Intrusion Detection on Manets Kulesh Shanmugasundaram kulesh@cis.poly.edu
SYN
• SYN
• Overview of Manets
• Overview of IDS
• Problems of Current Techniques
• Research Challenges
• Proposed Solutions
• Conclusion
• FIN
Manets
• How Ad-Hoc is Ad-Hoc?
• No, really?
• Mechanics of Manets
  • Auto-configuration (zeroconf, ipng)
    • Nodes should be able to configure themselves when they join a “community” (e.g. choosing names, locating services)
    • The mechanics of configuration should be transparent to applications
  • Routing (manet)
    • Table driven vs. on-demand algorithms
    • Performance depends on topology, density, size, mobility, etc.
    • So, it is hard to agree upon a standard
  • Applications
    • We really don’t know
  • Security (manet)
    • Security of operations (e.g. integrity of routing mechanisms, etc.)
    • Physical security of nodes (e.g. lost devices, tampering, etc.)
    • Who is the weakest link? (the network is only as secure as its weakest link)
Vulnerabilities of Manets
• Vulnerabilities accentuated by the manet context
  • Access Control
    • Lack of physical boundary/packet boundary
    • Shared, open broadcast medium
    • E.g. IP masquerading, passive eavesdropping, DoS
• Vulnerabilities specific to manets
  • Trust
    • Lack of trust in the underlying infrastructure
    • Collaborative participation of networks is mandatory for routing and auto-configuration
    • E.g. Refusal of Service (RoS), emission of false information, sleep-deprivation torture, DoS on MAC, DAD
• Homework
  • List at least 5 properties of manets that accentuate security vulnerabilities.
  • Explain how they impact security, with examples.
Intrusion Detection Systems
• Attempt to detect intrusions on autonomous systems, e.g. computer networks
• Based on deployment
  • Host Based (HIDS) (e.g. ZoneAlarm)
    • Uses the host’s audit logs & visible traffic for intrusion detection
  • Network Based (NIDS) (e.g. NFR)
    • Uses substantial network traffic for intrusion detection
• Based on technique
  • Anomaly Detection (e.g. use of a normal profile)
  • Misuse Detection (e.g. use of attack signatures)
  • Specification Based (e.g. monitor invariants for violations)
  • Policy Based (e.g. monitor policy violations)
Requirements of an IDS on Manets
• Not introduce a new weakness
  • The anomaly detection system itself should not make the node weaker than it already is (e.g. listening in promiscuous mode)
• Need little in the way of system resources
  • In general, nodes on manets have stringent resource constraints (e.g. they may not be able to run complex detection algorithms)
• Have a proper response for detections
  • An IDS should not only detect but also respond to the detected intrusions, preferably without human intervention (e.g. modify the firewall to block attacking hosts, etc.)
• Be reliable
  • Fewer false positives, as there is no extensive crisis control infrastructure to handle alarms
• Interoperate with other IDS
  • Be able to collaborate with other nodes for detection or response (e.g. use standards)
Problems of Current Techniques
• Lack of traffic convergence points
  • Prohibits the use of NIDS, firewalls, policies, etc.
• Lack of available data at hosts
  • ID algorithms have to work with “partial and localized information” in and around the radio range of hosts
• Lack of communication among nodes
  • Disconnected operations
  • Location dependent computing
• Lack of standards
  • Lack of protocol standards
  • |signatures| = |protocols| * |vulnerabilities| * |topologies|
  • Lack of understanding of applications
Research Challenges [1]
• What is a good system architecture for building intrusion detection and response systems for manets?
• What are appropriate audit data sources?
• How do we detect anomalies based on partial, localized data, if they are the only reliable data sources?
• What is a good model of activities in a manet that can separate anomalous behaviour under attack from normalcy?
• Can we improve routing and zero-conf protocols to support intrusion detection systems?
Anomaly Detection In General
[Diagram: Data → Features → Learning Algorithm → Results]
1. Pick a learning algorithm
2. Pick some features
3. Train the algorithm
4. Test the algorithm
5. Tune the algorithm and features
6. Go to 3
Anomaly Detection on Manets
• Arguments for Anomaly Detection on Manets
  • One too many signatures to maintain for misuse detection systems
  • Keeping the signatures up to date is a bigger problem
  • Lack of centralized management and monitoring points makes policy based systems difficult; also, policies among communities may be incompatible
  • Specification based systems may work, but no one has tried it, AFAIK
• Arguments Against Anomaly Detection on Manets
  • There may not be a clear separation between normalcy and anomaly (e.g. emission of false routing information)
  • There may not be enough data for anomaly detection systems (e.g. disconnected operations, lack of communication in general)
  • Processing and memory requirements for anomaly detection are relatively high, and nodes may not be able to cope with them
  • Hasn’t proven itself useful in fixed networks (IMHO)
Proposed System Architecture
[Diagram: local data collection (system calls, communications, activities, etc.) → local detection engine → local response; the local engine also feeds a global detection engine → global response, which exchanges data with neighboring IDS agents over secure communication]
Anomaly Detection on Manets
• The Goal
  • Find the most useful (features, algorithm) pair for anomaly detection on manets, and use feedback to alter routing algorithms to better support anomaly detection
  • Results in the best combination of (routing, features, model)
• The Process
  • Choose a routing algorithm
  • Choose some features
  • Choose a modeling algorithm
  • Train and test the detection model, and refine the features
  • Feed back to alter the routing algorithm
Proposed Process
• PCR = Percentage of Changed Routes
• PCH = Percentage of Change of the sum of hops of all routes
• The training process simulates a diversity of normal situations, and trace data is gathered
• A detection model trained on this data can work on any node
• Computing the normal profile
  • Denote PCR the class
  • Also, denote distance, direction, velocity, and PCH the features
  • Use n classes to represent the PCR ranges
  • Apply a classification algorithm to learn a classifier for PCR
  • Repeat the process to learn a classifier for PCH
Classification Algorithm
• Given a set of features describing a concept, classification algorithms output classification rules (a.k.a. a classifier)
• For example, when using PCR as the class, given the features the output would be:
    if (distance < 0.5 && velocity < 3) PCR = 2
    else if (velocity > 5 && PCH < 10) PCR = 6
• Confidence = |condition && conclusion| / |condition|
• The classification rule sets of PCR and PCH together form the normal profile of the manet
Process of Anomaly Detection
• Training & Testing
  1. Feed the trace data to the classification algorithm
  2. Compute the confidence for all classification rules
  3. Compute the PCR and PCH deviation scores PCRD, PCHD
  4. Assign classes {normal, abnormal} for (PCHD, PCRD)
  5. Use a classification/clustering algorithm on (PCHD, PCRD, Class) to compute a classifier
  6. Refine the models
• Deviation (PCRD, PCHD) is measured by the confidence value of the violated classification rule
• The combination of classification algorithms from steps 2 and 5 is used on hosts for anomaly detection
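A toy version of the PCR/PCH normal-profile pipeline from the last three slides, added here as an illustration (not the authors' code): the trace records, the hand-written rules and the 3-class binning of PCR and PCH are all constructed, and the final threshold stands in for the second-stage classifier of step 5.

```python
# Constructed training trace (assumption: one record per sampling interval).
# distance/velocity are the node's mobility features, pch is the raw PCH value
# used as a feature, and pcr_class / pch_class are the PCR and PCH ranges
# binned into 3 classes (the slides' "n classes").
def rec(distance, velocity, pch, pcr_class, pch_class):
    return dict(distance=distance, velocity=velocity, pch=pch,
                pcr_class=pcr_class, pch_class=pch_class)

TRACE = [
    rec(0.2, 1.0, 5, 0, 0), rec(0.3, 2.0, 6, 0, 0), rec(0.4, 2.5, 8, 0, 0),
    rec(0.1, 1.5, 4, 0, 0), rec(0.6, 4.0, 12, 1, 1), rec(0.7, 3.5, 11, 1, 1),
    rec(0.8, 4.5, 14, 1, 1), rec(0.9, 6.0, 20, 2, 2), rec(0.95, 7.0, 25, 2, 2),
    rec(0.85, 6.5, 22, 1, 2),  # fast node with only moderate route churn
]

# Hand-written rules standing in for a rule learner's output:
# (condition on the features, target class attribute, concluded class).
RULES = [
    (lambda r: r["distance"] < 0.5 and r["velocity"] < 3, "pcr_class", 0),
    (lambda r: 0.5 <= r["distance"] < 0.85 and r["velocity"] < 5, "pcr_class", 1),
    (lambda r: r["velocity"] > 5 and r["pch"] >= 20, "pcr_class", 2),
    (lambda r: r["velocity"] < 3, "pch_class", 0),
    (lambda r: 3 <= r["velocity"] <= 5, "pch_class", 1),
    (lambda r: r["velocity"] > 5, "pch_class", 2),
]

def confidence(rule, trace):
    """Slide definition: |condition && conclusion| / |condition| over the trace."""
    cond, target, concl = rule
    matched = [r for r in trace if cond(r)]
    return sum(r[target] == concl for r in matched) / len(matched) if matched else 0.0

def deviation(record, rules=RULES, trace=TRACE):
    """(PCRD, PCHD): per target, the confidence of the strongest rule whose
    condition holds for the record but whose conclusion the record contradicts."""
    scores = {"pcr_class": 0.0, "pch_class": 0.0}
    for rule in rules:
        cond, target, concl = rule
        if cond(record) and record[target] != concl:
            scores[target] = max(scores[target], confidence(rule, trace))
    return scores["pcr_class"], scores["pch_class"]

def is_abnormal(record, threshold=0.9):
    """Stand-in for the learned (PCRD, PCHD) classifier: flag a record only when
    it violates a high-confidence rule (the threshold is an assumption)."""
    return max(deviation(record)) >= threshold
```

A barely moving node whose routing table suddenly churns violates rules of confidence 1.0 and is flagged, while the fast node that contradicts the weak (2/3) PCR rule is not.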
Process of Anomaly Detection
[Diagram: trace data → Classification Algorithm → deviation scores → Classification/Clustering Algorithm → Detection Model]
Multi-Layer Integrated IDS
• An obvious next step
Conclusion
• Discussed a common process for anomaly detection on manets
• Discussed an architecture for the system
• Anyone interested in furthering this work:
  • Find a realistic data set (DNE)
  • Brainstorm for a proper feature set
  • Pick a learning algorithm (lots of tools)
  • And the 3 T’s (train, test, tune)
  • Just don’t overfit or overtune
References
[1] Y. Zhang and W. Lee, “Intrusion Detection in Wireless Ad-Hoc Networks,” MobiCom 2000
[2] P. Albers, O. Camp, et al., “Security in Ad-Hoc Networks: A General Intrusion Detection Architecture Enhancing Trust Based Approaches,” International Workshop on Wireless Information Systems, 2002
[3] RFC 2460, IETF Standards Document, 1998
[4] RFC 2051, IETF Draft Document, 2000
[5] Zero Configuration Networking, Internet Draft, 2002
Homework
• List at least 5 properties of manets that accentuate security vulnerabilities, and explain how they impact security with examples.
• List a set of features and how they can be used for anomaly detection on manets based on the following protocols:
  • DSDV
  • DSR
  • AODV
• Due 29th October?
FIN Questions, Comments, Concerns…