intrusion detection for wireless sensor networks qualifying exam 28 th april 2005 presented by edith...
TRANSCRIPT
Intrusion Detection for Wireless Sensor Networks
Qualifying Exam28th April 2005
Presented by Edith NgaiSupervised by Prof. Michael R. Lyu
Outline
• Background
• Research direction
• Intrusion detection for WSN
• Tracing network attacks
• Conclusion & Proposed future work
Technology trend
• Small integrated devices• Smaller, cheaper, more powerful
• PDAs, mobile phones
• Many opportunities, and research areas• Power management
• Distributed algorithms
Wireless sensor networks
• Wireless sensor node• power supply
• sensors
• embedded processor
• wireless link
• Many, cheap sensors• wireless easy to install
• intelligent collaboration
• low-power long lifetime
Possible applications
• Military• Asset monitoring and management, battlefield
surveillance, biological attack detection
• Ecological• fire detection, flood detection, agricultural uses
• Health related• Medical sensing, microsurgery
• General engineering• car theft detection, inventory control, residential
security
Requirements
• Low energy use
• Efficient use of small memory
• In-network data processing• large amounts of raw data
• limited power and bandwidth
• Efficient data routing
• Node localization
WSN vs MANET
WSN MANET
Goal Detection / estimation of some events of interest Simply communications
Communication pattern Specialized to:Many-to-oneOne-to-manyLocal communications
Typically support routing between any pair of nodes
Energy/resources constrained
More Less
Mobility Mostly not mobile Mostly mobile
Cooperation among nodes
More cooperative, exhibit trust relationships Less cooperative
Security mechanism Authentication and routing based on public key cryptography is too expensive
Both public key or asymmetric cryptography can be applied
Routing Distance vector and source routing protocols are generally too expensive
Support different types of routing protocols
Security in WSN
• Main security threats in WSN are:• Radio links are insecure – eavesdropping /
injecting faulty information is possible
• Sensor nodes are not temper resistant – if it is compromised the attacker obtains all security information
• Protecting confidentiality, integrity, and availability of the communications and computations
Why security is different?
•Sensor Node Constraint
•Battery
•CPU power
•Memory
•Networking Constraints and Features
•Wireless
•Ad hoc
•Unattended
Network defense
Protect - Encryption - Firewalls - Authentication - Biometrics
Detect - Intrusions - Attacks - Misuse of Resources - Data Correlation - Data Visualization - Malicious S/W - Network Status/
Topology
React - Response - Terminate Connections - Block IP Addresses - Containment - Fishbowl - Recovery - Reconstitute
What is intrusion detection?
• Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities
• Intrusion detection discovers violations of confidentiality, integrity, and availability of information and resources
• Intrusion detection demands:• As much information as the computing
resources can possibly collect and store
• Experienced personnel who can interpret network traffic and computer processes
• Constant improvement of technologies and processes to match pace of Internet innovation
What is intrusion detection?
How useful is intrusion detection?
• Provide digital forensic data to support post-compromise law enforcement actions
• Identify host and network misconfigurations• Improve management and customer
understanding of the Internet's inherent hostility
• Learn how hosts and networks operate at the operating system and protocol levels
Intrusion detection models
• All computer activity and network traffic falls in one of three categories:
• Normal
• Abnormal but not malicious
• Malicious
• Properly classifying these events are the single most difficult problem -- even more difficult than evidence collection
Intrusion detection models
• Two primary intrusion detection models• Network-based intrusion detection monitors
network traffic for signs of misuse
• Host-based intrusion detection monitors computer processes for signs of misuse
• So-called "hybrid" systems may do both• A hybrid IDS on a host may examine network
traffic to or from the host, as well as processes on that host
IDS paradigms
• Anomaly Detection – look for abnormal
• Misuse Detection – pattern matching
• Burglar Alarms - policy based detection
• Honey Pots - lure the hackers in
• Hybrids - a bit of this and that
Anomaly detection
• Goals:• Analyze the network or system and infer what
is normal
• Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal”
• If events are outside of a probability window of “normal”, it generates an alert
Anomaly detection (cont)
• Typical anomaly detection approaches:• Neural networks - probability-based pattern
recognition
• Statistical analysis - modeling behavior of users and looking for deviations from the norm
• State change analysis - modeling system’s state and looking for deviations from the norm
Misuse detection
• Goals:• Know what constitutes an attack
• Detect it
• A database of known attack signatures should be maintained
Misuse detection (cont)
• Typical misuse detection approaches:• “Network grep” - look for strings in network
connections which might indicate an attack in progress
• Pattern matching - encode series of states that are passed through during the course of an attack
• e.g.: “change ownership of /etc/passwd” -> “open /etc/passwd for write” -> alert
Types of attack
• Physical attack• Physical damage, destroy, tamper
• MAC layer attack• Jamming
• Network layer attack• Misdirection on routing• Selective forwarding• Sinkhole attack• Wormhole attack• Sybil attack• Rushing attack• Hello flood attack
• Application layer attack• Denial of service
Research proposal
Intrusion Detection
Anomaly DetectionPattern Reognition
...
Intrusion Tracing
Route TrackingTopology Overview
Attack Analysis...
Intrusion ReactionNode Isolation
Certificate Revocation...
Audit DataSensing Results Routing InformationNode Behaviors Network Topology
Data CollectionLocalization Data Fusion Routing
Behavior Monitoring History Recording Intrusion Detection Framework
Attack TypesDetected
AttackerLocated
Audit data
• Application data from sensors
• Routing information
• Node behavior record
• Network topology
Procedures
• Intrusion Detection• Discover suspicious activity from audit data
• Detect the intrusions
• Classify the type of intrusions
• Intrusion Tracing• Trace of source of intrusions
• Identify and locate the intruders
• Intrusion Reaction• Resist to the intrusions
• Defend against further intrusions
Network model
•BSj: base station at location (Xj, Yj)
•Si: sensor node at location (xi, yi)
•R: transmission range of the base station
•r: transmission range of the sensor node
•k-coverage: a node covers by k BSs
Definitions
• Coverage of a base station
• Number of coverage from base stations
• p sends data to q successfully (in 1-hop)
• p sends data to q successfully via k hops
• p fails in sending data from p to q
}:{ RBSppC ii
}1|...{ 2 NiBSiBSiBSipS jkik
Gqprqpqp s ,
):|},...,1{,(
|,..., 112
1111
qpppppjikji
qpppppGppqp
iiji
ski
si
ki
skk
s
qtopfromontransmissionfailureqp f ______
Types of intrusions
• Sinkhole SH(q), HelloFlood HF(q)• A region of nodes will forward packets
destined for a BS through an adversary
• Wormhole WH(q)• An adversary tunnels messages received in
one part of the network over a low latency link and replays them in a different part
Types of intrusions
• Missing Data MD(Ci)• Missing data from p to BSi
• Wrong Data (local) WDL(p)• Inconsistent data
• Selective Forwarding / Interference• Sensor p does not forward data to its
neighboring nodes
iif CpBSp |
mis
iw dBSpNdBSpd ))(()(
)( pNp f
Architecture
History
Route Tracing
Data Fusion (local,global)
TopologyNeighboringMonitoring Data Collection
RoutingMissing Data?
Inconsistent Data?
Intrusion Type Identification
Yes
Yes
Intrusion Location
Intrusion Reaction
Suspicious Behavior?
Yes
Suspicious Routes?
Yes
Intrusion detection components
• Data fusion• Local – neighboring nodes
• Global – overlapping areas
• Topology discovery
• Route tracing
• History
• Neighbor monitoring • Watchdog
Intrusion detection
Components\Attack Types I II III IV V
Neighbor Monitoring
BS Dominating intermediate node
Dominating intermediate node
Selective forwarding
N/A N/A
Sensor N/A N/A Selective forwarding
N/A Interference (jamming with neighbors)
Data Fusion Global (may have missing or inconsistent data)
(may have missing or inconsistent data)
Missing data Inconsistent data (IVa – malicious sensor or intermediate nodes)
Missing data
Local (may have missing or inconsistent data)
(may have missing or inconsistent data)
Missing data Inconsistent data (IVb – sensor failure or being compromised)
Missing data
Routing (with topology info.)
BS a region of nodes forward packet through the same adversary
An adversary tunnels messages and replays them in a different part
N/A N/A N/A
Attack Types: I - Sinkhole, Hello Flood II – Wormhole III – Missing DataIV – Wrong Data V - Interference
Related work
• “dead” node• cases sending or routing measurement as died
• “silent” node• Ceases sending but status not determined
Tracing sinkhole attack
• Adversary lures nearly all traffic from a particular area through a compromised node
• Attracts network traffic by advertising a high quality path to the BS
• Common kind of violation is
selective forwarding1
Attack region detection
• The BS can detect the list of nodes affected by the intrusions• Missing data
• Inconsistent data
• Circle the attack area
Probing
• Collect the next hop, hop counts from the nodes in the affected area
1. At the beginning of a suspicious sinkhole attack occurs
BS -> N(x): <probing, BSi>
2. When a probing message is received from N(x)
x -> y (neighbors of x): <probing, x, BSi>
3. When node y receives a probing messagey -> x: <y, shortest_next_hop, shortest_hop_count>
(routing information to BS)
y -> y’ (neighbors of y): <probing, y, BSi>
4. The processes (3) repeats until the request messages reach the boundary of the attack area
2
2
2
3
3
34
4
4 4
4
4
34
3
3
4
4
344
3
4
4
3
2
21
SH 2
Identify the sinkhole• Sinkhole does not have
outgoing edges
• Incoming edges to sinkhole should provide minimum no. of hop counts to BS
2
2
2
3
3
34
4
4 4
4
4
34
3
3
4
4
344
3
4
4
3
2
2
1SH 2
Search from the leaf nodes
to the root (Sinkhole)
1
3
3
3
3
3
3
3
2
33
3
2
2
1A
B
SH’
SH
(a)
(c)
(b)
(d)
SH’
SH
C
D
E
F
GH
With colluding nodes
Attack area with colluding nodes (a) missing information (b) cycles(c) misleading sinkhole (d) identification sinkhole using hop counts
Missing information
Misleading Sinkhole
Routing loop
Wrong routing information
Enhanced algorithm
• Finding array on hop countsfor each root r
initialize a new array countcheckRootByCount(r, count, 1);if (count[0] => numNode(r)/2)
r is a correct root.end if
end for
checkRootByCount (Node r, Array count, int depth)depth = depth +1for each precedent node p of r
increase count[ w(p,r) – depth ] by 1 checkRootByCount (p, count, depth)
end forend checkRootByCount
h -2 -1 0 1 2
Count[h] 0 0 n 0 0
Calculate the array “Count”
Call method “checkRootByCount”
for each roots
Enhanced algorithmfor each root r
initialize a new Array countinitialize a new Path correctPath
checkRootByCount(r, count, 1)
S = {x>0 | forall y>0, count[x]+count[-x]>count[y]+count[-y]}x = min (S)
correctRoot(r, r, x, 0, correctPath , count[0])apply correctPath on Network G
end for
correctRoot (Node r, Path p, int totalLevel, int currentLevel, Path correctPath, int bestCount)
if (currentLevel >= totalLevel)return
end if
currentLevel= currentLevel+1for each precedent node c of r
initialize a new Array countreverse edge (c,r)
checkRootByCount (c, count, 1)if (count[0]> bestCount)
correctPath = p->cend ifcorrectRoot(c, p->c, totalLevel, currentLevel, correctPath , bestCount)
reverse edge(c,r)end for
end correctRoot
Correct the root by specifying another suspicious Sinkhole
Calculate the array “Count” again
Calculate no. of hop counts for
correction
Select the best result
2
3
2
3
3
34
4
4 4
4
4
34
2 3
3
4
4
344
3
4
4
3
22
1A
SH’
SH
Example – Before correction
i -2 -1 0 1 2
Count[i] 0 14 8 6 0
1
Value provided by node X
= 4
Deduced value from X to SH’
= 3
Count of node X
= 4 – 3 = 1
(=>SH should be 1 hop farther away than SH’)
X
Value provided by node Y
= 3
Deduced value from Y to SH’
= 4
Count of node Y
= 3 – 4 = -1
(=>SH should be 1 hop closer than SH’)
Y
Example – After correction
i -2 -1 0 1 2
Count[i] 0 1 21 6 0
Value provided by node X
= 4
Deduced value from X to SH’
= 4
Count of node X
= 4 – 4 = 0
(=>hop count agrees with SH)
X
Value provided by node Y
= 3
Deduced value from Y to SH’
= 3
Count of node Y
= 3 – 3 = 0
(=>hop count agrees with SH)Y2
3
2
3
3
34
4
4 4
4
4
34
2 3
3
4
4
344
3
4
4
3
2
2
1A
SH’
SH
Required technologies
• Collection of the audit data• Localization• Data fusion• Routing
• Analysis on the audited data• Identifying the intrusion characteristics• Detecting the intrusions• Locating the intrusions
• Intrusion reaction
Proposed work
• Study how to collect the audit data effectively and complete the intrusion detection architecture
• Investigate the methods to analyze the audited data for intrusion detection
• Propose new methods to identify and locate the intruders (for various attacks)
• Study and explore reactive measures to defend against the detected intrusions
• Formulate and evaluate our intrusion detection framework which is expected to be effective in detecting and resisting to the many types of intrusions
Conclusion
• We discussed the characteristics of WSN and its security issues
• We studied traditional intrusion detection technologies
• We introduced our intrusion detection framework in our research proposal
• We proposed an intrusion detection architecture and analyzed some kinds of intrusions can be detected
• We proposed an algorithm for tracing Sinkhole attack for WSN
• We presented our proposed future work