Challenges in Intrusion Detection for Wireless Adhoc Networks - PowerPoint PPT Presentation
1
Challenges in Intrusion Detection for Wireless
Ad-hoc Networks
  • IEEE Workshop on Security and Assurance in Ad hoc
    Networks
  • P. Brutch and C. Ko
  • 2003/9/9
  • Presented by Lee Soo Jin

2
Contents
  • Introduction
  • Limitations of IDS solutions
  • Detection of Attacks
  • Against the Routing Infrastructure
  • Against Mobile Nodes
  • Architectures for Wireless Ad-hoc Networks
  • Example Anomaly-based approach
  • Intrusion Response in Wireless Ad-hoc Networks
  • Research Questions
  • Conclusions

3
Introduction(1/3)
  • Wireless Ad-hoc networks
  • Are wireless, mobile and created on demand
  • Do not rely on a pre-existing network
    infrastructure
  • Are characterized by wireless multi-hop
    communication
  • Have many operational limitations
  • Transmission range and bandwidth
  • Battery life
  • CPU and memory

4
Introduction(2/3)
  • The nature of wireless Ad-Hoc networks makes them
    very vulnerable to an adversary's malicious
    attacks
  • The use of wireless links renders a wireless
    Ad-Hoc network susceptible to attacks
  • Mobile nodes are autonomous units that are
    capable of roaming independently
  • Decision making in ad-hoc networks is usually
    decentralized
  • Many Ad-Hoc network algorithms rely on
    cooperative participation of all nodes
  • System constraints in mobile devices may cause
    problems in availability.
  • Low-power µ-processor, small memory and
    bandwidth, limited battery power
  • Radio jamming, battery exhaustion attack

5
Introduction(3/3)
  • Most Ad-Hoc routing protocols are cooperative in
    nature
  • An adversary who hijacks an ad-hoc node could
    paralyze the entire wireless network by
    disseminating false routing info
  • False routing information could result in
    messages from all nodes being fed to the
    compromised node
  • Intrusion prevention measures can be used in
    Ad-Hoc networks to reduce intrusions, but cannot
    eliminate them
  • Cryptography will not protect against a malicious
    inside node
  • Intrusion detection mechanisms are necessary to
    detect Byzantine nodes

6
Limitations of IDS Solutions
  • Ad-Hoc network does not have a fixed
    infrastructure
  • No traffic concentration points where the IDS can
    collect audit data for the entire network
  • Network topology changes dynamically
  • Difficult to rely on the existence of a
    centralized server to perform analysis and
    correlation
  • Wireless communication
  • The secure distribution of signatures may be
    difficult
  • Poor physical security
  • It may be difficult to physically secure a mobile
    host
  • There may not be a clear separation between
    normalcy and anomaly in wireless ad-hoc networks

7
Detection of Attacks Against the Routing
Infrastructure(1/2)
  • Solutions for fixed wired networks
  • Distributed probing
  • Directly sending to each router test packets that
    have a destination of the router performing the
    diagnosis
  • Principle of conservation of flow
  • WATCHERS runs on each router
  • Provides the capability to detect bad routers
    that drop or misroute packets
  • Statistical anomaly detection
  • Used to detect known and unknown attacks against
    the routing infrastructure
  • Short-term profile VS. Long-term profile
  • OSPF packet volume, OSPF packet type, Link-state
    advertisement age
  • Protocol analysis
  • The behavior of a routing protocol may be
    monitored with respect to a state transition
    diagram that models the protocol states
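
The short-term versus long-term profile comparison this slide lists for the wired routing infrastructure, as an added example that is not code from the presentation or from any of the systems it cites. It tracks one feature named on the slide, OSPF packet volume per interval, against a long-term baseline that is refreshed only from intervals judged normal, so a flood cannot pull the baseline towards itself. The sample counts, the 10-second interval, the window length and the 3-sigma threshold are constructed assumptions.

```python
# Added example (not from the slides): statistical anomaly detection of routing
# traffic by comparing a short-term profile with a long-term profile.  The
# measured feature (OSPF packets per interval), the window, the threshold and
# the sample counts are assumptions made for the illustration.
from statistics import mean, pstdev

# Constructed sample: OSPF packets seen per 10-second interval on one router.
TRAINING_COUNTS = [10, 12, 11, 9, 10, 11, 10, 12, 9, 11]   # assumed quiet period
TEST_COUNTS = [10, 11, 9, 12, 40, 55, 60]                  # constructed flood from index 4


class LongTermProfile:
    """Baseline over a long history; refreshed only with intervals judged normal,
    so an ongoing flood cannot drag the baseline towards itself."""

    def __init__(self, history):
        self.history = list(history)
        self.refresh()

    def refresh(self):
        self.mean = mean(self.history)
        # Floor the spread so a perfectly flat baseline does not flag tiny noise.
        self.std = max(pstdev(self.history), 1.0)

    def fold_in(self, x):
        self.history.append(x)
        self.refresh()


def short_term_mean(stream, i, window):
    """Short-term profile: mean of the last `window` intervals ending at index i."""
    return mean(stream[i - window + 1:i + 1])


def deviation(short_mean, long_term):
    """Distance between the two profiles in units of the long-term spread."""
    return (short_mean - long_term.mean) / long_term.std


def detect(training, stream, window=3, threshold=3.0):
    """Return the indices of intervals whose short-term profile deviates from the
    long-term profile by more than `threshold` standard deviations."""
    long_term = LongTermProfile(training)
    flagged = []
    for i in range(window - 1, len(stream)):
        z = deviation(short_term_mean(stream, i, window), long_term)
        if abs(z) > threshold:
            flagged.append(i)
        else:
            long_term.fold_in(stream[i])   # learn slowly, never from a suspect interval
    return flagged


if __name__ == "__main__":
    print("flagged intervals:", detect(TRAINING_COUNTS, TEST_COUNTS))
```

The long-term profile is deliberately not updated from flagged intervals; without that rule the attack traffic would become the new normal after a few windows, which is the "normal profile must be periodically updated" problem raised later in the talk.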

8
Detection of Attacks Against the Routing
Infrastructure(2/2)
  • Possible attacks for routing
  • Route disruption
  • Resource consumption
  • Specific Attacks
  • Location disclosure, Black hole, Replay attack,
    Wormhole
  • Solutions for wireless Ad-hoc networks
  • Watchdog
  • Control messages
  • Route Confirmation Request (CREQ), Route
    Confirmation Reply (CREP)
  • Neighborhood watch
  • CONFIDANT protocol
  • Uses a reputation system that rates nodes based
    on malicious behavior
  • Statistical anomaly detection

9
Detection of Attacks Against Mobile Nodes
  • Each mobile node should run some type of
    node-based IDS
  • Potential solution
  • Anomaly or specification-based detection on the
    system call
  • Anomaly detection
  • May be used to detect attacks against a network
    daemon or a set-user-ID (SUID) program
  • Normal profile must be periodically updated
  • Calculating deviations from the normal profile
    may impose a heavy load
  • Specification-based detection
  • Generated system calls are compared against a set
    of pre-defined constraints
  • Can be pre-loaded on mobile nodes prior to
    deployment to the field
  • Should not require any periodic updates in order
    to be effective
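
Specification-based detection of system calls, as an added example that is not code from the presentation. A pre-loaded specification lists the calls a program may issue and constrains their arguments; a trace is checked against it with no training phase and no profile to refresh. The program name `netd`, its specification and the trace events are constructed for the illustration.

```python
# Added example (not from the slides): specification-based detection of a mobile
# node's programs.  The specification says which system calls a program may issue
# and constrains their arguments; any event outside it is reported.  The program
# name, the constraints and the call trace are constructed assumptions.
from fnmatch import fnmatch

# Specification for a hypothetical SUID helper that only reads its own config and
# talks to the local logger over a Unix socket: anything else is a violation.
SPEC = {
    "netd": {
        "open": {"path": ["/etc/netd.conf", "/var/log/netd/*"],
                 "flags": {"O_RDONLY", "O_WRONLY|O_APPEND"}},
        "socket": {"domain": {"AF_UNIX"}},
        "connect": {"addr": ["/dev/log"]},
        "read": {}, "write": {}, "close": {}, "exit_group": {},
    }
}

# Constructed trace: (program, system call, arguments of interest).
TRACE = [
    ("netd", "open", {"path": "/etc/netd.conf", "flags": "O_RDONLY"}),
    ("netd", "read", {}),
    ("netd", "socket", {"domain": "AF_UNIX"}),
    ("netd", "connect", {"addr": "/dev/log"}),
    ("netd", "open", {"path": "/etc/shadow", "flags": "O_RDONLY"}),   # path outside the spec
    ("netd", "execve", {"path": "/bin/sh"}),                            # call not permitted at all
    ("netd", "exit_group", {}),
]


def _arg_ok(constraint, value):
    """A list constraint holds glob patterns (paths); a set constraint holds exact values."""
    if isinstance(constraint, list):
        return any(fnmatch(value, pattern) for pattern in constraint)
    return value in constraint


def check_trace(spec, trace):
    """Return (index, program, syscall, reason) for every event violating the spec."""
    violations = []
    for i, (prog, call, args) in enumerate(trace):
        allowed = spec.get(prog)
        if allowed is None:
            violations.append((i, prog, call, "no specification for program"))
            continue
        if call not in allowed:
            violations.append((i, prog, call, "system call not permitted"))
            continue
        for name, constraint in allowed[call].items():
            if name not in args or not _arg_ok(constraint, args[name]):
                violations.append((i, prog, call,
                                   f"argument {name}={args.get(name)!r} outside specification"))
                break
    return violations


if __name__ == "__main__":
    for violation in check_trace(SPEC, TRACE):
        print(violation)
```

The check is stateless per event, which is what makes it cheap enough for a battery-powered node: no deviation score is computed and nothing has to be relearned in the field. The price is that the specification has to be written by hand for each program shipped on the node.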

10
Architectures(1/3)
  • Stand-alone IDS architecture
  • Each host runs an IDS that independently detects
    attacks
  • Do not cooperate or share information with other
    systems
  • Watchdog mechanism
  • Distributed and Cooperative IDS architecture
  • Every node independently makes local intrusion
    detection decisions
  • Cooperatively participate in global intrusion
    detection
  • Difficult to derive a distributed consensus
  • CONFIDANT protocol
  • Nodes cooperate and share alarm messages with
    other nodes
  • Alarm messages are evaluated based on their
    trustworthiness
  • Hierarchical IDS architecture
  • Suitable for multi-layered, wireless ad-hoc
    networks
  • Threshold cryptography

11
Architectures(2/3)
  • Example Distributed and Cooperative IDS
    architecture

12
Architectures(3/3)
  • Example Distributed and Cooperative IDS
    architecture

13
Anomaly-based Approach [YZWL00] (1/2)
  • Detecting abnormal updates to routing tables
  • Main concern
  • Define the trace data to describe the normal
    updates of routing information
  • Use data on the node's physical movements and the
    corresponding change in its routing table as the
    basis of the trace data
  • Physical movements
  • Distance, Direction, Velocity
  • Routing table change
  • PCR: Percentage of Changed Routes
  • PCH: Percentage of Changes in the sum of Hops

14
Anomaly-based Approach [YZWL00] (2/2)
(Figure: training and test pipeline; only the labels survived extraction)
  • Training process: trace data → single data set →
    normal profiles and classification rules
  • Test process: activities → compute deviation
    (against the normal profiles) → deviation data →
    classification → normal or abnormal?
  • Example classification rule (comparison operators
    lost in extraction):
    If (distance0.01 and PCH 20) then PCR2 Else if ...
  • Example deviation data
    PCR   PCH   Class
    0.0   0.0   normal
    0.0   0.1   normal
    0.2   0.2   normal
    0.5   0.9   abnormal
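
Computing PCR and PCH from two routing-table snapshots and classifying the pair with rules that take the node's own movement into account, as an added example that is not code from the presentation or from [YZWL00]. Both features are given as fractions in [0, 1] to match the table above. The routing tables, the movement distances and the rule thresholds are constructed assumptions; the shape of the rules (a node that has not moved is allowed less routing change than one that has) is chosen for the illustration.

```python
# Added example (not from the slides or the [YZWL00] paper): PCR and PCH computed
# from successive routing-table snapshots, then classified with movement-aware
# rules.  Routing tables, distances and thresholds are constructed assumptions.

# A routing table maps destination -> (next hop, hop count).
OLD_TABLE = {"B": ("B", 1), "C": ("B", 2), "D": ("B", 3), "E": ("E", 1)}

# Constructed snapshots taken one interval later.
SMALL_CHANGE = {"B": ("B", 1), "C": ("C", 1), "D": ("B", 3), "E": ("E", 1)}   # C came into range
SUSPECT_CHANGE = {d: ("X", 1) for d in ("B", "C", "D", "E", "X")}             # X now claims every destination is 1 hop away


def pcr(old, new):
    """Percentage of Changed Routes: share of destinations (old or new) whose
    next hop or hop count differs, or that appeared or disappeared."""
    dests = set(old) | set(new)
    changed = sum(1 for d in dests if old.get(d) != new.get(d))
    return changed / len(dests) if dests else 0.0


def pch(old, new):
    """Percentage of Change in the sum of Hops, relative to the old sum."""
    old_sum = sum(hops for _, hops in old.values())
    new_sum = sum(hops for _, hops in new.values())
    return abs(new_sum - old_sum) / old_sum if old_sum else 0.0


# Classification rules, assumed for the illustration: the less the node moved,
# the less routing change is considered normal.  Rows are
# (max distance moved, max normal PCR, max normal PCH), checked in order.
RULES = [
    (0.01, 0.25, 0.30),          # practically stationary
    (0.10, 0.40, 0.50),          # moved a little
    (float("inf"), 0.70, 0.90),  # moved a lot: large route churn is expected
]


def classify(distance, pcr_value, pch_value):
    """Apply the first rule whose distance bound covers the observed movement."""
    for max_distance, max_pcr, max_pch in RULES:
        if distance <= max_distance:
            return "normal" if pcr_value <= max_pcr and pch_value <= max_pch else "abnormal"
    return "abnormal"


def classify_update(distance, old, new):
    """Build the feature pair from two snapshots and classify it."""
    return classify(distance, pcr(old, new), pch(old, new))


# The deviation-data rows from the slide, assuming the node did not move.
SLIDE_ROWS = [(0.0, 0.0), (0.0, 0.1), (0.2, 0.2), (0.5, 0.9)]

if __name__ == "__main__":
    for p, h in SLIDE_ROWS:
        print(p, h, classify(0.0, p, h))
    print("small change:", classify_update(0.05, OLD_TABLE, SMALL_CHANGE))
    print("suspect change:", classify_update(0.0, OLD_TABLE, SUSPECT_CHANGE))
```

The point of pairing the features with movement is that a node which has not moved has no legitimate reason for most of its routes to change at once; the same PCR value produced by a node that just crossed the network is unremarkable.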

15
Intrusion Response
  • Re-authentication
  • End users re-authenticate themselves using an
    out-of-bound mechanism
  • Negotiate a new communication channel to exclude
    compromised nodes
  • Path manager function of the CONFIDANT protocol
  • Delete path containing malicious node
  • Choose not to forward packets for nodes that have
    bad ratings
  • Hierarchical approach
  • Centralized certification / counter-certification
  • Only packets for authenticated nodes are
    forwarded
  • Isolate a suspected node by broadcasting a
    counter certificate
  • M out of N strategy

16
Research Questions
  • What is a good system architecture for building
    intrusion detection and response systems that
    fits the features of wireless Ad-Hoc networks?
  • What are the appropriate audit data sources?
  • How do we detect anomalies based on partial, local
    audit traces, if they are the only reliable audit
    source?
  • What is a good model of activities in a wireless
    communication environment that can separate
    anomaly when under attacks from the normalcy?

17
Conclusions
  • New techniques must be developed to make intrusion
    detection work better for the wireless ad-hoc
    environment
  • An architecture for better intrusion detection in
    wireless ad-hoc networks should be distributed and
    cooperative
  • Every node participates in intrusion detection
    and response
  • Individual IDS agents are placed on each and
    every node
  • Individual IDS agents collectively form the IDS
    system to defend the wireless ad-hoc network
  • Intrusion detection should take place in all
    networking layers in an integrated cross-layer
    manner

18
AODV-S(1/2)
  • Monitoring routing updates misbehavior
  • Detected by examining the correctness of routing
    updates
  • If the routing update is not correct, the RREP
    packet is dropped
  • Node S broadcasts a SID (single intrusion
    detection) packet to its neighbors
  • Monitoring packet forwarding misbehavior
  • Through overhearing the channel in promiscuous
    mode
  • Packet dropping detection
  • Use Watchdog technique
  • Use Drop_Time Drop_Bandwidth
  • Packet duplicating / network layer packet jamming
    detection
  • Utilize the information obtained by overhearing
    the channel
  • Use Duplicate_Bandwidth Sending_Bandwidth

19
AODV-S(2/2)
  • Distributed collaborative monitoring
  • Significantly improves the monitoring performance
  • Use m out of N strategy to cross-validate the
    monitoring results
  • Intrusion reaction
  • Use the polynomial secret sharing scheme
  • When a node has received m independent SID packets
    against the same node, it broadcasts a GID packet
  • The first node that receives k GID packets
    against the same node combines them and constructs
    a TREV packet signed by the SK
  • The TREV packet is flooded in the network
  • The neighbors of an attacker deem the links
    between them as broken and use the path
    maintenance mechanism to cancel out these links
  • Intrusion reaction process is triggered only once
    for each attacker or compromised node
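
The monitoring and reaction chain of the two AODV-S slides, as an added simulation that is not code from the presentation or from the AODV-S paper. A Watchdog verdict on a neighbour yields SID packets; a node that has collected m independent SIDs against the same suspect broadcasts a GID carrying its share of the group key SK; the first node holding k GID shares reconstructs SK by Lagrange interpolation over a polynomial secret sharing, signs a TREV and floods it, and every node then treats its link to the suspect as broken. The prime field, m, k, the node names, the Watchdog thresholds and the HMAC stand-in for the signature are assumptions; in particular, a deployment would use a public-key signature the whole network can verify, preferably produced by threshold signing without any single node ever reconstructing SK.

```python
# Added example (not from the slides or the AODV-S paper): a simulation of the
# reaction chain on the two AODV-S slides.  A Watchdog verdict yields SID packets;
# a node holding m independent SIDs against one suspect broadcasts a GID with its
# share of the group key SK; the first node with k GID shares reconstructs SK,
# signs a TREV and floods it once.  Field size, m, k, node names, Watchdog
# thresholds and the HMAC stand-in for the signature are assumptions.
import hashlib
import hmac
import random
from collections import defaultdict

P = 2**127 - 1   # prime modulus of the share polynomial (assumed parameter)

def watchdog_verdict(observations, drop_time, drop_bandwidth):
    """Watchdog: a packet handed to a neighbour counts as dropped if it was not
    overheard being forwarded within drop_time; dropped bytes per unit time above
    drop_bandwidth is misbehaviour (Drop_Time / Drop_Bandwidth semantics assumed).
    observations: list of (sent_at, size, forwarded_at or None)."""
    dropped = sum(size for sent_at, size, fwd_at in observations
                  if fwd_at is None or fwd_at - sent_at > drop_time)
    span = max(1.0, max(o[0] for o in observations) - min(o[0] for o in observations))
    return dropped / span > drop_bandwidth

def make_shares(secret, k, n, rng):
    """Shamir split: n points on a random degree k-1 polynomial; any k recover it."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    return {x: sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P for x in range(1, n + 1)}

DEMO_SECRET = 12345                                            # constructed demo key
DEMO_SHARES = make_shares(DEMO_SECRET, 3, 5, random.Random(1))  # 3-of-5 split of it

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from a dict {x: y} of at least k shares."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def sign_trev(sk, suspect):
    """Stand-in for signing the TREV with SK (a deployment would use a public-key
    signature every node can verify, ideally without reconstructing SK)."""
    return hmac.new(sk.to_bytes(16, "big"), f"TREV:{suspect}".encode(), hashlib.sha256).hexdigest()

class Network:
    """Broadcast medium where every packet reaches every node (assumed one-hop cluster)."""
    def __init__(self):
        self.nodes = {}
        self.trevs = defaultdict(list)   # suspect -> TREV tags that were flooded
    def broadcast_sid(self, monitor, suspect):
        for node in self.nodes.values():
            node.receive_sid(suspect, monitor)
    def broadcast_gid(self, suspect, share):
        for node in self.nodes.values():
            node.receive_gid(suspect, share)
    def flood_trev(self, suspect, tag):
        self.trevs[suspect].append(tag)
        for node in self.nodes.values():
            node.receive_trev(suspect)

class Node:
    def __init__(self, nid, share, m, k, net):
        self.nid, self.share, self.m, self.k, self.net = nid, share, m, k, net
        self.sids = defaultdict(set)    # suspect -> monitors that reported it
        self.gids = defaultdict(dict)   # suspect -> shares collected, {x: y}
        self.gid_sent, self.revoked, self.links = set(), set(), set()
        net.nodes[nid] = self
    def receive_sid(self, suspect, monitor):
        if suspect in self.revoked or suspect in self.gid_sent:
            return
        self.sids[suspect].add(monitor)             # only distinct monitors are independent
        if len(self.sids[suspect]) >= self.m:
            self.gid_sent.add(suspect)
            self.net.broadcast_gid(suspect, self.share)
    def receive_gid(self, suspect, share):
        if suspect in self.revoked:
            return
        self.gids[suspect][share[0]] = share[1]
        if len(self.gids[suspect]) >= self.k:       # enough shares: recover SK and react
            self.net.flood_trev(suspect, sign_trev(reconstruct(self.gids[suspect]), suspect))
    def receive_trev(self, suspect):
        self.revoked.add(suspect)                   # reaction happens once per attacker
        self.links.discard(suspect)                 # treat the link to it as broken

def run_scenario(monitors, m=3, k=3, n=5, suspect="X", seed=7):
    """n nodes holding shares of a random SK receive one SID per monitor, plus a
    duplicate from the first monitor that must not count as a second report."""
    rng = random.Random(seed)
    sk = rng.randrange(1, P)
    shares = make_shares(sk, k, n, rng)
    net = Network()
    for i in range(1, n + 1):
        Node(f"N{i}", (i, shares[i]), m, k, net).links.add(suspect)
    for monitor in list(monitors) + [monitors[0]]:
        net.broadcast_sid(monitor, suspect)
    return sk, net
```

Two details carry the slide's guarantees: SIDs are counted per distinct monitor, so one node repeating its report cannot reach m on its own, and a node that has already seen a TREV for a suspect ignores further SIDs and GIDs, so the reaction is triggered exactly once per attacker even though every node receives all the broadcasts.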