Intrusion Detection Techniques for Mobile Wireless Networks
Zhang, Lee, Yi-An Huang
Presented by: Alex Singh and Nabil Taha
Outline
1. Introduction
2. Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks
3. An Architecture for Intrusion Detection
4. Anomaly Detection in Mobile Ad-Hoc Networks
5. Experimental Results
6. Conclusion
Introduction
The rapid proliferation of wireless networks has changed the landscape of network security
Traditional firewalls and encryption software are no longer sufficient
New mechanisms are needed to protect wireless networks and mobile computing applications
Checklist
Examine vulnerabilities of wireless networks
Discuss intrusion detection in a security architecture for the mobile computing environment
Evaluate such an architecture through simulation experiments
Vulnerabilities of Wireless Networks
Wireless links leave the network susceptible to
–Passive eavesdropping
–Active interfering
Mobile nodes are capable of roaming independently
Decision-making in wireless networks relies on cooperative algorithms
Intrusion Detection and the Challenges of Mobile Ad-Hoc Networks
Intrusion – Any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
Intrusion Prevention – Primary defense (e.g. passwords, biometrics)
Intrusion Detection Systems (IDSs) – Second wall of defense
Categories of IDSs
Network-based IDS – Runs at the gateway of a network and examines network packets that go through the network hardware interface
Host-based IDS – Relies on operating system audit data to monitor and analyze the events generated by programs or users on the host
Intrusion Detection Techniques
Misuse Detection – uses patterns of well-known attacks or weak spots to identify known intrusions
–ex: password guessing; lock the account after 4 failed attempts
–Lacks the ability to detect newly invented attacks
Anomaly Detection – flags activities that differ significantly from the established normal usage
–ex: frequency of program usage much lower or much higher than normal usage
–Does not need prior knowledge of attacks
–High false positive rate
Problems with current IDSs
Fixed-infrastructure IDS techniques cannot be directly applied to mobile ad-hoc networks
–They rely on real-time traffic analysis
–For mobile ad-hoc networks this must be done at the system itself and not at a gateway, switch or router
Mobile users tend to adopt new operation modes such as disconnected operation
Questions for a Viable IDS
What is a good system architecture for building intrusion detection and response systems?
What are the appropriate audit data sources, and how do we detect anomalies based on partial, local audit traces?
What is a good model of activities in a mobile computing environment that can separate an anomaly from normalcy?
An Architecture for Intrusion Detection
IDS agent
Data Collection
Gathers streams of real-time audit data from various sources
Includes:
–System activities
–User activities
–Communication activities by this node
–Communication activities by other nodes within radio range
This supports a multi-layered intrusion detection method
Local Detection
The local detection engine analyzes the local data traces gathered by the local data collection module for evidence of anomalies
Can include both misuse detection and anomaly detection
Cooperative Detection
Any node can initiate a response if it has strong enough evidence of an intrusion
If the node only has weak or inconclusive evidence, it can call for a broader investigation
Possible to detect an intrusion even when the evidence at individual nodes is weak
Intrusion Response
The type of intrusion response depends on:
–Type of intrusion
–Type of network protocols
–Type of applications
–Confidence (or certainty) in the evidence
Typical responses:
–Re-initiate communication channels between nodes
–Identify the compromised node and exclude it
Multi-Layer Integrated Intrusion Detection and Response
With wireless networks there are vulnerabilities in multiple layers, so an intrusion detection module needs to be placed at each layer on each node
Need to coordinate intrusion detection and response efforts between layers
Enables us to analyze the attack scenario in its entirety
Anomaly Detection in Mobile Ad-Hoc Networks
Anomaly detection works on the premise that there are intrinsic and observable characteristics of normal behavior that are distinct from those of abnormal behavior
We can use a classifier, trained using normal data, to predict what is normally the next event given the previous n events
Procedure for Anomaly Detection
1. Select audit data
2. Perform appropriate data transformation
3. Compute classifier using training data
4. Apply classifier to test data
5. Post-process alarms to produce intrusion reports
Attacks on Routing Protocols
Route Logic Compromise – Manipulating routing information
–Misrouting: forwarding a packet to an incorrect node
–False Message Propagation: distributing a false route update
Traffic Pattern Distortion – Changes default/normal traffic behavior
–Packet dropping
–Packet generation with a faked source address
–Corruption of packet contents
–Denial-of-service
Audit Data
Local routing information, including cache entries and traffic statistics
Position locator or GPS, which is assumed not to be compromised
Only local information is used, since remote nodes can be compromised
Feature Selection
Since we use classifiers as detectors, we need to select/construct features from the available audit data
A large feature set is first constructed to cover a wide range of behaviors
Several training runs are conducted, and features that occur more than a minimum threshold are selected into the Essential Feature Set
Classifier
Two classifiers were used in the study
RIPPER – A rule induction program; searches the given feature space and computes rules that separate the data into the appropriate classes
SVM Light – A Support Vector Machine classifier; pre-processes the data to represent patterns in a much higher dimension than the given feature space
Post-processing
Choose a parameter l and let the window size be 2l+1
For a region in the current window, if there are more abnormal than normal predictions then the entire region is marked abnormal
Shift the window and repeat
Count all continuous abnormal regions as one intrusion session
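The window-vote post-processing on this slide, as an added Python example (not code from the paper or the presentation); it assumes the window slides one record at a time and that abnormal predictions are encoded as 1, and the sample predictions are constructed:

```python
from typing import List, Tuple

def smooth_predictions(preds: List[int], l: int) -> List[int]:
    """Window-vote post-processing of per-record classifier output.

    preds: one entry per audit record, 1 = predicted abnormal, 0 = normal.
    l:     the slide's parameter; the window covers 2l+1 consecutive records.
    Assumption: the window slides one record at a time.  Whenever abnormal
    predictions outnumber normal ones inside the window, every record in
    that window is marked abnormal; a record stays normal only if no window
    containing it had an abnormal majority.
    """
    size = 2 * l + 1
    n = len(preds)
    marked = [0] * n
    if n == 0:
        return marked
    # A trace shorter than one window is treated as a single window.
    starts = range(n - size + 1) if n >= size else [0]
    for s in starts:
        window = preds[s:s + size]
        abnormal = sum(window)
        if abnormal > len(window) - abnormal:
            for j in range(s, s + len(window)):
                marked[j] = 1
    return marked

def intrusion_sessions(marked: List[int]) -> List[Tuple[int, int]]:
    """Collapse each maximal run of abnormal records into one intrusion
    session, returned as (first_index, last_index)."""
    sessions = []
    start = None
    for i, v in enumerate(marked + [0]):  # sentinel closes a trailing run
        if v == 1 and start is None:
            start = i
        elif v == 0 and start is not None:
            sessions.append((start, i - 1))
            start = None
    return sessions

# Constructed sample: raw predictions for 12 audit records.  The burst at
# records 1-4 is the intrusion; the lone alarm at record 9 is noise.
SAMPLE_PREDICTIONS = [0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0]

if __name__ == "__main__":
    smoothed = smooth_predictions(SAMPLE_PREDICTIONS, l=1)
    print(smoothed)                      # [0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
    print(intrusion_sessions(smoothed))  # [(1, 5)]
```

With l=1 the isolated alarm at record 9 is suppressed while the burst is merged into a single session, which is the false-positive reduction the post-processing step is for.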
Detecting Abnormal Updates to Routing Tables
The routing table contains at a minimum the next hop to each destination node and the distance
Physical movement is measured by distance and velocity
The routing table change is measured by the percentage of changed routes – PCR
and by the percentage of changes of all hops of all the routes – PCH
Computing Normal Profile
Denote PCR the class (i.e. concept), and distance, velocity, PCH, etc. the features describing the concept
Use n classes to represent the PCR values in n ranges; e.g. we can use 10 classes, each representing 10 percentage points, so that the trace data belongs to one of n classes
Apply a classification algorithm to the data to learn a classifier for PCR
Repeat the above for PCH, that is, learn a classifier for PCH
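The PCR and PCH measures from the previous slide together with the PCR-class labelling from this one, as an added Python example (not code from the paper or the presentation); the exact change criteria used for PCR and PCH, and the two routing-table snapshots, are assumptions:

```python
from typing import Dict, List, Tuple

# A routing table snapshot: destination -> (next_hop, hop_count).
RoutingTable = Dict[str, Tuple[str, int]]

def pcr(before: RoutingTable, after: RoutingTable) -> float:
    """Percentage of changed routes between two snapshots (PCR).
    Assumption: a route counts as changed when its next hop or hop count
    differs, or when the destination exists in only one of the snapshots."""
    dests = set(before) | set(after)
    if not dests:
        return 0.0
    changed = sum(1 for d in dests if before.get(d) != after.get(d))
    return 100.0 * changed / len(dests)

def pch(before: RoutingTable, after: RoutingTable) -> float:
    """Percentage of changes of all hops of all routes (PCH).
    Assumption: |total hops after - total hops before| / total hops before."""
    hops_before = sum(h for _, h in before.values())
    hops_after = sum(h for _, h in after.values())
    if hops_before == 0:
        return 0.0 if hops_after == 0 else 100.0
    return 100.0 * abs(hops_after - hops_before) / hops_before

def pcr_class(value: float, n_classes: int = 10) -> int:
    """Map a percentage to one of n equal-width classes (10 percentage
    points each for n=10); exactly 100% falls into the last class."""
    return min(int(value * n_classes // 100), n_classes - 1)

def training_example(distance: float, velocity: float,
                     before: RoutingTable, after: RoutingTable) -> Tuple[List[float], int]:
    """One record for the PCR classifier: features (distance, velocity, PCH),
    label = PCR class."""
    return [distance, velocity, pch(before, after)], pcr_class(pcr(before, after))

# Constructed sample: node A's table before and after one movement interval.
# Routes to C and D switch from next hop B to next hop E; D becomes shorter.
BEFORE: RoutingTable = {"B": ("B", 1), "C": ("B", 2), "D": ("B", 3), "E": ("E", 1)}
AFTER: RoutingTable = {"B": ("B", 1), "C": ("E", 2), "D": ("E", 2), "E": ("E", 1)}

if __name__ == "__main__":
    print(pcr(BEFORE, AFTER))  # 50.0 (2 of 4 routes changed)
    print(pch(BEFORE, AFTER))  # 14.285714285714286 (total hops 7 -> 6)
    print(training_example(12.5, 2.0, BEFORE, AFTER))  # ([12.5, 2.0, 14.28...], 5)
```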
Finding Anomalies
If abnormal data is not available, compute clusters of the deviation scores, where each score pair is a point (PCR, PCH); the outliers can then be considered anomalies
Detecting Abnormal Activities in Other Layers
Anomaly detection in other layers (MAC protocols, application, services, etc.) uses a similar approach
MAC protocols – form clusters using the deviations of the total number of channel requests and the total number of nodes making the requests during a time period s
Experimental Results
Discussion
Anomaly detection works much better on a routing protocol in which a degree of redundancy exists within the infrastructure
DSR embeds a whole source route in each packet dispatched
–This makes it harder to hide an intrusion by faking a bit of routing information
Conclusions
Mobile wireless networks require different techniques to detect intrusions
Anomaly detection is a critical component of intrusion detection and response
Trace analysis and anomaly detection should be done locally and possibly through cooperation with all nodes in the network
The paper focused on ad-hoc routing protocols since they are the foundation of a mobile ad-hoc network
Conclusions – Routing Protocols
Use anomaly detection models constructed using information available from the routing protocols
Apply RIPPER and SVM Light to compute classifiers
Showed that these detectors in general have good detection performance, with SVM Light performing better
Conclusions – Findings
They noted some disparity in security performance among different types of routing protocols
They claimed that protocols with strong correlation among changes of different types of information (location, track and routing message) tend to have better detection performance
And on-demand protocols usually work better than table-driven protocols