TRUST, Berkeley Meetings, March 19-21, 2007: A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks. Adrian P. Lauf, Richard A. Peters and William H. Robinson

Presentation transcript:

A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks
Adrian P. Lauf, Richard A. Peters and William H. Robinson
TRUST, Berkeley Meetings, March 19-21, 2007; April 2-3, 2008

Outline
- Motivation
- Methods
- Results
- Application to SCADA


What is HybrIDS?
Hybrid, Distributed, Embeddable IDS (HybrIDS):
- Identify deviant activity on an ad-hoc network
- Distributed implementation strategy
- Utilize multiple detection strategies
  - Zero-knowledge phase
  - Calibration-based phase
- Function on resource-constrained devices
- Integrate with SCADA (Supervisory Control And Data Acquisition) networks

Why HybrIDS for SCADA?
- SCADA implementations are becoming increasingly less localized
- Wireless and IP-based networks present a significant security vulnerability
- Sensor/actuator nodes have no inherent security built in
- Designed with scalability in mind

Why is HybrIDS different?
- It is decentralized
  - Reduces dependence on a single system
  - Reduces power consumption and compute-intensive operations
  - Allows for group consensus decisions
  - Each unit maintains a model of the world, which reduces the chance of tampering with a centralized system
- It is resource constrained
  - Runs well on embedded Linux platforms
- It is portable
  - Uses abstraction to eliminate context exclusivity
  - Coded in Java for enhanced portability
- It is adaptable: HybrIDS can abstract many ad-hoc network scenarios
  - Autonomous aircraft networks and avionic protocols (ADS-B)
  - Swarm-based microrobotics
  - Self-contained sensor nodes

What can HybrIDS do?
- Identify single or multiple anomalies on an ad-hoc network
- Adaptable to various attack configurations
  - DoS
  - Timed attacks
  - Command injection
  - Network disruption
- Locate deviant nodes with zero prior knowledge of the system architecture
- Adapt to system changes in a scalable manner


Simplifying by Abstraction
- Node interactions classified by labels
- Interaction histories recorded
  - Each node maintains action histories from its point of view
- Abstraction permits context independence
  - Applicable to any system using predetermined actions
(Figure: nodes exchanging labelled interactions, Action 1 ... Action n-1, Action n)

Why a hybrid approach?
- Phase 1 requires no training data
  - Can isolate a single anomaly
- Phase 2 requires training data
  - Can detect multiple anomalies
  - More flexible to system changes
(Figure: time progression from Phase 1 to Phase 2)

Detection Method: Maxima Analysis: Setup
- Histograms formed for each connected node
  - Node A will track B, C, and D
- Average system behavior obtained by averaging across observed nodes
- Bins correspond to action labels
- Data must be normalized to a distribution
  - E.g. Gaussian, chi-squared
(Figure: per-node histograms over labels, combined as Σ/(n-1) into the average behavioral PDF for the system)

Maxima Detection Algorithm
- Resultant vector yields an approximate PDF
- Find the global maximum, exclude it
- Identify and mark the local maxima
- A local maximum yields likely intrusion-motivated behaviors
- Reverse-map this label to the node with the most frequent occurrence
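The maxima detection strategy (MDS) described on the setup and algorithm slides, worked through on constructed data. This is an added example, not code from the HybrIDS project (which is written in Java): each observer builds a normalised histogram per peer from the action labels it recorded, averages them into the system PDF, discards the global maximum as the dominant normal behaviour, treats every remaining local maximum as a suspect behaviour and reverse-maps that label to the peer that issued it most often. The observation data, the node names and the `consensus` tally across observers are assumptions made for the example; the slides only say that group consensus decisions are possible, not how they are taken.

```python
from collections import Counter

# Constructed sample data (not from the HybrIDS project): each observer node keeps an
# action history per peer, recorded from its own point of view. Labels 0..4 are abstract
# action ids; label 4 is rare for every peer except D, which issues it repeatedly.
OBSERVATIONS = {
    "A": {"B": [0, 1, 1, 2, 0, 1, 3], "C": [0, 1, 2, 1, 0, 1], "D": [4, 4, 4, 1, 4, 0]},
    "B": {"A": [0, 1, 2, 1, 0, 1, 1], "C": [0, 1, 1, 2, 0, 1], "D": [4, 4, 1, 4, 4, 4]},
    "C": {"A": [0, 1, 1, 0, 2, 1], "B": [1, 0, 1, 1, 2, 0], "D": [4, 1, 4, 4, 4, 4]},
}
LABELS = 5  # number of action labels, i.e. histogram bins


def histogram(actions, labels=LABELS):
    """Per-peer histogram over action labels, normalised to sum to 1 (an empirical PMF)."""
    counts = Counter(actions)
    total = sum(counts.values()) or 1
    return [counts.get(label, 0) / total for label in range(labels)]


def average_pdf(peer_histograms):
    """Average system behaviour from one observer's viewpoint: mean of its peer histograms."""
    n = len(peer_histograms)
    return [sum(h[label] for h in peer_histograms.values()) / n for label in range(LABELS)]


def local_maxima(pdf):
    """Bins strictly higher than their neighbours; an edge bin only has one neighbour."""
    maxima = []
    for label, value in enumerate(pdf):
        left = pdf[label - 1] if label > 0 else float("-inf")
        right = pdf[label + 1] if label < len(pdf) - 1 else float("-inf")
        if value > left and value > right:
            maxima.append(label)
    return maxima


def maxima_detect(observer, observations=OBSERVATIONS):
    """MDS as run by one node: build the average PDF, drop the global maximum (the dominant,
    normal behaviour), keep the remaining local maxima as suspect behaviours, and reverse-map
    each suspect label to the peer that produced it most often."""
    peer_histograms = {peer: histogram(acts) for peer, acts in observations[observer].items()}
    pdf = average_pdf(peer_histograms)
    global_max = max(range(LABELS), key=lambda label: pdf[label])
    suspect_labels = [label for label in local_maxima(pdf) if label != global_max]
    suspects = {}
    for label in suspect_labels:
        counts = {peer: acts.count(label) for peer, acts in observations[observer].items()}
        suspects[label] = max(counts, key=counts.get)
    return {"pdf": pdf, "suspect_labels": suspect_labels, "suspects": suspects}


def consensus(observations=OBSERVATIONS):
    """Assumed group decision: how many observers independently name each peer as deviant."""
    votes = Counter()
    for observer in observations:
        for peer in set(maxima_detect(observer, observations)["suspects"].values()):
            votes[peer] += 1
    return dict(votes)


if __name__ == "__main__":
    for observer in OBSERVATIONS:
        print(observer, "suspects", maxima_detect(observer)["suspects"])
    print("consensus", consensus())
```

Because the average is taken over all observed peers, a deviant peer's behaviour still shows up in the system PDF, but only as a secondary bump beside the dominant normal behaviour; that is exactly why the global maximum is excluded before the remaining local maxima are read as suspect labels. With a single deviant this works with no training data, which matches the Phase 1 description on the slides.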

Detection Method: Cross-correlation
(Figure: per-node histograms over labels are averaged (Σ/(n-1)) into the average PDF; correlating a node's histogram against the average PDF yields that node's score)

Score Analysis
- Average score is computed
- Each score is compared to the average
- Deviance determined by a threshold
(Figure: score versus node number, showing the mean score line, the threshold bounds and a suspected deviant node)

Threshold Requirements
- Threshold varies for each scenario
  - It represents the percentage deviation required for suspicion of a node
- Variability of thresholds is a weakness of CCIDS
- Can cause generation of false positives
  - Reduced by selecting a proper threshold
  - A minimal baseline threshold is possible, but the system may never converge

Required Thresholds for Proper Detection (CCIDS)
- Deviant node pervasion yields a linear change in threshold
- Number of nodes has negligible impact on threshold requirements
- 0.2 represents 100% deviation in this figure
  - Detects only nodes that vary significantly
- 0.02 represents a 10% deviation
  - More sensitive to smaller node deviations
(Figure: required threshold versus deviant node pervasion, for several cluster sizes)

Selecting Detection Phases
- HybridState object determines if the transition point has been reached
- If one of the results from CCIDS matches a suspected node from MDS, a match is considered found

Transitioning between phases
- Increasing the deviant node pervasion requires more tuning cycles
- Threshold adjusted once per tuning cycle
- Figure represents an average for all node sizes
  - Number of transition cycles is independent of node cluster size
(Figure: tuning cycles required for the transition versus deviant node pervasion)
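The cross-correlation phase (CCIDS), the score analysis, the threshold as a percentage deviation and the phase transition from the preceding slides, worked through together on constructed data. This is an added example, not the HybrIDS project's own Java code. The slides do not give the scoring formula, so the example assumes the score is the zero-lag cross-correlation (dot product) of a node's calibrated histogram with the average PDF; the threshold is the relative deviation |score - mean| / mean beyond which a node is flagged. `tune_until_match` plays the role the slides assign to the HybridState check: it is handed the node MDS already suspects (here simply a parameter), lowers the threshold by one step per tuning cycle until a CCIDS result contains that node, and gives up at a baseline floor, which is the "may never converge" case. The histograms, node names, starting threshold, step and floor are all assumptions made for the example.

```python
# Constructed training data (not from the HybrIDS project): calibrated histograms over five
# action labels for the five peers one observer tracks, each normalised to sum to 1.
# N1..N4 behave alike; N5 concentrates its activity on label 4.
HISTOGRAMS = {
    "N1": [0.30, 0.40, 0.20, 0.10, 0.00],
    "N2": [0.25, 0.45, 0.20, 0.10, 0.00],
    "N3": [0.30, 0.35, 0.25, 0.10, 0.00],
    "N4": [0.35, 0.40, 0.15, 0.10, 0.00],
    "N5": [0.10, 0.10, 0.00, 0.00, 0.80],
}


def average_pdf(histograms):
    """Average behavioural PDF: mean of the observed peer histograms, bin by bin."""
    n = len(histograms)
    bins = len(next(iter(histograms.values())))
    return [sum(h[b] for h in histograms.values()) / n for b in range(bins)]


def cross_correlation(hist, avg):
    """Assumed score: zero-lag cross-correlation of a node's histogram with the average PDF."""
    return sum(h * a for h, a in zip(hist, avg))


def ccids(histograms, threshold):
    """One CCIDS pass: score every node, compare each score with the mean score, and flag the
    nodes whose relative deviation |score - mean| / mean exceeds the threshold."""
    avg = average_pdf(histograms)
    scores = {node: cross_correlation(h, avg) for node, h in histograms.items()}
    mean = sum(scores.values()) / len(scores)
    flagged = {node for node, s in scores.items() if abs(s - mean) / mean > threshold}
    return scores, mean, flagged


def tune_until_match(histograms, mds_suspect, start=0.50, step=0.05, floor=0.10):
    """Transition check in the spirit of HybridState (assumed behaviour): run CCIDS and stop as
    soon as its result contains the node MDS suspects; otherwise lower the threshold by one
    step per tuning cycle. A baseline floor stops the loop from tightening forever; reaching
    it without a match returns None, i.e. the system never converged."""
    cycles = 0
    while True:
        threshold = round(start - cycles * step, 6)  # round away accumulated float drift
        if threshold < floor:
            return None
        _, _, flagged = ccids(histograms, threshold)
        if mds_suspect in flagged:
            return {"threshold": threshold, "cycles": cycles, "flagged": flagged}
        cycles += 1


if __name__ == "__main__":
    scores, mean, _ = ccids(HISTOGRAMS, 0.5)
    print("scores", {n: round(s, 4) for n, s in scores.items()}, "mean", round(mean, 4))
    print("match for N5:", tune_until_match(HISTOGRAMS, "N5"))
    print("match for N1:", tune_until_match(HISTOGRAMS, "N1"))
```

On this data N5 scores about 22% below the mean while the other four sit within 8% of it, so the loop settles at a threshold of 0.20 after six adjustments and flags only N5; asking it to confirm N1 instead runs down to the floor and returns None. Lowering the floor would eventually flag N1, but N2 and N4 deviate by more than N1 does and would be flagged first, which is the false-positive risk the threshold slide warns about.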

HybrIDS Implementation
- Implemented in Java 5 (1.5), which provides code portability
- ARM9 development board target
- 2.73 KB memory footprint for a 35-agent system with 10 behaviors
  - MDS and CCIDS use a shared data structure
- Storage footprint less than 46 KB
- Flexible interface implementation
  - TCP/UDP for network interface
  - Disk-based access for simulation
  - RS-232/serial interface possible


Analysis of HybrIDS Performance
- HybrIDS can reliably detect deviant nodes up to 22% pervasion
- 25% pervasion and up removes the element of determinacy
- Scalability measured by percentage pervasion
- Number of nodes in the cluster does not affect scalability concerns
- Graph includes total time: MDS, transition and CCIDS cycles
(Figure: total detection time versus deviant node pervasion)

Operational Footprint
- HybrIDS with its JVM uses 5 MB of application memory (Linux)
- Maximum power requirement is 5 watts plus the idle power of the ARM9 platform


HybrIDS and SCADA
- HybrIDS is optimized for homogeneous ad-hoc networks
- While heterogeneous, SCADA contains homogeneous components that can exploit HybrIDS's potential
- HybrIDS can operate on RTU nodes within the SCADA infrastructure

HybrIDS and SCADA (cont'd)
- SCADA is migrating increasingly to vulnerable network infrastructures
  - WAN
  - WLAN
- HybrIDS can be used to detect attack methods on these networks
  - DDoS and packet drops alter interaction request frequencies
  - Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes

Conclusion
- HybrIDS provides a flexible IDS framework for ad-hoc networks
- Distributed nature allows for seamless integration and reliability
- Can easily integrate into existing frameworks, such as SCADA
- Offers scalable performance for multiple anomaly detection
(Figure: ARM9 development platform)