Presentation is loading. Please wait.

Presentation is loading. Please wait.

TRUST, Berkeley Meetings, March 19-21, 2007 A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks Adrian P. Lauf,

Published byWinifred Kennedy Modified over 9 years ago

Similar presentations

Presentation on theme: "TRUST, Berkeley Meetings, March 19-21, 2007 A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks Adrian P. Lauf,"— Presentation transcript:

1 TRUST, Berkeley Meetings, March 19-21, 2007 A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks Adrian P. Lauf, Richard A. Peters and William H. Robinson April 2-3, 2008

2 TRUST, Berkeley Meetings, March 19-21, 2007 Outline Motivation Methods Results Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 2 April 2-3, 2008

3 TRUST, Berkeley Meetings, March 19-21, 2007 Outline Motivation Methods Results Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 3 April 2-3, 2008

4 TRUST, Berkeley Meetings, March 19-21, 2007 What is HybrIDS? Hybrid, Distributed, Embedd- able IDS: (HybrIDS) Identify deviant activity on ad-hoc network Distributed implementation strategy Utilize multiple detection strategies – Zero-knowledge phase – Calibration-based phase Function on resource- constrained devices Integrate with SCADA (Supervisory Control And Data Acquisition) networks "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 4 April 2-3, 2008

5 TRUST, Berkeley Meetings, March 19-21, 2007 Why HybrIDS for SCADA? SCADA implementations are becoming increasingly less localized Wireless and IP-based networks present a significant security vulnerability Sensor/Actuator nodes have no inherent security built in Designed with scalability in mind "A Distributed Intrusion Detection System for Resource- Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 5 April 2-3, 2008

6 TRUST, Berkeley Meetings, March 19-21, 2007 Why is HybrIDS different? It is decentralized – Reduce dependence on a single system – Reduce power consumption Reduce compute-intensive operations – Allows for group consensus decisions Each unit maintains a model of the world – Reduces chance of tampering with a centralized system It is resource constrained – Runs well on embedded Linux platforms It is portable – Uses abstraction to eliminate context exclusivity – Coded in Java for enhanced portability It is adaptable – HybrIDS can abstract many ad-hoc network scenarios: Autonomous aircraft networks and avionic protocols (ADS-B) Swarm-based microrobotics Self-contained sensor nodes "A Distributed Intrusion Detection System for Resource- Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 6 April 2-3, 2008

7 TRUST, Berkeley Meetings, March 19-21, 2007 What can HybrIDS do? Identify single or multiple anomalies on an ad- hoc network Adaptable to various attack configurations – DOS – Timed attacks – Command injection – Network disruption Locate deviant nodes with zero prior knowledge of system architecture Adapt to system changes in a scalable manner "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 7 April 2-3, 2008

8 TRUST, Berkeley Meetings, March 19-21, 2007 Outline Motivation Methods Results Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 8 April 2-3, 2008

9 TRUST, Berkeley Meetings, March 19-21, 2007 Simplifying by Abstraction Node interactions classified by labels Interaction histories recorded – Each node maintains action histories from its point of view Abstraction permits context independence – Applicable to any system using predetermined actions Action 1 Action n-1 Action n Node 113025 Node 223220 Node 315022 Node 412280 April 2-3, 2008

10 TRUST, Berkeley Meetings, March 19-21, 2007 Why a hybrid approach? Phase 1 requires no training data Can isolate a single anomaly Phase 2 requires training data Can detect multiple anomalies More flexible to system changes Phase 1 Phase 2 Time Progression April 2-3, 2008

11 TRUST, Berkeley Meetings, March 19-21, 2007 Detection Method: Maxima Analysis: Setup Histograms formed for each connected node – Node A will track B, C, and D. Average system behavior obtained by averaging across observed nodes Bins correspond to action labels Data must be normalized to a distribution – E.g. Gaussian, Chi 2 Σ/(n-1) Labels.......... Nodes Avg. behavioral PDF for system April 2-3, 2008

12 TRUST, Berkeley Meetings, March 19-21, 2007 Maxima Detection Algorithm Resultant vector yields approximate PDF Find global maximum, exclude it Identify, mark local maxima Local maximum yields likely intrusion-motivated behaviors Reverse-map this label to node with most frequent occurrence 12 April 2-3, 2008

13 TRUST, Berkeley Meetings, March 19-21, 2007 Detection Method: Cross-correlation 13 Labels.......... Nodes Σ/(n-1) 13 = Score Average PDF April 2-3, 2008

14 TRUST, Berkeley Meetings, March 19-21, 2007 Score Analysis Average score is computed Each score is compared to the average Deviance determined by a threshold Threshold Setting Threshold BoundsNode Number Score Mean Score LineSuspected Deviant Node April 2-3, 2008

15 TRUST, Berkeley Meetings, March 19-21, 2007 Threshold Requirements Threshold varies for each scenario – Representative of a percentage deviation required for suspicion of a node Variability of thresholds is a weakness of CCIDS Can cause generation of false positives – Reduced by selecting proper threshold – Minimal baseline threshold is possible – system may never converge April 2-3, 2008

16 TRUST, Berkeley Meetings, March 19-21, 2007 Required Thresholds for Proper Detection (CCIDS) Deviant node pervasion yields linear change in threshold Number of nodes has negligible impact on threshold requirements 0.2 represents 100% deviation in this figure – Detects only nodes that vary significantly 0.02 represents a 10% deviation – More sensitive to smaller node deviations April 2-3, 2008

17 TRUST, Berkeley Meetings, March 19-21, 2007 Selecting Detection Phases HybridState object determines if transition point has been reached If one of the results from CCIDS matches a suspected node from MDS, a match is considered found April 2-3, 2008

18 TRUST, Berkeley Meetings, March 19-21, 2007 Transitioning between phases Increasing the deviant node pervasion requires more tuning cycles Threshold adjusted once per tuning cycle Figure represents an average for all node sizes – # transition cycles is independent of node cluster size April 2-3, 2008

19 TRUST, Berkeley Meetings, March 19-21, 2007 HybrIDS Implementation Implemented in Java 5 (1.5) – Introduces Code Portability ARM9 development board target 2.73 KB memory footprint for a 35-agent system with 10 behaviors – MDS and CCIDS use a shared data structure Storage footprint less than 46 KB Flexible interface implementation – TCP/UDP for network interface – Disk-based access for simulation – RS-232/Serial interface possible April 2-3, 2008

20 TRUST, Berkeley Meetings, March 19-21, 2007 Outline Motivation Methods Results Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 20 April 2-3, 2008

21 TRUST, Berkeley Meetings, March 19-21, 2007 Analysis of HybrIDS Performance HybrIDS can reliably detect deviant nodes upto 22% pervasion 25% pervasion and up removes element of determinacy Scalability by percentage pervasion Number of nodes in cluster does not affect scalability concerns Graph includes total time – MDS, transition and CCIDS cycles April 2-3, 2008

22 TRUST, Berkeley Meetings, March 19-21, 2007 Operational Footprint HybrIDS with its JVM uses 5MB of application memory (Linux 2.6.22) Maximum power requirement is 5 watts + idle power of ARM9 platform "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 22 April 2-3, 2008

23 TRUST, Berkeley Meetings, March 19-21, 2007 Outline Motivation Methods Results Application to SCADA "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 23 April 2-3, 2008

24 TRUST, Berkeley Meetings, March 19-21, 2007 HybrIDS and SCADA HybrIDS is optimized for homogeneous ad-hoc networks While heterogenous, SCADA contains homogeneous components that can exploit HybrIDS’s potential HybrIDS can operate on RTU nodes within SCADA infrastructure "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 24 April 2-3, 2008

25 TRUST, Berkeley Meetings, March 19-21, 2007 HybrIDS and SCADA (cont’d) SCADA is migrating increasingly to vulnerable network infrastructures – WAN – WLAN HybrIDS can be used to detect attack methods on these networks – DDOS and packet drops alter interaction request frequencies – Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes "A Distributed Intrusion Detection System for Resource- Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 25 April 2-3, 2008

26 TRUST, Berkeley Meetings, March 19-21, 2007 Conclusion HybrIDS provides a flexible IDS framework for ad-hoc networks Distributed nature allows for seamless integration and reliability Can easily integrate into existing frameworks, such as SCADA Offers scalable performance for multiple anomaly detection "A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson 26 April 2-3, 2008 ARM9 Development Platform

Download ppt "TRUST, Berkeley Meetings, March 19-21, 2007 A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks Adrian P. Lauf,"

Similar presentations

IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE 802.11 Networks Using a Single Wireless Card.

IEEE INFOCOM 2004 MultiNet: Connecting to Multiple IEEE Networks Using a Single Wireless Card.
anywhere and everywhere. omnipresent A sensor network is an infrastructure comprised of sensing (measuring), computing, and communication elements.

anywhere and everywhere. omnipresent A sensor network is an infrastructure comprised of sensing (measuring), computing, and communication elements.
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
Josh Alcorn Larry Brachfeld An in depth review of ad hoc mobile network & cloud security concerns.

Josh Alcorn Larry Brachfeld An in depth review of ad hoc mobile network & cloud security concerns.
Report on Common Intrusion Detection Framework By Ganesh Godavari.

Report on Common Intrusion Detection Framework By Ganesh Godavari.
Decentralized Reactive Clustering in Sensor Networks Yingyue Xu April 26, 2015.

Decentralized Reactive Clustering in Sensor Networks Yingyue Xu April 26, 2015.
Application of Bayesian Network in Computer Networks Raza H. Abedi.

Application of Bayesian Network in Computer Networks Raza H. Abedi.
Mitigating Routing Misbehavior in Mobile Ad Hoc Networks By Sergio Marti, T.J. Giuli, Kevin Lai, & Mary Baker Department of Computer Science Stanford University.

Mitigating Routing Misbehavior in Mobile Ad Hoc Networks By Sergio Marti, T.J. Giuli, Kevin Lai, & Mary Baker Department of Computer Science Stanford University.
Sogang University ICC Lab Using Game Theory to Analyze Wireless Ad Hoc networks.

Sogang University ICC Lab Using Game Theory to Analyze Wireless Ad Hoc networks.
Extensible Networking Platform 1 1 - IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood

Extensible Networking Platform IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood
Panoptes: A Scalable Architecture for Video Sensor Networking Applications Wu-chi Feng, Brian Code, Ed Kaiser, Mike Shea, Wu-chang Feng (OGI: The Oregon.

Panoptes: A Scalable Architecture for Video Sensor Networking Applications Wu-chi Feng, Brian Code, Ed Kaiser, Mike Shea, Wu-chang Feng (OGI: The Oregon.
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS) Tanya Roosta (Berkeley) 1.

Adrian Lauf, Jonathan Wiley, William H. Robinson, Gabor Karsai (Vanderbilt ISIS) Tanya Roosta (Berkeley) 1.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
CS 239: Advanced Security Spring 04 Security in Pervasive and Ubiquitous Environments Sam Irvine

CS 239: Advanced Security Spring 04 Security in Pervasive and Ubiquitous Environments Sam Irvine
A New Household Security Robot System Based on Wireless Sensor Network Reporter :Wei-Qin Du.

A New Household Security Robot System Based on Wireless Sensor Network Reporter :Wei-Qin Du.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
The Bio-Networking Architecture: An Infrastructure of Autonomic Agents in Pervasive Networks Jun Suzuki netresearch.ics.uci.edu/bionet/

The Bio-Networking Architecture: An Infrastructure of Autonomic Agents in Pervasive Networks Jun Suzuki netresearch.ics.uci.edu/bionet/
Probability Grid: A Location Estimation Scheme for Wireless Sensor Networks Presented by cychen Date : 3/7 In Secon (Sensor and Ad Hoc Communications and.

Probability Grid: A Location Estimation Scheme for Wireless Sensor Networks Presented by cychen Date : 3/7 In Secon (Sensor and Ad Hoc Communications and.

Similar presentations

Ads by Google