Intrusion Detection Techniques in Mobile Ad Hoc and Wireless Sensor Networks - IEEE October 2007 CMSC 681 - Advanced Computer Networks Oleg Aulov

Page 1: Oleg Aulov - NetworksPresentation

Intrusion Detection Techniques in Mobile Ad Hoc and Wireless Sensor Networks - IEEE October 2007
CMSC 681 - Advanced Computer Networks
Oleg Aulov

Page 2: MANET and WSN

- No wires; limited battery life; limited memory and processing capability
- No base stations; mobile nodes; nodes relay data (act as routers)
- Usually no centralized authority
- Deployed in adverse or hostile environments
- Prevention (security: key distribution and key management schemes) does not work once a node is compromised and its secrets leak; insiders can cause greater damage.

Page 3: IDS - second line of defence

- IDS dynamically monitors the system to detect compromise of confidentiality, availability and integrity.
- Two common types:
  - misuse based - stores a database of known attacks
  - anomaly based - creates a normal profile of system states or user behaviors (difficult to build; mobility challenges)
- Specification based - manually developed specifications; time-consuming

Page 4: ID in MANET - attacks

- Routing logic compromise - blackhole, routing update storm, fabrication
- Traffic distortion - dropping, corruption, flooding
- Others - rushing, wormhole, spoofing

Page 5: MANET - Existing Research - Zhang et al

- Agent attached to each node performs ID & response individually
- Unsupervised method to construct & select the feature set (distance, velocity, # hops, etc.)
- Pattern classification problem - apply RIPPER (decision tree for rule induction) and SVM Light (support vector machine, used when the data cannot be classified by a set of features)
- Post processing - to eliminate false alarms

Page 6: MANET - Existing Research - Huang et al

- Cross-Feature Analysis - learning based method to capture correlation patterns.
- L features f1, f2, ..., fL; fi is a feature characterizing topology or route activities.
- Solve a classification problem: create the set Ci = {f1, ..., fi-1, fi+1, ..., fL}, used to identify the temporal correlation between one feature and all the other features.
- Ci is very likely to predict fi in normal circumstances, very unlikely during an attack.

Page 7: MANET - Existing Research - Huang and Lee

- Collaboration with neighbors - broader ID range, more accurate, more information about attacks
- Cluster based detection scheme - FSM states: Initial, Clique, Done, Lost
- Ad hoc On-Demand Distance Vector (AODV) algorithm
- EFSA - detects state and transition violations
- Specification based approach; detects abnormal patterns and anomalous basic events.

Page 8: MANET - Existing Research - Marti et al

- Watchdog and Pathrater to identify and respond to routing misbehaviors.
- Each node verifies that its data was forwarded correctly.
- DSR - dynamic source routing
- Rate routes and use the more reliable ones.
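The Watchdog/Pathrater pair on this slide, as an added example (not code from the slides or from Marti et al.): a Watchdog that buffers what it forwarded and tallies next hops it never overhears retransmitting, and a Pathrater that routes around reported nodes. The timeout, failure threshold and rating constants are chosen for this example.

```python
# Added example, not from the slides or from Marti et al.: Watchdog + Pathrater on a
# DSR source route. Timeout, threshold and rating constants are illustrative choices.

class Watchdog:
    def __init__(self, timeout=2.0, threshold=3):
        self.timeout = timeout      # seconds to wait for the overheard retransmission
        self.threshold = threshold  # missed forwards before the next hop is reported
        self.pending = {}           # (next_hop, pkt_id) -> time we handed it over
        self.failures = {}          # next_hop -> tally of packets never overheard
        self.misbehaving = set()

    def sent(self, now, next_hop, pkt_id):
        self.pending[(next_hop, pkt_id)] = now

    def overheard(self, next_hop, pkt_id):
        # The next hop retransmitted the packet: the buffered copy is cleared.
        self.pending.pop((next_hop, pkt_id), None)

    def expire(self, now):
        # Buffered packets past the timeout count against the next hop.
        for key, t_sent in list(self.pending.items()):
            if now - t_sent > self.timeout:
                del self.pending[key]
                hop = key[0]
                self.failures[hop] = self.failures.get(hop, 0) + 1
                if self.failures[hop] >= self.threshold:
                    self.misbehaving.add(hop)
        return set(self.misbehaving)


class Pathrater:
    NEUTRAL, CEILING, STEP, MISBEHAVING = 0.5, 0.8, 0.01, -100.0

    def __init__(self):
        self.rating = {}

    def rate(self, node):
        return self.rating.get(node, self.NEUTRAL)

    def credit_active(self, path):
        # Nodes on a path that keeps delivering slowly earn a better rating.
        for node in path:
            self.rating[node] = min(self.CEILING, self.rate(node) + self.STEP)

    def report(self, node):
        self.rating[node] = self.MISBEHAVING  # Watchdog report: avoid this node

    def choose(self, paths):
        # Path metric is the mean rating of the nodes on it; pick the best.
        return max(paths, key=lambda p: sum(self.rate(n) for n in p) / len(p))


def run_demo():
    # Constructed trace at node B on route A-B-C-D: B forwards three packets to C,
    # overhears none of them, and later expires them all.
    wd, pr = Watchdog(), Pathrater()
    for pkt_id, t in enumerate((0.0, 0.5, 1.0)):
        wd.sent(t, "C", pkt_id)
    bad = wd.expire(now=4.0)
    for node in bad:
        pr.report(node)
    return bad, pr.choose([["C", "D"], ["E", "F", "D"]])
```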

Page 9: MANET - Existing Research - Tseng et al

- Based on AODV - specification based ID
- Detects run time violations
- FSM - specifies the behaviors of AODV
- Maintains RREP and RREQ messages

Page 10: MANET - Existing Research - Sun et al

- Use Markov chains to characterize normal behaviors
- Motivated by ZBIDS (zone based) - locally generated alerts inside the zone
- Gateway nodes - broadcast alerts within the zone
- IDMEF (Intrusion Detection Message Exchange Format) - presented to facilitate interoperability of IDS agents.

Page 11: ID in WSN

Page 12: Secure Localization

- GPS not feasible
- Utilization of beacon packets and beacon nodes
- Du et al - utilize deployment knowledge to confirm beacon integrity
- Liu et al - filter out malicious location references using mean square error (compute the inconsistency); voting based location estimation
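The voting based estimation and inconsistency check from the Liu et al bullet, as an added example (not code from the slides or from Liu et al.): each location reference votes for the grid cells consistent with its claimed distance, the most-voted cells give the estimate, and references that disagree with it are the ones to discard. The grid size, ring tolerance and all beacon data are constructed.

```python
import math

# Added example, not from the slides or from Liu et al.: voting based location
# estimation on a grid, then flagging references inconsistent with the result.
# Grid, tolerance and beacon data below are constructed for the example.

def vote_location(references, area=10.0, cell=1.0, tol=1.0):
    """references: list of (beacon_x, beacon_y, claimed_distance).
    Each reference votes for every cell whose centre is within tol of its claimed
    distance; the estimate is the centroid of the cells with the most votes."""
    n = int(area / cell)
    votes = {}
    for i in range(n):
        for j in range(n):
            cx, cy = (i + 0.5) * cell, (j + 0.5) * cell
            votes[(cx, cy)] = sum(
                1 for bx, by, d in references
                if abs(math.hypot(cx - bx, cy - by) - d) <= tol)
    best = max(votes.values())
    winners = [c for c, v in votes.items() if v == best]
    x = sum(c[0] for c in winners) / len(winners)
    y = sum(c[1] for c in winners) / len(winners)
    return (x, y), best


def inconsistent_references(references, estimate, tol=1.0):
    """Indices of references whose claimed distance disagrees with the estimate;
    a node drops these before any further (e.g. mean square error) refinement."""
    ex, ey = estimate
    return [k for k, (bx, by, d) in enumerate(references)
            if abs(math.hypot(ex - bx, ey - by) - d) > tol]


# Constructed scenario: the node is really at (4, 3). Three honest beacons report
# consistent distances; the fourth beacon, at (0, 9), is compromised and claims
# a distance of 1 to pull the estimate towards itself.
REFERENCES = [(0.0, 0.0, 5.0), (8.0, 0.0, 5.0), (4.0, 9.0, 6.0), (0.0, 9.0, 1.0)]

if __name__ == "__main__":
    estimate, support = vote_location(REFERENCES)
    print("estimate", estimate, "votes", support)
    print("inconsistent references", inconsistent_references(REFERENCES, estimate))
```

With these inputs the honest beacons agree on the four cells around (4, 3), while the compromised reference only supports cells near itself and is flagged as inconsistent.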

Page 13: Secure Aggregation

- Wagner - robust statistics for resilient aggregation: truncation, trimming
- Yang - Secure Hop-by-Hop Aggregation Protocol (SDAP): divide and conquer, commit and attest, Grubbs' test
- Buttyan - RANSAC paradigm for resilient aggregation; maximum likelihood estimation
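Two of the resilient aggregates on this slide side by side, as an added example (not code from the slides or from Wagner's or Buttyan's work): a trimmed mean in the robust-statistics style and a RANSAC-style consensus mean, run over one constructed set of readings with two compromised reporters. The readings, trim fractions and inlier tolerance are constructed for the example.

```python
import random

# Added example, not from the slides or from Wagner's/Buttyan's papers: a trimmed
# mean and a RANSAC-style consensus mean over constructed sensor readings.

def trimmed_mean(values, trim_fraction):
    """Trimming: drop the k smallest and k largest readings, then average the rest."""
    ordered = sorted(values)
    k = int(len(ordered) * trim_fraction)
    kept = ordered[k:len(ordered) - k]
    return sum(kept) / len(kept)


def ransac_mean(values, tol, iterations=20, seed=1):
    """RANSAC-style aggregation: hypothesise the true value from one random
    reading, treat readings within tol of it as inliers, keep the largest
    consensus set found and return (mean of that set, its size)."""
    rng = random.Random(seed)
    best_inliers = []
    for _ in range(iterations):
        hypothesis = rng.choice(values)
        inliers = [v for v in values if abs(v - hypothesis) <= tol]
        if len(inliers) > len(best_inliers):
            best_inliers = inliers
    return sum(best_inliers) / len(best_inliers), len(best_inliers)


# Constructed readings: eight honest temperature-like values near 20.0 and two
# compromised nodes reporting 95.0 and 97.5 to drag the aggregate upwards.
READINGS = [20.1, 19.8, 20.4, 20.0, 19.6, 20.3, 20.2, 19.9, 95.0, 97.5]


def compare():
    return {
        "mean": sum(READINGS) / len(READINGS),
        "trimmed_10pct": trimmed_mean(READINGS, 0.10),  # 1 per side: one liar survives
        "trimmed_20pct": trimmed_mean(READINGS, 0.20),  # 2 per side: both liars gone
        "ransac": ransac_mean(READINGS, tol=2.0)[0],
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:14s} {value:.4f}")
```

Trimming only helps when the trim fraction covers the compromised fraction, whereas the consensus set contains exactly the eight honest readings regardless of how far the two liars sit.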

Page 14: Future Research Directions

- Extended Kalman Filter based aggregation - lightweight solution for estimation of neighbor monitoring features
- Integration of mobility and ID in MANET - consider using the link change rate as an indication of mobility.
- Collaboration of IDM and SMM (system monitoring) - to address the problem of telling an abnormal event from a false alarm: ask the surrounding nodes to confirm.

Page 15: Questions ???