Intrusion Detection Techniques for Mobile Wireless Networks Zhang, Lee, Yi-An Huang Presented by: Alex Singh and Nabil Taha.


Outline
1. Introduction
2. Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks
3. An Architecture for Intrusion Detection
4. Anomaly Detection in Mobile Ad-Hoc Networks
5. Experimental Results
6. Conclusion

Introduction
Rapid proliferation of wireless networks has changed the landscape of network security
Traditional firewalls and encryption software are no longer sufficient
New mechanisms are needed to protect wireless networks and mobile computing applications

Checklist
Examine vulnerabilities of wireless networks
Discuss intrusion detection in a security architecture for the mobile computing environment
Evaluate such an architecture through simulation experiments

Vulnerabilities of Wireless Networks
Wireless links leave the network susceptible to
  – Passive eavesdropping
  – Active interfering
Mobile nodes are capable of roaming independently
Decision-making in wireless networks relies on cooperative algorithms

Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks
Intrusion – Any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
Intrusion Prevention – Primary defense (i.e. passwords, biometrics)
Intrusion Detection Systems (IDSs) – Second wall of defense

Categories of IDSs
Network-based IDS – Runs at the gateway of a network and examines network packets that go through the network hardware interface
Host-based IDS – Relies on operating system audit data to monitor and analyze the events generated by programs or users on the host

Intrusion Detection Techniques
Misuse Detection – uses patterns of well-known attacks or weak spots to identify known intrusions
  – ex: password guessing; lock the account after 4 failed attempts
  – Lacks the ability to detect newly invented attacks
Anomaly Detection – flags activities that differ significantly from the established normal usage
  – ex: frequency of program usage much lower or much higher than normal usage
  – Does not need prior knowledge of attacks
  – High false positive rate

Problems with current IDSs
Fixed-infrastructure IDS techniques cannot be directly applied to mobile ad-hoc networks
  – They rely on real-time traffic analysis
  – For mobile ad-hoc networks this must be done at the system itself and not at a gateway, switch or router
Mobile users tend to adopt new operation modes such as disconnected operation

Questions for a Viable IDS
What is a good system architecture for building intrusion detection and response systems?
What are the appropriate audit data sources, and how do we detect anomalies based on partial, local audit traces?
What is a good model of activities in a mobile computing environment that can separate an anomaly from normalcy?

An Architecture for Intrusion Detection

IDS agent

Data Collection
Gathers streams of real-time audit data from various sources
Includes:
  – System activities
  – User activities
  – Communication activities by this node
  – Communication activities by other nodes within this radio range
This supports a multi-layered intrusion detection method

Local Detection
The local detection engine analyzes the local data traces gathered by the local data collection module for evidence of anomalies
Includes both misuse detection and anomaly detection

Cooperative Detection
Any node can initiate a response if it has strong enough evidence of intrusion
If the node only has weak or inconclusive evidence, it can warrant a broader investigation
Possible to detect intrusion even when evidence at individual nodes is weak

Intrusion Response
The type of intrusion response depends on:
  – Type of intrusion
  – Type of network protocols
  – Type of applications
  – Confidence (or certainty) in the evidence
Typical responses:
  – Re-initiate communication channels between nodes
  – Identify the compromised node and exclude it

Multi-Layer Integrated Intrusion Detection and Response
With wireless networks, there are vulnerabilities in multiple layers, so an intrusion detection module needs to be placed at each layer on each node
Need to coordinate intrusion detection and response efforts between layers
Enables us to analyze the attack scenario in its entirety

Anomaly Detection in Mobile Ad-Hoc Networks
Anomaly detection works on the premise that there is an intrinsic and observable characteristic of normal behavior that is distinct from that of abnormal behavior
We can use a classifier, trained using normal data, to predict what is normally the next event given the previous n events

Procedure for Anomaly Detection
1. Select audit data
2. Perform appropriate data transformation
3. Compute classifier using training data
4. Apply classifier to test data
5. Post-process alarms to produce intrusion reports

Attacks on Routing Protocols
Route Logic Compromise – Manipulating routing information
  – Misrouting: forwarding a packet to an incorrect node
  – False Message Propagation: distributing a false route update
Traffic Pattern Distortion – Changes default/normal traffic behavior
  – Packet dropping
  – Packet generation with a faked source address
  – Corruption of packet contents
  – Denial-of-service

Audit Data
Local routing information, including cache entries and traffic statistics
Position locator or GPS, which is assumed not to be compromised
Only local information is used, since remote nodes can be compromised

Feature Selection
Since we use classifiers as detectors, we need to select/construct features from the available audit data
A large feature set is first constructed to cover a wide range of behaviors
Several training runs are conducted, and features that occur more than a minimum threshold are selected into the Essential Feature Set

Classifier
Two classifiers were used in the study
RIPPER – A rule induction program; searches the given feature space and computes rules that separate data into the appropriate classes
SVM light – Support Vector Machine classifier; pre-processes the data to represent patterns in a much higher dimension than the given feature space

Post-processing
Choose a parameter l and let the window size be 2l+1
For a region in the current window, if there are more abnormal than normal predictions then the entire region is marked abnormal
Shift the window and repeat
Count all continuous abnormal regions as one intrusion session
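The window post-processing above, as an added Python illustration rather than code from the paper or the slides. It assumes the classifier output is one 0/1 prediction per audit record (1 = abnormal) and reads "the entire region is marked abnormal" as marking every record of a majority-abnormal window, both assumptions.

```python
from typing import List, Tuple

def smooth_predictions(preds: List[int], l: int) -> List[int]:
    """Majority-vote post-processing over a sliding window of size 2l+1.

    preds: per-record classifier output, 1 = abnormal, 0 = normal.
    The window slides one record at a time; when abnormal predictions
    outnumber normal ones, every record in that window is marked abnormal
    (assumed reading of "the entire region is marked abnormal").
    """
    n = len(preds)
    width = 2 * l + 1
    flags = [0] * n
    # Windows are clipped to the trace, so a short trace gets a single window.
    for start in range(0, max(n - width, 0) + 1):
        window = preds[start:start + width]
        abnormal = sum(window)
        if abnormal > len(window) - abnormal:
            for i in range(start, start + len(window)):
                flags[i] = 1
    return flags

def intrusion_sessions(flags: List[int]) -> List[Tuple[int, int]]:
    """Collapse each maximal run of abnormal records into one (first, last) session."""
    sessions: List[Tuple[int, int]] = []
    start = None
    for i, f in enumerate(flags):
        if f and start is None:
            start = i
        elif not f and start is not None:
            sessions.append((start, i - 1))
            start = None
    if start is not None:
        sessions.append((start, len(flags) - 1))
    return sessions

# Constructed sample: raw predictions for 13 audit records, with two nearby
# abnormal bursts (records 2 and 4-5) and one isolated alarm (record 10).
SAMPLE_PREDS = [0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0]

def report(preds: List[int] = SAMPLE_PREDS, l: int = 1) -> List[Tuple[int, int]]:
    """Run both stages and return the intrusion sessions found."""
    return intrusion_sessions(smooth_predictions(preds, l))

if __name__ == "__main__":
    # The two bursts merge into one session; the lone alarm is smoothed away.
    print(report())
```

With l = 0 the window is a single record, so no smoothing happens and every raw alarm becomes its own session; raising l trades isolated false positives for coarser session boundaries.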

Detecting Abnormal Updates to Routing Tables
The routing table contains at a minimum the next hop to each destination node and the distance
Physical movement is measured by distance and velocity
The routing table change is measured by the percentage of changed routes – PCR
And by the percentage of changes of all hops of all the routes – PCH

Computing Normal Profile
Denote PCR the class (i.e. concept), and distance, velocity, PCH, etc. the features describing the concept
Use n classes to represent the PCR values in n ranges; e.g. we can use 10 classes, each representing 10 percentage points, so that the trace data belongs to n classes
Apply a classification algorithm to the data to learn a classifier for PCR
Repeat the above for PCH, that is, learn a classifier for PCH
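An added Python example (not the authors' code) for the two slides above: it computes PCR and PCH from two routing-table snapshots and bins a percentage into the n classes used as concepts. It assumes a route is "changed" when its next hop or hop count differs or the route appears or disappears, and reads PCH as the relative change in the summed hop count; the snapshots are constructed.

```python
from typing import Dict, Tuple

# Routing table snapshot: destination -> (next_hop, hop_count)
RoutingTable = Dict[str, Tuple[str, int]]

def pcr(old: RoutingTable, new: RoutingTable) -> float:
    """Percentage of changed routes (PCR) between two snapshots.

    A route counts as changed when it appears, disappears, or its next hop
    or hop count differs (assumption); the denominator is the union of
    destinations seen in either snapshot.
    """
    dests = set(old) | set(new)
    if not dests:
        return 0.0
    changed = sum(1 for d in dests if old.get(d) != new.get(d))
    return 100.0 * changed / len(dests)

def pch(old: RoutingTable, new: RoutingTable) -> float:
    """Percentage of changes of all hops of all routes (PCH), read here as the
    relative change in the summed hop count (assumption)."""
    old_hops = sum(hops for _, hops in old.values())
    new_hops = sum(hops for _, hops in new.values())
    if old_hops == 0:
        return 0.0 if new_hops == 0 else 100.0
    return 100.0 * abs(new_hops - old_hops) / old_hops

def pct_class(value: float, n: int = 10) -> int:
    """Map a percentage to one of n equal-width classes; with n = 10 each
    class spans 10 percentage points. Values are clamped to [0, 100] because
    PCH can exceed 100% when the summed hop count more than doubles."""
    value = max(0.0, min(value, 100.0))
    return min(int(value * n / 100), n - 1)

# Constructed snapshots at one node: route to C re-homed, route to F newly learned.
OLD: RoutingTable = {"B": ("B", 1), "C": ("B", 2), "D": ("B", 3), "E": ("E", 1)}
NEW: RoutingTable = {"B": ("B", 1), "C": ("C", 1), "D": ("B", 3), "E": ("E", 1), "F": ("E", 2)}

def features(old: RoutingTable = OLD, new: RoutingTable = NEW) -> Dict[str, float]:
    """One training record: raw PCR/PCH plus the class labels the classifiers learn."""
    r, h = pcr(old, new), pch(old, new)
    return {"PCR": r, "PCH": h, "PCR_class": pct_class(r), "PCH_class": pct_class(h)}

if __name__ == "__main__":
    print(features())
```

The distance and velocity features from the position locator would be appended to the same record before training; they are omitted here since the slide does not define their units.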

Finding Anomalies
If abnormal data is not available, compute clusters of the deviation scores, where each score pair is a point (PCR, PCH); the outliers can then be considered anomalies

Detecting Abnormal Activities in Other Layers
Anomaly detection in other layers (MAC protocols, application, services, etc.) uses a similar approach
MAC protocols – form clusters using the deviations of the total number of channel requests and the total number of nodes making the requests during a time period s

Experimental Results

Discussion
Anomaly detection works much better on a routing protocol in which a degree of redundancy exists within the infrastructure
DSR embeds a whole source route in each packet dispatched
  – This makes it harder to hide an intrusion by faking a bit of routing information

Conclusions
Mobile wireless networks require different techniques to detect intrusions
Anomaly detection is a critical component of intrusion detection and response
Trace analysis and anomaly detection should be done locally and possibly through cooperation with all nodes in the network
The paper focused on ad-hoc routing protocols since they are the foundation of a mobile ad-hoc network

Conclusions – Routing Protocols
Use anomaly detection models constructed using information available from the routing protocols
Apply RIPPER and SVM Light to compute classifiers
Showed that these detectors in general have good detection performance, with SVM Light having better performance

Conclusions – Findings
They noted some disparity in security performance among different types of routing protocols
They claimed that protocols with strong correlation among changes of different types of information (location, track and routing messages) tend to have better detection performance
And on-demand protocols usually work better than table-driven protocols