Intrusion Detection Techniques for Mobile Wireless Networks - PowerPoint PPT Presentation

About This Presentation

Intrusion Detection Techniques for Mobile Wireless Networks


Intrusion Detection Techniques for Mobile Wireless Networks Authors: Yongguang Zhang, HRL Laboratories LLC, Malibu, California. Wenke Lee, College of Computing ... – PowerPoint PPT presentation

Number of Views:93
Avg rating:3.0/5.0
Slides: 32
Provided by: Vya2
Learn more at:


Transcript and Presenter's Notes

Title: Intrusion Detection Techniques for Mobile Wireless Networks

Intrusion Detection Techniques for Mobile
Wireless Networks
  • Authors
  • Yongguang Zhang, HRL Laboratories LLC, Malibu,
  • Wenke Lee, College of Computing, Georgia
    Institute of Technology.
  • Yi-An Huang, College of Computing, Georgia
    Institute of Technology.
  • Presenter
  • Narendra Pentakota

  • Problem Inadequacies of security systems for
    providing security for wireless and mobile
  • Motivation The mobility of wireless devices
    demand more resilient, stronger and effective
    security schemes.
  • Solution Design of IDS system for detecting
    intrusions into wireless networks and keep the
    wireless communications out of harms way.

  • Intrusion Unauthorized or unwanted access to
    restricted space.
  • Intrusion detection One or more security
    measures or devices used to detect and may be
    even prevent intrusion.

Types of IDS
  • Intrusion Detection involves
  • Capturing audit data.
  • Reasoning the evidence in the data to determine
    whether the system is under attack.
  • Types of IDS
  • Network based IDS data and packet flow
    inspection on the network edge.
  • Host based IDS Collect operating system audit
    data like event and system calls.

Intrusion Detection Techniques
  • Misuse based detection
  • Use patterns of well-known attacks or weak spots.
  • Accurate and efficient against known attacks.
  • Lacks the ability to detect a new attacks.
  • Anomaly based detection
  • Detect anomalies or abnormalities in the network
    or service usage.
  • Does not required prior knowledge of Intrusion.
  • May have high false positive rate.

Vulnerabilities of Mobile Wireless Networks.
  • The very advantage of its mobility leads to its
  • Possible attacks ranging from passive
    eavesdropping to active interference.
  • Communication infrastructure and communication
    topology different from wired communications.
  • Damages include loss of privacy, confidentiality,
    security etc...

Vulnerabilities of Mobile Wireless Networks
  • Autonomous nature, roaming independence.
  • Unprotected physical medium.
  • Node tracking is difficult.
  • Decentralized network infrastructure and decision
    making. Mostly rely on cooperative participation.
  • Susceptible to attacks designed to break the
    cooperative algorithms.

Vulnerabilities of Mobile Wireless Networks
  • Bandwidth and power constraints make conventional
    security measures inept to attacks that exploit
    applications relying on them.
  • Wireless networks involving base node
    communications (ex. access points) are vulnerable
    to DoS attacks like dis-association and
    de-authentication attacks.
  • No clear line of defense.

Problems with current IDS techniques
  • Current IDS techniques hugely rely on mounting
    defense measures on a common access or routing
    points like switches or routers.

Problems with current IDS techniques (cont..)
  • Wireless nodes in an ad-hoc network do not rely
    on any common access point. Thus current IDS
    techniques are not good enough.

Key design issues.
  • Build Intrusion detection and response system
    that fits the features of mobile ad-hoc networks.
    Should be both distributed and cooperative.
  • Choose appropriate data audit sources. Local
    audit data versus global audit data.
  • Separate normalcy from anomaly.

Architecture for Intrusion Detection.
  • Intrusion detection and response should be both
    distributed and cooperative to suite the needs of
    mobile adhoc networks.
  • Every node participates in intrusion detection
    and response.
  • Each node is responsible for detection and
    reporting of intrusions independently. All nodes
    can investigate into an intrusion event.

System View.
  • Individual IDS agents placed on the nodes
    collectively form the IDS system to defend the
    mobile ad-hoc network.

System view (cont..)
  • Data collection module is responsible for
    gathering local audit traces and activity logs.
  • Detection engine uses this data to detect local
  • Cooperative detection engines provide
    collaborations among IDS agents.
  • Both local and global response modules provide
    intrusion response actions.
  • Local response module triggers actions local to
    the node while the global one coordinates actions
    among neighboring nodes.
  • A secure communication module provides a high
    confidence communication channel among IDS agents.

IDS in Action
  • The following event are part of the design
    process of Intrusion detection and response of
    IDS agents.
  • Data collection
  • Local detection
  • Cooperative detection
  • Intrusion response
  • Multi-Layer integrated intrusion detection and

IDS architecture
IDS architecture (cont..)
  • The intrusion detection state information can
    range from a mere level-of-confidence value such
  • with p confidence, node A concludes from its
    local data that there is an intrusion
  • with p confidence, node A concludes from its
    local data and neighbor states that there is an
  • with p confidence, node A,B,C, collectively
    conclude that there is an intrusion
  • to a more specific state that list the
    suspects, like
  • with p confidence, node A concludes from its
    local data that node X has been compromised

A Distributed Intrusion Detection (cont..)
  • Intrusion response depends on the type of
    intrusion and varies with the type of network
    protocols and applications, and the confidence in
    the evidence. For ex.
  • Re-initialize communication channels between
    nodes (ex. force re-key).
  • Identifying the compromised nodes and
    re-organizing the network to preclude the
    compromised nodes.

Multi-Layered Integrated IDS
  • Intrusion detection and response modules are
    integrated into every layer of the node. For ex.
  • An anomaly detected at the routing layer is
    reported to the application layer and a
    re-authentication process is initiated.
  • An attack detected at the application layer is
    reported to the service and routing layers and
    also notify the incident to other nodes.

  • Information-Theoretic Branch of applied
    mathematics and engineering involving the
    quantification of information. Developed to find
    the fundamental limits on compressing and
    reliably communicating data.
  • Entropy Uncertainty involved in a variable. For
    ex. a fair coin flip will have less entropy than
    a roll of a die.
  • Classifier A mapping from a discrete feature
    space to a discrete set of labels.

Anomaly Detection in Mobile Ad-Hoc Networks.
  • Building an Anomaly Detection Model.
  • Differentiate normal from abnormal.
  • Use information-theoretic approaches to identify
    classifiers (with low entropy) and classification
    algorithms to build anomaly detection models.
  • When constructing such a classifier, feature with
    high information gain (or reduction in entropy)
    are needed.

Anomaly Detection in Mobile Ad-Hoc Networks
  • Building an anomaly detection module (cont..).
  • Select (or partition) audit data so that the
    normal dataset has low entropy.
  • Perform appropriate data transformation according
    to the entropy measures (for information gain).
  • Compute classifier using training data.
  • Apply the classifier to test data.
  • Post-process alarms to produce intrusion reports.

Anomaly Detection in Mobile Ad-Hoc Networks
  • Attack models
  • Route logic compromise.
  • Traffic pattern distortion
  • Audit data
  • Feature selection and essential feature set.
  • Classifier algorithms
  • RIPPER First-order Inductive rule learner.
  • SVM Known to reduce classification error.
  • Post-processing

Anomaly Detection in Mobile Ad-Hoc Networks
  • Detecting abnormal updates to routing tables.
  • Given set of training, testing and evaluation
    scenarios and modeling algorithms like RIPPER and
    SVM which routing protocol with potentially all
    its routing table information used, can result in
    better performing detection models, i.e.. what
    information should be included in the routing
    table to make intrusion detection effective?

Anomaly Detection in Mobile Ad-Hoc Networks
  • Detecting abnormal activities in other layers.

Routing Protocols
  • DSR Dynamic source routing protocol. Demand
    based source routing protocol.
  • AODV Ad-hoc On-demand Distance Vector. Demand
    based routing protocol capable of both unicast
    and multicast routing.
  • DSDV Destination-Sequenced Distance-Vector
    Routing. Table driven routing protocol. Routing
    based on sequence numbers.

Experimental Results
  • Wireless routing protocols were considered to
    implement anomaly detection process.
  • Dynamic source routing.
  • Ad-hoc on-demand distance-vector routing.
  • Destination-sequenced distance-vector routing.
  • These protocols were selected because they
    represent different types of ad-hoc wireless
    routing protocols, proactive and on-demand.

Experimental Results (cont..)
  • The feature set selected should reflect
    information from different sets like routing
    change, topological movements
  • Classification algorithms used
  • Induction based classifier, RIPPER.
  • A new SVM classifier, SVM_Light.
  • Five different test scripts are used to generate
    traces for simulation. Different test scenarios
  • Local features on Ad-hoc Protocols.
  • Detection performance in terms of detection rate
    and false alarm rates on DSR, AODV and DSDV.

Experimental Results (cont..)
  • It is observed that DSR tested with SVM_Light
    outperforms the other two a lot.
  • DSR and AODV are both on-demand protocols with
    path and pattern redundancy which help achieve a
    better detection performance.
  • High correlation among changes of traffic flow,
    routing activities and topological patterns are

  • Architecture for better intrusion detection in
    mobile computing environment should be both
    distributed and cooperative.
  • The paper also proves to a point that on-demand
    protocols work better than table driven protocols
    because the behavior of on-demand protocols
    reflects the correlation between traffic pattern
    and routing message flows.

  • Any Questions?
  • Any suggestions?
Write a Comment
User Comments (0)