Post on 28-Dec-2015
Protecting Mobile Ad Hoc Network Routing Infrastructure with Intrusion Detection Systems
Yi-an Huang and Wenke Lee, College of Computing, Georgia Institute of Technology
Outline
Motivation and Attack Analysis on Mobile Ad Hoc Networks
IDS Design Intrusion Detection
Architecture: Node-based vs. cluster-based Approach: Specification-based vs. statistics-based
Intrusion Response: Traceback and Filtering Future Work
Better machine learning approaches Verification of protocol state machine and distributed
protocols
Mobile Ad Hoc Networks (MANET)
Concepts Mobile hosts with no fixed infrastructure Connected through wireless links No centralized control Multi-hop routing Great potential for a number of new self-managing applications
Characteristics Inadequate physical protection
Node compromise may be more common Mobile routing topology No single traffic concentration point
Gateways, access points, etc. Resource-constrained capability Existing security solutions designed for wired networks may have problems
Motivation Architecture Case Study
Routing Attack Example: Sinkhole
General Assumption
Reliable Communication Channel: bi-directional, free from loss/congestion
Adversary Model: every node in MANET may be compromised, and with equal probability. We focus on attacks on routing protocols.
Attack Analysis in MANET Routing
Traditional attack analysis is based on the knowledge of known incidents. Therefore, it is hard to apply traditional attack analysis in MANET since MANET is a relatively new environment
Our proposed approach: perform a taxonomy study on anomalous basic events
Decompose routing behavior into basic events: the smallest set of causally-related operations in a single node
Anomalous basic events are basic events that do not follow the normal protocol behavior; they can be used to define a set of basic attacks conducted on a single node, and more complicated attacks can be modeled by combinations of anomalous basic events
Taxonomy of anomalous basic events, based on the security goals that may be compromised (confidentiality, integrity and availability) and on the routing elements that may be targeted by attackers (routing and data messages, routing table entries)
Taxonomy of Anomalous Basic Events
(rows: compromised security goal; columns: targeted routing element)

Security goal      | Routing Messages       | Data Packets    | Routing Table Entries
Confidentiality    | Location Disclosure    | Data Disclosure | N/A
Integrity: Add     | Fabrication            | Fabrication     | Add Route
Integrity: Delete  | Interruption           | Interruption    | Delete Route
Integrity: Change  | Modification, Rushing  | Modification    | Change Route Cost
Availability       | Flooding               | Flooding        | Routing Table Overflow

Bold face represents what an IDS agent is currently capable of.
Comparison of Security Solutions
Prevention techniques Provide authenticated use and data integrity Con: susceptible to insider attacks, software bugs, etc.
Reputation systems An alternative concept: selfishness is natural Incentives are provided to encourage forwarding Con: only address limited security problem
Intrusion Detection and Response: capture potential misbehavior in real time (Detection), identify attack sources (Traceback), respond promptly to recover from or minimize damage (Filtering)
IDS Architecture
Traceback
Node-BasedDetectionFeature
CollectionFiltering
Cooperative Detection
SecureCommunication
IDS Agent
Intrusion Detection Intrusion Response
Feature Collection Based on Routing Protocol Specification
Motivation: previously, we manually chose features based on domain knowledge and heuristics; a more systematic approach is preferred
Solution: enumerate possible features derived from a protocol specification described in an extended state machine An Extended Finite State Automaton (EFSA) is a finite-state
machine where transitions and states can carry a finite set of arguments. EFSAs can be derived from protocol implementation, RFCs or other specifications
Define behavior on the routing protocol level Issue: how do we verify the correctness of EFSA?
Case study: AODV (Ad hoc On-demand Distance Vector) Routing Protocol (Perkins’03)
Feature Collection Intrusion Detection Intrusion Response
Example
Semantic Violation: Interruption of Data Packets Statistical Violation: Flooding of Data Packets
Valid[ob, oSeq, nHops, nxt]  (T10) DATA?[Src, ob] -> if (ob != cur) DATA![Src, ob, nxt]
Two Detection Approaches
Target different anomalous basic events Specification-based detection
Detect violations to the EFSA specification High accuracy assuming that the specification
correctly models all normal behavior in semantics Statistics-based detection
Many attacks do not violate the specification directly The statistics-based approach, equipped with
machine learning tools, can detect abnormal statistical patterns
Statistical features are extracted from states and transitions of EFSA.
Misuse detection vs. anomaly detection
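The transition shown above and the two approaches just described, as an added example that is not from the slides or the authors' IDS: a monitor for one AODV node that checks the semantic side of transition T10 (a DATA? received in a Valid state for a non-local destination must be followed by a DATA! with the next hop, otherwise the node is interrupting data packets) and a statistical side (DATA? arrivals per source in a sliding window, flagged as flooding above a threshold). Reading DATA? as a received and DATA! as a sent data packet, the forwarding deadline, window length, threshold, event encoding and the event trace are all assumptions constructed for this example.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this example; the slides give none.
FORWARD_DEADLINE = 1.0    # seconds within which DATA! must follow DATA?
FLOOD_WINDOW = 5.0        # sliding window (seconds) for the flooding statistic
FLOOD_THRESHOLD = 20      # DATA? packets per source per window that trigger an alert


class NodeMonitor:
    """Monitors one node's DATA? / DATA! events against the Valid[...] transition."""

    def __init__(self, cur, routes):
        self.cur = cur            # this node's own address
        self.routes = routes      # dest -> nxt, i.e. the destinations in a Valid state
        self.pending = []         # (deadline, src, dst) forwards the EFSA still expects
        self.recent = defaultdict(deque)  # src -> arrival times of DATA? in the window
        self.alerts = []

    def _expire(self, now):
        # Semantic violation: a required DATA! transition never happened in time.
        still = []
        for deadline, src, dst in self.pending:
            if now > deadline:
                self.alerts.append(("INTERRUPTION", src, dst))
            else:
                still.append((deadline, src, dst))
        self.pending = still

    def feed(self, t, kind, src, dst):
        """kind is 'DATA_IN' for DATA?[Src, ob] or 'DATA_OUT' for DATA![Src, ob, nxt]."""
        self._expire(t)
        if kind == "DATA_IN":
            # T10: in Valid[ob, ...], DATA?[Src, ob] with ob != cur must produce DATA!.
            if dst != self.cur and dst in self.routes:
                self.pending.append((t + FORWARD_DEADLINE, src, dst))
            # Statistical feature: DATA? count per source in a sliding window.
            window = self.recent[src]
            window.append(t)
            while window and t - window[0] > FLOOD_WINDOW:
                window.popleft()
            if len(window) > FLOOD_THRESHOLD:
                self.alerts.append(("FLOODING", src, None))
                window.clear()
        elif kind == "DATA_OUT":
            # The forward happened: discharge the oldest matching expectation.
            for i, (_, s, d) in enumerate(self.pending):
                if s == src and d == dst:
                    del self.pending[i]
                    break

    def finish(self, now):
        self._expire(now)
        return list(self.alerts)


def run_demo():
    """Constructed event trace for node B, which holds a valid route to D via C."""
    mon = NodeMonitor(cur="B", routes={"D": "C"})
    events = [
        (0.0, "DATA_IN", "A", "D"),   # forwarded correctly ...
        (0.2, "DATA_OUT", "A", "D"),
        (1.0, "DATA_IN", "A", "D"),   # ... this one is silently dropped
    ]
    # 25 packets from M addressed to B itself within 0.25 s: nothing to forward, but a flood
    events += [(3.0 + i * 0.01, "DATA_IN", "M", "B") for i in range(25)]
    for t, kind, src, dst in events:
        mon.feed(t, kind, src, dst)
    return mon.finish(10.0)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The semantic check needs no training data and is exact as long as the specification is right; the statistical check is where the thresholds (here fixed by hand) would come from the learning step described on the following slides.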
Anomalous Basic Events Revisited
(rows: compromised security goal; columns: targeted routing element)

Security goal      | Routing Messages       | Data Packets    | Routing Table Entries
Confidentiality    | Location Disclosure    | Data Disclosure | N/A
Integrity: Add     | Fabrication            | Fabrication     | Add Route
Integrity: Delete  | Interruption           | Interruption    | Delete Route
Integrity: Change  | Modification, Rushing  | Modification    | Change Route Cost
Availability       | Flooding               | Flooding        | Routing Table Overflow

Underlined categories are covered by the specification-based approach
Feature Selection
Learning-based approaches do not work well with a large number of features
A filter approach based on labeled data
Start with the empty set: $G_0 = \{\}$
Add a new feature $f_i$ that maximizes the relative entropy of the two distribution functions $P(C|G)$ and $P(C|G \cup \{f\})$, and set $G_{i+1} = G_i \cup \{f\}$
Until the relative entropy is insignificant
Efficient in practice
Relative entropy: $D(p \| q) = \sum_x p(x) \log \frac{p(x)}{q(x)}$
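The greedy filter just outlined, as an added example that is not the authors' code: the relative entropy between $P(C|G \cup \{f\})$ and $P(C|G)$ is estimated from labeled samples as $\sum_{g,f} P(g,f) \sum_c P(c|g,f) \log \frac{P(c|g,f)}{P(c|g)}$, and features are added one at a time until the best gain drops below a threshold. The data generator, the three binary features (one strong, one weaker, one pure noise), the threshold and the natural-log units are assumptions made for this example.

```python
import math
import random
from collections import Counter, defaultdict


def make_samples(n=10000, seed=7):
    """Constructed labeled data: f1 agrees with the class 85% of the time, f2 75%,
    f3 is an independent coin flip. Features are already discretised to {0, 1}."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        c = rng.randrange(2)                       # 0 = normal, 1 = attack
        f1 = c if rng.random() < 0.85 else 1 - c
        f2 = c if rng.random() < 0.75 else 1 - c
        f3 = rng.randrange(2)
        rows.append(({"f1": f1, "f2": f2, "f3": f3}, c))
    return rows


def relative_entropy(samples, G, f):
    """D( P(C|G ∪ {f}) || P(C|G) ) averaged over the empirical distribution of the
    feature values; the conditionals are plug-in estimates from the labels."""
    with_f = defaultdict(Counter)
    without_f = defaultdict(Counter)
    for feats, c in samples:
        g = tuple(feats[k] for k in G)
        without_f[g][c] += 1
        with_f[g + (feats[f],)][c] += 1
    n = len(samples)
    d = 0.0
    for key, counts in with_f.items():
        g = key[:-1]
        n_gf = sum(counts.values())
        n_g = sum(without_f[g].values())
        for c, k in counts.items():
            p = k / n_gf                     # P(c | g, f)
            q = without_f[g][c] / n_g        # P(c | g); never zero when k > 0
            d += (n_gf / n) * p * math.log(p / q)
    return d


def select_features(samples, candidates, eps):
    """Greedy forward filter: G_0 = {}, G_{i+1} = G_i ∪ {f} for the f with the largest
    relative entropy, stopping when the best gain falls below eps (nats)."""
    G = []
    remaining = list(candidates)
    while remaining:
        gains = {f: relative_entropy(samples, G, f) for f in remaining}
        best = max(gains, key=gains.get)
        if gains[best] < eps:
            break
        G.append(best)
        remaining.remove(best)
    return G


if __name__ == "__main__":
    data = make_samples()
    print(select_features(data, ["f1", "f2", "f3"], eps=0.01))
```

With this data the filter picks f1, then f2 (still informative given f1, because f1 is noisy), and stops before f3, whose empirical gain is only the small positive bias any plug-in estimate has on a finite sample. That bias is why the stopping threshold matters: on few samples every feature looks informative.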
Node-Based Detection vs. Cooperative Detection
Node-based detection IDS agents operate on every MANET node The only reliable features are those collected by the local feature collection
module Most secure and reliable. But may suffer from
ineffectiveness due to inconclusive evidence inefficiency due to redundant feature computation
Cluster-based detection Group nodes into clusters. Each cluster has certain number of special
nodes, or clusterheads Only a clusterhead runs the IDS agent to monitor for the whole
neighborhood Limitation: best-effort service
Design Criteria
Fairness: Don't elect me, too much work!
Security: Control the clusterheads, control everything!
Classical cluster protocols (min ID, max degree) do not satisfy these requirements
Cluster Formation Protocol
Start with clique computation Each clique member chooses a random input ri and
broadcasts the input Each member independently computes the initial seed by
XOR-ing all inputs
XOR function guarantees the output to be random as long as at least one input is truly random
In fact, inputs are broadcast through a two-round protocol to avoid a delayed-response attack
A sequence of m clusterheads is generated using a PRNG
A consistency protocol ensures that the same clusterheads are elected through role acknowledgement
Clusterheads are re-elected after a certain timeout
$H(r_1, r_2, \ldots, r_n) = \bigoplus_i r_i$
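The election described above, as an added example that is not the authors' protocol implementation: each clique member contributes a random input, the seed is the XOR of all inputs, and a hash-based PRNG expands the seed into m clusterheads that every member can recompute. The slides say only that inputs go through a two-round protocol to stop a delayed-response attack; this example assumes the two rounds are commit (broadcast a hash of the input) and reveal, so a member that waits for the others and then changes its input is caught. The 128-bit input size and the SHA-256-based PRNG are assumptions as well.

```python
import hashlib
import secrets

INPUT_BITS = 128   # size of each member's random input r_i (assumption)


def commitment(r):
    """Round 1 of the two-round broadcast (assumed commit-then-reveal): publish H(r_i)
    so a member cannot wait for the others' inputs and then choose its own."""
    return hashlib.sha256(r.to_bytes(INPUT_BITS // 8, "big")).hexdigest()


def combine_inputs(revealed):
    """H(r_1, ..., r_n) = r_1 xor ... xor r_n: uniform as long as one input is uniform
    and independent of the rest."""
    seed = 0
    for r in revealed.values():
        seed ^= r
    return seed


def clusterhead_sequence(seed, members, m):
    """Expand the seed into m clusterheads with a hash-based PRNG (assumption: the
    slides only say 'PRNG'). Every member evaluating this on the same seed gets the
    same sequence, which is what the consistency protocol then acknowledges."""
    ordered = sorted(members)
    heads = []
    for i in range(m):
        block = seed.to_bytes(INPUT_BITS // 8, "big") + i.to_bytes(4, "big")
        digest = hashlib.sha256(block).digest()
        heads.append(ordered[int.from_bytes(digest, "big") % len(ordered)])
    return heads


def run_election(members, m, inputs=None, tampered=None):
    """Simulate one clique. inputs: fixed r_i per member (random if None);
    tampered: a member whose round-2 reveal differs from its round-1 commitment."""
    if inputs is None:
        inputs = {n: secrets.randbits(INPUT_BITS) for n in members}
    commits = {n: commitment(r) for n, r in inputs.items()}     # round 1: everyone commits
    reveals = dict(inputs)                                       # round 2: everyone reveals
    if tampered is not None:
        reveals[tampered] = secrets.randbits(INPUT_BITS)
    cheaters = [n for n in members if commitment(reveals[n]) != commits[n]]
    if cheaters:
        return {"cheaters": cheaters, "heads": None, "consistent": False}
    seed = combine_inputs(reveals)
    # Each member computes the sequence independently from the broadcast values.
    views = {n: clusterhead_sequence(seed, members, m) for n in members}
    consistent = len({tuple(v) for v in views.values()}) == 1
    return {"cheaters": [], "heads": views[members[0]], "consistent": consistent}


if __name__ == "__main__":
    print(run_election(["A", "B", "C", "D"], m=3))
```

Because the XOR is computed only after every reveal has been checked against its commitment, a single honest member with a good random source is enough to make the seed, and therefore the clusterhead sequence, unpredictable to the others.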
Discussion
Fairness Concern Clusterhead Computation: short-term fairness Periodical re-election: long-term fairness
Security Concern Defend against clusterhead compromise
Short-term and long-term fairness Mutual monitoring
Defend against attacks on the consistency protocol A node can refuse to participate until it is elected A node can refuse to be a clusterhead but join the same (or another)
cluster later Detecting these attacks may be complicated due to node mobility Improved version
A retreat counter is recorded on every member for every other member; meeting a certain threshold is considered a violation; the retreat counter is reset periodically
Cluster-Based Detection Models
Similar approaches can be applied Specification-based Statistics-based
Feature collection A randomly chosen cluster member computes the
necessary features at every sampling period Reduce redundant feature computation Communication overhead may be further reduced by having
“common” features computed directly by the clusterhead Clusterhead-controlled features
Capable of developing new detection rules that involve features from multiple nodes
IP Traceback
What about IP spoofing? IDS detects attacks based on behavior, but taking proper
countermeasures would be hard without knowing the true identities of attack sources
A proper authentication system in place may solve the problem, but it is not universally available
Traditional traceback solutions are unsuitable Hop-by-hop tracing requires collaborative routers and
knowledge about global topology Packet marking and ICMP traceback require static
routes
Hotspot-Based Traceback Protocol
Fully distributed, working in mobile topology and with arbitrary number of compromised nodes
Based on the hash-based traceback (Snoeren’01) Use Bloom Filters to store the packet digest whenever a
packet was forwarded Extend from the original Bloom Filter
Store TTL along with each stored packet Reconstruct original attack path based on replies
with the additional information Resilient to malicious routers and inaccurate TTL
Detect “hotspots” where adversaries are contained
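The Bloom-filter-with-TTL idea on this slide, as an added example that is not the authors' Hotspot-Based Traceback implementation: every forwarding node records the packet digest in a Bloom filter whose slots also keep the TTL seen, a query collects the TTL each node reports for the packet, and ordering nodes by decreasing TTL reconstructs the forwarding path back towards the source. A compromised node is modelled as one that simply does not answer, and the "hotspot" is taken to be the earliest node that does answer, on the assumption that the adversary is then within its one-hop neighbourhood. Filter size, hash count, the silent-attacker model and the packet fields are assumptions for this example.

```python
import hashlib

FILTER_SIZE = 1024    # slots per node (assumption; small for the example)
NUM_HASHES = 3


def packet_digest(packet):
    """Digest over the fields that stay constant hop to hop; TTL is deliberately
    excluded because it changes at every router."""
    data = f"{packet['src']}|{packet['dst']}|{packet['id']}|{packet['payload']}"
    return hashlib.sha256(data.encode()).digest()


def slots(digest):
    return [int.from_bytes(hashlib.sha256(digest + bytes([i])).digest()[:4], "big") % FILTER_SIZE
            for i in range(NUM_HASHES)]


class TTLBloomFilter:
    """Bloom filter whose slots hold the TTL values seen, so a query returns not
    only 'forwarded it' but also the TTL at which this node forwarded it."""

    def __init__(self):
        self.table = [set() for _ in range(FILTER_SIZE)]

    def record(self, digest, ttl):
        for s in slots(digest):
            self.table[s].add(ttl)

    def seen(self, digest):
        """TTL values consistent with all k slots (Bloom semantics: no false
        negatives, occasional false positives)."""
        return set.intersection(*(self.table[s] for s in slots(digest)))


class Node:
    def __init__(self, name):
        self.name = name
        self.log = TTLBloomFilter()

    def forward(self, packet):
        self.log.record(packet_digest(packet), packet["ttl"])
        out = dict(packet)
        out["ttl"] -= 1
        return out


def traceback(nodes, packet, honest=None):
    """Ask every node for the TTL at which it forwarded the packet and order the
    replies: the higher the TTL, the closer the forwarder was to the source.
    honest: names that answer queries; a compromised node is modelled as silent
    (assumption). The hotspot is the earliest replying node: the adversary lies
    within its one-hop neighbourhood if that node is honest."""
    digest = packet_digest(packet)
    replies = {}
    for node in nodes:
        if honest is not None and node.name not in honest:
            continue
        ttls = node.log.seen(digest)
        if ttls:
            replies[node.name] = max(ttls)
    path = sorted(replies, key=lambda name: -replies[name])
    return path, (path[0] if path else None)


def simulate():
    """Constructed chain: attacker -> A -> B -> C -> victim, spoofed source address."""
    a, b, c = Node("A"), Node("B"), Node("C")
    pkt = {"src": "198.51.100.7", "dst": "victim", "id": 1, "payload": "x", "ttl": 8}
    for node in (a, b, c):
        pkt = node.forward(pkt)
    full = traceback([a, b, c], pkt)
    partial = traceback([a, b, c], pkt, honest={"B", "C"})   # A compromised and silent
    return full, partial


if __name__ == "__main__":
    print(simulate())
```

Because the digest ignores the spoofable source address and the TTL, the trail does not depend on the attacker telling the truth about either; a silent compromised router only shortens the reconstructed path, leaving a hotspot that still contains it.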
Packet Filtering
Currently focus on filtering a single attack flow End-host filtering
Stop selective flows based on source addresses Effective only when flows are not spoofed
Fast filtering Rely on Hotspot-based Traceback Filter on intermediate routers in the attack path Optimize with linear programming
Maximize attack packet dropping rate Minimize normal packet dropping rate
Conclusions & Future Work
Intrusion detection and response is a critical security component in MANET
We propose a new MANET IDS architecture Working under the specific assumptions based on the
MANET characteristics Highly effective in detecting well-known routing attacks
Future work Improve feature selection approaches Verification of
EFSA specification Cluster Formation Protocol Hotspot-Based Traceback Protocol