . . . . Σ/(n-1) Avg. behavioral PDF for system April 2-3, 2008

  12. Maxima Detection Algorithm • Resultant vector yields approximate PDF • Find global maximum, exclude it • Identify, mark local maxima • Local maximum yields likely intrusion-motivated behaviors • Reverse-map this label to node with most frequent occurrence April 2-3, 2008

  13. Detection Method: Cross-correlation Labels Nodes . . . . . Σ/(n-1) Average PDF = Score 13 April 2-3, 2008

  14. Score Analysis • Average score is computed • Each score is compared to the average • Deviance determined by a threshold Suspected Deviant Node Mean Score Line Threshold Setting Score Threshold Bounds Node Number April 2-3, 2008

  15. Threshold Requirements • Threshold varies for each scenario • Representative of a percentage deviation required for suspicion of a node • Variability of thresholds is a weakness of CCIDS • Can cause generation of false positives • Reduced by selecting proper threshold • Minimal baseline threshold is possible – system may never converge April 2-3, 2008

  16. Required Thresholds for Proper Detection (CCIDS) • Deviant node pervasion yields linear change in threshold • Number of nodes has negligible impact on threshold requirements • 0.2 represents 100% deviation in this figure • Detects only nodes that vary significantly • 0.02 represents a 10% deviation • More sensitive to smaller node deviations April 2-3, 2008

  17. Selecting Detection Phases HybridState object determines if transition point has been reached If one of the results from CCIDS matches a suspected node from MDS, a match is considered found April 2-3, 2008

  18. Transitioning between phases • Increasing the deviant node pervasion requires more tuning cycles • Threshold adjusted once per tuning cycle • Figure represents an average for all node sizes • # transition cycles is independent of node cluster size April 2-3, 2008

  19. HybrIDS Implementation • Implemented in Java 5 (1.5) • Introduces Code Portability • ARM9 development board target • 2.73 KB memory footprint for a 35-agent system with 10 behaviors • MDS and CCIDS use a shared data structure • Storage footprint less than 46 KB • Flexible interface implementation • TCP/UDP for network interface • Disk-based access for simulation • RS-232/Serial interface possible April 2-3, 2008

  20. Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  21. Analysis of HybrIDS Performance • HybrIDS can reliably detect deviant nodes upto 22% pervasion • 25% pervasion and up removes element of determinacy • Scalability by percentage pervasion • Number of nodes in cluster does not affect scalability concerns • Graph includes total time – MDS, transition and CCIDS cycles April 2-3, 2008

  22. Operational Footprint • HybrIDS with its JVM uses 5MB of application memory (Linux 2.6.22) • Maximum power requirement is 5 watts + idle power of ARM9 platform "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  23. Outline • Motivation • Methods • Results • Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  24. HybrIDS and SCADA • HybrIDS is optimized for homogeneous ad-hoc networks • While heterogenous, SCADA contains homogeneous components that can exploit HybrIDS’s potential • HybrIDS can operate on RTU nodes within SCADA infrastructure "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  25. HybrIDS and SCADA (cont’d) • SCADA is migrating increasingly to vulnerable network infrastructures • WAN • WLAN • HybrIDS can be used to detect attack methods on these networks • DDOS and packet drops alter interaction request frequencies • Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

  26. Conclusion • HybrIDS provides a flexible IDS framework for ad-hoc networks • Distributed nature allows for seamless integration and reliability • Can easily integrate into existing frameworks, such as SCADA • Offers scalable performance for multiple anomaly detection ARM9 Development Platform "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

More Related