Intrusion Detection Techniques in Mobile Ad Hoc and Wireless Sensor Networks - IEEE October 2007 CMSC Advanced Computer Networks Oleg Aulov CMSC Advanced Computer Networks Oleg Aulov

MANET and WSN  No wires, Limited battery life, Limited memory and processing capability  No base stations, Mobile nodes, Nodes relay data (act as routers)  Usually no centralized authority  Deployed in adverse or hostile environment  Prevention sec.-key distrib. Mgmt. schemes - doesn’t work once the node is compromised and the secrets leak. Insiders can cause greater damage.  No wires, Limited battery life, Limited memory and processing capability  No base stations, Mobile nodes, Nodes relay data (act as routers)  Usually no centralized authority  Deployed in adverse or hostile environment  Prevention sec.-key distrib. Mgmt. schemes - doesn’t work once the node is compromised and the secrets leak. Insiders can cause greater damage.

IDS-second line of defence  IDS - dynamically monitors the system to detect compromise of confidentiality, availability and integrity.  Two common types -  misuse based - stores database of known attacks  anomaly based - creates normal profile of system states or user behaviors (difficult to built, mobility challenges)  Specification based - manually developed specs, time-consuming  IDS - dynamically monitors the system to detect compromise of confidentiality, availability and integrity.  Two common types -  misuse based - stores database of known attacks  anomaly based - creates normal profile of system states or user behaviors (difficult to built, mobility challenges)  Specification based - manually developed specs, time-consuming

ID in MANET - attacks  Routing logic compromise - blackhole, routing update storm, fabrication,  Traffic Distortion - dropping, coruption, flooding  Others - rushing, wormhole, spoofing  Routing logic compromise - blackhole, routing update storm, fabrication,  Traffic Distortion - dropping, coruption, flooding  Others - rushing, wormhole, spoofing

MANET - Existing Research- Zhang et al  Agent attached to each node, performs ID & response individually  Unsupervised method to construct & select feature set (dist, velocity, # hops, etc)  Pattern classification problem - apply RIPPER(decision tree for rule induction) & SVM Light (support vector machine, when data cannot be classified by set of features) algorithms  Post Processing - to eliminate false alarms  Agent attached to each node, performs ID & response individually  Unsupervised method to construct & select feature set (dist, velocity, # hops, etc)  Pattern classification problem - apply RIPPER(decision tree for rule induction) & SVM Light (support vector machine, when data cannot be classified by set of features) algorithms  Post Processing - to eliminate false alarms

MANET - Existing Research Huang et al  Cross-Feature Analysis-learning based method to capture correlation patterns.  L featires - f1,f2,…,fL  fi - feature characterizing topology or route activities  Solve classification problem -  Create Set Ci:{f1,…,fi-1,fi+1,…,fL}, used to identify temporal correlation between one feature and all the other features.  Ci - very likely to predict in normal circumstances, very unlikely during attack  Cross-Feature Analysis-learning based method to capture correlation patterns.  L featires - f1,f2,…,fL  fi - feature characterizing topology or route activities  Solve classification problem -  Create Set Ci:{f1,…,fi-1,fi+1,…,fL}, used to identify temporal correlation between one feature and all the other features.  Ci - very likely to predict in normal circumstances, very unlikely during attack

MANET - Existing Research Huang and Lee  Collaboration with neighbors - broader ID range - more accurate, more information bout attacks  Cluster based detection scheme - FSM - Initial, Clique, Done, Lost Ad hoc On Demand Distance Vector (AODV) algorithm  EFSA - detect state and transition violations  Specification based approach, detects abnormal patterns and anomalous basic events.  Collaboration with neighbors - broader ID range - more accurate, more information bout attacks  Cluster based detection scheme - FSM - Initial, Clique, Done, Lost Ad hoc On Demand Distance Vector (AODV) algorithm  EFSA - detect state and transition violations  Specification based approach, detects abnormal patterns and anomalous basic events.

MANET - Existing Research Marti et al  Watchdog and Pathrater to identify and respond to routing misbehaviors.  Each node verifies that his data was forwarded correctly. DSR - dynamic source routing  Rate routes and use more reliable ones.  Watchdog and Pathrater to identify and respond to routing misbehaviors.  Each node verifies that his data was forwarded correctly. DSR - dynamic source routing  Rate routes and use more reliable ones.

MANET - Existing Research Tseng et al  Based on AODV - specification based ID  Detects run time violations  FSM - specify behaviors of AODV  Maintain RREP and RREQ messages  Based on AODV - specification based ID  Detects run time violations  FSM - specify behaviors of AODV  Maintain RREP and RREQ messages

MANET - Existing Research Sun et al  Use Markov Chains to characterize normal behaviors  Motivated by ZBIDS (zone based) - locally generated alerts inside the zone  Gateway Nodes - broadcast alerts within the zone  IDMEF (message exchange format) - presented to facilitate interoperability of IDS agents.  Use Markov Chains to characterize normal behaviors  Motivated by ZBIDS (zone based) - locally generated alerts inside the zone  Gateway Nodes - broadcast alerts within the zone  IDMEF (message exchange format) - presented to facilitate interoperability of IDS agents.

ID in WSN

Secure Localization  GPS not feasible  Utilization of beacon packets and beacon nodes  Du et al - utilize deployment knowledge to confirm beacon integrity  Liu et al - filter out malicious location references using  Mean square error  Compute inconsistency  Voting based location estimation  GPS not feasible  Utilization of beacon packets and beacon nodes  Du et al - utilize deployment knowledge to confirm beacon integrity  Liu et al - filter out malicious location references using  Mean square error  Compute inconsistency  Voting based location estimation

Secure Aggregation  Wagner - robust statistics for resilient aggregation, truncation, trimming  Yang - Secure Hop by Hop Aggregation Protocol (SDAP)  Divide and conquer  Commit and attest  Grubbs’ test Buttyan - RANSAC paradigm for resilient aggregation. maximum likehood estimation  Wagner - robust statistics for resilient aggregation, truncation, trimming  Yang - Secure Hop by Hop Aggregation Protocol (SDAP)  Divide and conquer  Commit and attest  Grubbs’ test Buttyan - RANSAC paradigm for resilient aggregation. maximum likehood estimation

Future Research Directions  Extended Kalman Filter Based Aggregation - light weight solution for estimation of neighbor monitoring features  Integration of Mobility and ID in MANET - consideration to use link change rate as an indication of mobility.  Collaboration of IDM and SMM (sys. Mon.) - to address a problem of detecting abnormal event vs. false alarm. - ask the surrounding nodes to confirm  Extended Kalman Filter Based Aggregation - light weight solution for estimation of neighbor monitoring features  Integration of Mobility and ID in MANET - consideration to use link change rate as an indication of mobility.  Collaboration of IDM and SMM (sys. Mon.) - to address a problem of detecting abnormal event vs. false alarm. - ask the surrounding nodes to confirm

Questions ???