TRUST, Berkeley Meetings, March 19-21, 2007
A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks
Adrian P. Lauf, Richard A. Peters and William H. Robinson
April 2-3, 2008
Outline
- Motivation
- Methods
- Results
- Application to SCADA
What is HybrIDS?
Hybrid, Distributed, Embeddable IDS (HybrIDS):
- Identifies deviant activity on an ad hoc network
- Distributed implementation strategy
- Uses multiple detection strategies
  - Zero-knowledge phase
  - Calibration-based phase
- Functions on resource-constrained devices
- Integrates with SCADA (Supervisory Control And Data Acquisition) networks
Why HybrIDS for SCADA?
- SCADA deployments are becoming increasingly geographically distributed rather than localized
- Wireless and IP-based networks expose them to significant security vulnerabilities
- Sensor/actuator nodes have no inherent security built in
- HybrIDS is designed with scalability in mind
Why is HybrIDS different?
- It is decentralized
  - Reduces dependence on a single system
  - Reduces power consumption and compute-intensive operations
  - Allows for group consensus decisions
  - Each unit maintains its own model of the world, which reduces the chance of tampering with a centralized system
- It is built for resource-constrained devices
  - Runs well on embedded Linux platforms
- It is portable
  - Uses abstraction to eliminate context exclusivity
  - Coded in Java for enhanced portability
- It is adaptable: HybrIDS can abstract many ad hoc network scenarios
  - Autonomous aircraft networks and avionic protocols (ADS-B)
  - Swarm-based microrobotics
  - Self-contained sensor nodes
What can HybrIDS do?
- Identify single or multiple anomalies on an ad hoc network
- Adapt to various attack configurations
  - DoS
  - Timed attacks
  - Command injection
  - Network disruption
- Locate deviant nodes with zero prior knowledge of the system architecture
- Adapt to system changes in a scalable manner
Methods
Simplifying by Abstraction
- Node interactions are classified by labels
- Interaction histories are recorded
  - Each node maintains action histories from its own point of view
- Abstraction permits context independence
  - Applicable to any system using a predetermined set of actions
[Figure: nodes exchanging labelled interactions, Action 1 ... Action n-1, Action n]
Why a hybrid approach?
- Phase 1 (zero-knowledge maxima detection, MDS)
  - Requires no training data
  - Can isolate a single anomaly
- Phase 2 (calibration-based cross-correlation, CCIDS)
  - Requires training data
  - Can detect multiple anomalies
  - More flexible to system changes
[Figure: Phase 1 runs first and hands over to Phase 2 as time progresses]
Detection Method: Maxima Analysis: Setup
- A histogram is formed for each connected node
  - Node A tracks B, C, and D
- Bins correspond to action labels
- Average system behavior is obtained by averaging across the observed nodes (Σ/(n-1))
- Data must be normalized to a distribution
  - E.g. Gaussian, Chi-squared (χ²)
[Figure: per-node histograms (labels × nodes) averaged by Σ/(n-1) into the average behavioral PDF for the system]
Maxima Detection Algorithm
- The resultant vector yields an approximate PDF
- Find the global maximum and exclude it
- Identify and mark the local maxima
- A local maximum yields likely intrusion-motivated behaviors
- Reverse-map this label to the node with the most frequent occurrence of it
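A worked implementation of the maxima analysis on the two slides above, written for this page as an added example; it is not the HybrIDS code. The action labels, the four observed histories, the "req"-flooding behaviour of node D, and the use of plain frequency normalisation in place of a fitted Gaussian or χ² distribution are all assumptions made here:

```python
"""Phase 1 of HybrIDS, Maxima Detection (MDS), reconstructed from the slides.

Added example, not code from the HybrIDS project.  Node A observes nodes
B, C, E and D and keeps one action history per observed node.  The labels,
the histories and the "req"-flooding behaviour of D are constructed data.
"""
from collections import Counter

# Assumed action labels.  Bin order matters: local maxima are taken over
# neighbouring bins of the histogram, so the label order is part of the model.
LABELS = ["hello", "req", "ack", "data", "bye"]


def _actions(counts):
    """Expand per-label counts into a flat action history (constructed data)."""
    return [label for label, c in zip(LABELS, counts) for _ in range(c)]


# Histories as seen from node A.  B, C and E behave alike; D floods "req".
HISTORIES = {
    "B": _actions([2, 1, 4, 10, 2]),
    "C": _actions([2, 1, 5, 9, 2]),
    "E": _actions([3, 1, 3, 10, 2]),
    "D": _actions([1, 12, 2, 3, 1]),
}


def histogram(actions, labels=LABELS):
    """Normalised per-label frequency of one observed node's history."""
    counts = Counter(actions)
    total = sum(counts[l] for l in labels) or 1
    return {l: counts[l] / total for l in labels}


def average_pdf(histories, labels=LABELS):
    """Average behaviour across the n-1 observed nodes (the slide's sum/(n-1);
    the observer does not count itself).  Plain frequency normalisation is
    used here instead of fitting a Gaussian or chi-squared distribution."""
    hists = [histogram(h, labels) for h in histories.values()]
    return {l: sum(h[l] for h in hists) / len(hists) for l in labels}


def mds_detect(histories, labels=LABELS):
    """Return [(label, suspect_node)] for every local maximum of the average
    PDF other than the global maximum.  The global maximum is the dominant
    normal behaviour; a secondary peak is a behaviour over-represented by
    some node, which is reverse-mapped to the node emitting it most often."""
    avg = average_pdf(histories, labels)
    v = [avg[l] for l in labels]
    g = max(range(len(v)), key=v.__getitem__)            # global maximum bin
    suspects = []
    for i, label in enumerate(labels):
        if i == g:
            continue                                      # exclude global max
        left = v[i - 1] if i > 0 else float("-inf")
        right = v[i + 1] if i + 1 < len(v) else float("-inf")
        if v[i] > left and v[i] > right:                  # strict local maximum
            node = max(histories, key=lambda n: Counter(histories[n])[label])
            suspects.append((label, node))
    return suspects


if __name__ == "__main__":
    print(average_pdf(HISTORIES))
    print(mds_detect(HISTORIES))   # [('req', 'D')]
```

With these histories the average PDF peaks at "data" (the excluded global maximum) and has one secondary peak at "req", which reverse-maps to D. Note that the single-anomaly limitation of phase 1 follows directly from this construction: two deviant nodes flooding the same label collapse into one peak and only the more frequent emitter is named.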
Detection Method: Cross-correlation
[Figure: each node's label histogram (labels × nodes) is cross-correlated against the average PDF (Σ/(n-1)) to yield a per-node score]
Score Analysis
- The average score is computed
- Each score is compared to the average
- Deviance is determined by a threshold
[Figure: threshold setting; per-node scores plotted against node number with the mean score line, the threshold bounds, and a suspected deviant node lying outside the bounds]
Threshold Requirements
- The threshold varies for each scenario
  - It represents the percentage deviation required for suspicion of a node
- The variability of thresholds is a weakness of CCIDS
- It can cause false positives
  - Reduced by selecting a proper threshold
  - A minimal baseline threshold is possible, but the system may then never converge
Required Thresholds for Proper Detection (CCIDS)
- Deviant node pervasion yields a linear change in the required threshold
- The number of nodes has negligible impact on threshold requirements
- In this figure, 0.2 represents 100% deviation
  - Detects only nodes that vary significantly
- 0.02 represents a 10% deviation
  - More sensitive to smaller node deviations
Selecting Detection Phases
- A HybridState object determines whether the transition point has been reached
- If one of the results from CCIDS matches a node suspected by MDS, a match is considered found
Transitioning between phases
- Increasing the deviant node pervasion requires more tuning cycles
- The threshold is adjusted once per tuning cycle
- The figure represents an average over all node cluster sizes
  - The number of transition cycles is independent of node cluster size
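The cross-correlation scoring, score-versus-mean threshold test and the tuning loop from the cross-correlation, score analysis, threshold and phase-transition slides above, as one added example written for this page rather than code from HybrIDS. The score used (Pearson correlation of a node's histogram against the average PDF, i.e. a zero-lag normalised cross-correlation), the threshold expressed as a fraction of the mean score, the tuning schedule (lower the threshold by 0.1 per cycle down to a floor of 0.3) and the constructed histories are assumptions; the MDS suspect set is passed in as the output of phase 1:

```python
"""Phase 2 of HybrIDS, cross-correlation scoring (CCIDS), plus the tuning loop
that decides when phase 1 hands over to phase 2.  Added example, not code
from the HybrIDS project.  Score definition, relative-deviation threshold,
tuning schedule and histories are assumptions; D is the deviant node.
"""
from collections import Counter
from math import sqrt
from statistics import mean

LABELS = ["hello", "req", "ack", "data", "bye"]          # assumed action labels


def _actions(counts):
    """Expand per-label counts into a flat action history (constructed data)."""
    return [label for label, c in zip(LABELS, counts) for _ in range(c)]


HISTORIES = {                                           # as seen from node A
    "B": _actions([2, 1, 4, 10, 2]),
    "C": _actions([2, 1, 5, 9, 2]),
    "E": _actions([3, 1, 3, 10, 2]),
    "D": _actions([1, 12, 2, 3, 1]),                     # floods "req"
}


def histogram(actions, labels=LABELS):
    """Normalised per-label frequency vector of one observed node's history."""
    counts = Counter(actions)
    total = sum(counts[l] for l in labels) or 1
    return [counts[l] / total for l in labels]


def correlation(x, y):
    """Pearson correlation of two equal-length vectors (0.0 if either is flat)."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    norm = sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return cov / norm if norm else 0.0


def ccids_scores(histories, labels=LABELS):
    """Score every observed node against the average PDF (sum over the n-1
    observed nodes divided by n-1).  A node that behaves like the average
    scores near 1; a deviant node scores low."""
    hists = {n: histogram(h, labels) for n, h in histories.items()}
    avg = [sum(col) / len(hists) for col in zip(*hists.values())]
    return {n: correlation(h, avg) for n, h in hists.items()}


def ccids_flag(histories, threshold, labels=LABELS):
    """Nodes whose score deviates from the mean score by more than `threshold`,
    a fraction of the mean (0.1 means a 10 % deviation is enough)."""
    scores = ccids_scores(histories, labels)
    m = mean(list(scores.values()))
    return {n for n, s in scores.items() if abs(s - m) > threshold * m}


def tune_until_match(histories, mds_suspects, start=1.0, step=0.1, floor=0.3):
    """HybridState transition: lower the threshold once per tuning cycle until
    a CCIDS result matches a node suspected by MDS.  `floor` models the
    minimal baseline threshold; reaching it without a match means the
    system did not converge (the failure mode noted on the threshold slide)."""
    cycles = 0
    for k in range(round((start - floor) / step) + 1):
        threshold = round(start - step * k, 10)          # avoid float drift
        cycles += 1
        flagged = ccids_flag(histories, threshold)
        if flagged & set(mds_suspects):
            return {"converged": True, "cycles": cycles,
                    "threshold": threshold, "flagged": flagged}
    return {"converged": False, "cycles": cycles, "threshold": None, "flagged": set()}


if __name__ == "__main__":
    print(ccids_scores(HISTORIES))
    print(tune_until_match(HISTORIES, {"D"}))   # converges at 0.7 after 4 cycles
    print(tune_until_match(HISTORIES, {"B"}))   # hits the floor, never converges
```

Two behaviours worth noticing when running this: the deviant node drags the mean score down, so every normal node appears to sit more than 20% above the mean and a threshold of 0.2 flags all four nodes, the false-positive mode the threshold slide warns about; and when phase 1 names a node that CCIDS never flags before the floor is reached (here a wrong suspect, B), the loop exhausts its tuning cycles without a match, which is the non-convergence case.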
HybrIDS Implementation
- Implemented in Java 5 (1.5)
  - Provides code portability
- ARM9 development board target
- 2.73 KB memory footprint for a 35-agent system with 10 behaviors
  - MDS and CCIDS use a shared data structure
- Storage footprint less than 46 KB
- Flexible interface implementation
  - TCP/UDP for the network interface
  - Disk-based access for simulation
  - RS-232/serial interface possible
Results
Analysis of HybrIDS Performance
- HybrIDS can reliably detect deviant nodes up to 22% pervasion
- At 25% pervasion and above, detection is no longer deterministic
- Scalability is governed by percentage pervasion
- The number of nodes in the cluster does not affect scalability
- The graph includes the total time: MDS, transition and CCIDS cycles
Operational Footprint
- HybrIDS with its JVM uses 5 MB of application memory (Linux)
- Maximum power requirement is 5 watts plus the idle power of the ARM9 platform
Application to SCADA
HybrIDS and SCADA
- HybrIDS is optimized for homogeneous ad hoc networks
- While SCADA as a whole is heterogeneous, it contains homogeneous components that can exploit HybrIDS's potential
- HybrIDS can operate on RTU nodes within the SCADA infrastructure
HybrIDS and SCADA (cont'd)
- SCADA is migrating increasingly to vulnerable network infrastructures
  - WAN
  - WLAN
- HybrIDS can be used to detect attack methods on these networks
  - DDoS and packet drops alter interaction request frequencies
  - Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes
Conclusion
- HybrIDS provides a flexible IDS framework for ad hoc networks
- Its distributed nature allows for seamless integration and reliability
- It can easily integrate into existing frameworks, such as SCADA
- It offers scalable performance for multiple anomaly detection
[Figure: ARM9 Development Platform]