Protecting Mobile Ad Hoc Network Routing Infrastructure with Intrusion Detection Systems Yi-an Huang and Wenke Lee College of Computing Georgia Institute of Technology


Page 1: Protecting Mobile Ad Hoc Network Routing Infrastructure with Intrusion Detection Systems Yi-an Huang and Wenke Lee College of Computing Georgia Institute

Protecting Mobile Ad Hoc Network Routing Infrastructure with Intrusion Detection Systems

Yi-an Huang and Wenke Lee, College of Computing, Georgia Institute of Technology

Page 2:

Outline

Motivation and Attack Analysis on Mobile Ad Hoc Networks
IDS Design
  Intrusion Detection
    Architecture: Node-based vs. cluster-based
    Approach: Specification-based vs. statistics-based
  Intrusion Response: Traceback and Filtering
Future Work
  Better machine learning approaches
  Verification of protocol state machine and distributed protocols

Page 3:

Mobile Ad Hoc Networks (MANET)

Concepts
  Mobile hosts with no fixed infrastructure
  Connected through wireless links
  No centralized control
  Multi-hop routing
  Great potential for a number of new self-managing applications

Characteristics
  Inadequate physical protection: node compromise may be more common
  Mobile routing topology
  No single traffic concentration point (gateways, access points, etc.)
  Resource-constrained capability
  Existing security solutions designed for wired networks may have problems

Motivation Architecture Case Study

Page 4:

Routing Attack Example: Sinkhole

Page 5:

General Assumption

Reliable Communication Channel
  Bi-directional
  Free from loss/congestion
Adversary Model
  Every node in MANET may be compromised, and with equal probability
  We focus on attacks on routing protocols

Page 6:

Attack Analysis in MANET Routing

Traditional attack analysis is based on the knowledge of known incidents. It is therefore hard to apply traditional attack analysis in MANET, since MANET is a relatively new environment.
Our proposed approach: perform a taxonomy study on anomalous basic events
  Decompose routing behavior into basic events: the smallest set of causally related operations in a single node
  Anomalous basic events are basic events that do not follow the normal protocol behavior
    They can be used to define a set of basic attacks conducted on a single node
    More complicated attacks can be modeled by combinations of anomalous basic events
  Taxonomy of anomalous basic events
    on the security goals that may be compromised: confidentiality, integrity and availability; and
    on the routing elements that may be targeted by attackers: routing and data messages, routing table entries

Page 7:

Taxonomy of Anomalous Basic Events

Compromise on Security Goals | Events by Targets: Routing Messages | Data Packets    | Routing Table Entries
Confidentiality              | Location Disclosure                 | Data Disclosure | N/A
Integrity: Add               | Fabrication                         | Fabrication     | Add Route
Integrity: Delete            | Interruption                        | Interruption    | Delete Route
Integrity: Change            | Modification, Rushing               | Modification    | Change Route Cost
Availability                 | Flooding                            | Flooding        | Routing Table Overflow

Bold face represents what an IDS agent is currently capable of.

Page 8:

Comparison of Security Solutions

Prevention techniques
  Provide authenticated use and data integrity
  Con: susceptible to insider attacks, software bugs, etc.
Reputation systems
  An alternative concept: selfishness is natural
  Incentives are provided to encourage forwarding
  Con: only address a limited set of security problems
Intrusion Detection and Response
  Capture potential misbehavior in real time (Detection)
  Identify attack sources (Traceback)
  Respond promptly to recover from or minimize damage (Filtering)

Page 9:

IDS Architecture

(Architecture diagram.) The IDS Agent has two parts: Intrusion Detection, made up of Feature Collection, Node-Based Detection and Cooperative Detection, and Intrusion Response, made up of Traceback and Filtering, with a Secure Communication component.

Page 10:

Feature Collection Based on Routing Protocol Specification

Motivation
  Previously, we chose features manually based on domain knowledge and heuristics
  A more systematic approach is preferred
Solution: enumerate possible features derived from a protocol specification described in an extended state machine
  An Extended Finite State Automaton (EFSA) is a finite-state machine where transitions and states can carry a finite set of arguments
  EFSAs can be derived from protocol implementations, RFCs or other specifications
  Define behavior on the routing protocol level
  Issue: how do we verify the correctness of the EFSA?
Case study: AODV (Ad hoc On-demand Distance Vector) Routing Protocol (Perkins’03)

Feature Collection Intrusion Detection Intrusion Response

Page 11:

Example

Semantic Violation: Interruption of Data Packets
Statistical Violation: Flooding of Data Packets

Valid[ob, oSeq, nHops, nxt]
  (T10) DATA?[Src, ob] -> if (ob != cur) DATA![Src, ob, nxt]

Page 12:

Two Detection Approaches

Target different anomalous basic events
Specification-based detection
  Detect violations of the EFSA specification
  High accuracy, assuming that the specification correctly models all normal behavior in semantics
Statistics-based detection
  Many attacks do not violate the specification directly
  The statistics-based approach, equipped with machine learning tools, can detect abnormal statistical patterns
  Statistical features are extracted from states and transitions of the EFSA
Misuse detection vs. anomaly detection
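The following Python is an added example, not code from the slides or from the authors' implementation, that applies both detection approaches to the AODV transition T10 of Page 11. The specification-based monitor flags a DATA? received in a Valid state for a destination other than the current node that is never followed by the required DATA! (interruption of data packets); the statistics-based monitor counts T10 firings per window and flags windows whose count exceeds a profile learned from normal traffic (flooding of data packets). The node id N2, the routing table ROUTES, the event trace TRACE, the normal profile NORMAL_PROFILE, the one-second window and the mean-plus-three-sigma threshold are all constructed here and are not taken from the paper.

```python
import statistics
from collections import defaultdict

CUR = "N2"  # the node whose EFSA we monitor (constructed)

# Constructed routing table of N2: destination -> arguments of state
# Valid[ob, oSeq, nHops, nxt].  Destinations absent here are not in a
# Valid state, so transition T10 does not apply to them.
ROUTES = {
    "N5": {"oSeq": 7, "nHops": 2, "nxt": "N3"},
    "N9": {"oSeq": 3, "nHops": 1, "nxt": "N9"},
}

# Constructed event trace observed at N2.  Each entry is
# (time_s, "recv"|"send", src, dst, next_hop_or_None, packet_id).
# "recv" is the DATA?[Src, ob] input, "send" the DATA![Src, ob, nxt] output.
TRACE = [
    (0.1, "recv", "N1", "N5", None, 1), (0.2, "send", "N1", "N5", "N3", 1),
    (0.5, "recv", "N1", "N9", None, 2), (0.6, "send", "N1", "N9", "N9", 2),
    (1.1, "recv", "N4", "N5", None, 3),        # never forwarded: interruption
    (1.4, "recv", "N1", "N2", None, 4),        # addressed to cur: nothing to forward
    # a burst of 40 packets from N7 inside window 2: flooding
    *[(2.0 + i * 0.01, "recv", "N7", "N5", None, 100 + i) for i in range(40)],
    *[(2.0 + i * 0.01, "send", "N7", "N5", "N3", 100 + i) for i in range(40)],
]


def spec_violations(trace, routes, cur=CUR):
    """Specification-based check of T10: a DATA?[Src, ob] received in state
    Valid[ob, ...] with ob != cur must be followed by DATA![Src, ob, nxt].
    Packets never forwarded are 'interruption' events; packets forwarded to a
    next hop other than the route's nxt violate the transition's arguments."""
    pending = {}
    violations = []
    for _t, direction, src, dst, nxt, pid in trace:
        if dst == cur or dst not in routes:
            continue
        if direction == "recv":
            pending[pid] = (src, dst)
        else:
            pending.pop(pid, None)
            if nxt != routes[dst]["nxt"]:
                violations.append(("wrong-next-hop", pid))
    for pid in sorted(pending):
        violations.append(("interruption", pid))
    return violations


def t10_counts(trace, routes=ROUTES, cur=CUR, window_s=1.0):
    """Statistical feature extracted from the EFSA: number of T10 firings
    (DATA? inputs in a Valid state for a destination other than cur) per window."""
    counts = defaultdict(int)
    for t, direction, _src, dst, _nxt, _pid in trace:
        if direction == "recv" and dst in routes and dst != cur:
            counts[int(t // window_s)] += 1
    return dict(counts)


# Constructed per-window T10 counts from an attack-free trace (training data).
NORMAL_PROFILE = [2, 3, 1, 2, 4, 2, 3, 1]


def flooding_windows(counts, profile=NORMAL_PROFILE, k=3.0):
    """Anomaly rule: a window whose count exceeds mean + k * stddev of the
    normal profile is reported as flooding."""
    threshold = statistics.mean(profile) + k * statistics.pstdev(profile)
    return sorted(w for w, c in counts.items() if c > threshold)


if __name__ == "__main__":
    print("semantic violations:", spec_violations(TRACE, ROUTES))
    print("T10 firings per window:", t10_counts(TRACE))
    print("flooding windows:", flooding_windows(t10_counts(TRACE)))
```

The two monitors see different things: the interruption of packet 3 is invisible to the statistical rule (one packet more or less does not move the count), and the burst from N7 is invisible to the specification check (every packet in it is forwarded exactly as T10 requires), which is the point made on Page 12 about the two approaches targeting different anomalous basic events.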

Page 13:

Anomalous Basic Events Revisited

Compromise on Security Goals | Events by Targets: Routing Messages | Data Packets    | Routing Table Entries
Confidentiality              | Location Disclosure                 | Data Disclosure | N/A
Integrity: Add               | Fabrication                         | Fabrication     | Add Route
Integrity: Delete            | Interruption                        | Interruption    | Delete Route
Integrity: Change            | Modification, Rushing               | Modification    | Change Route Cost
Availability                 | Flooding                            | Flooding        | Routing Table Overflow

Underlined categories are covered by the specification-based approach

Page 14:

Feature Selection

Learning-based approaches do not work well with a large number of features
A filter approach based on labeled data
  Start with the empty set: $G_0 = \{\}$
  Add the new feature $f_i$ that maximizes the relative entropy of the two distribution functions $P(C \mid G_i)$ and $P(C \mid G_i \cup \{f\})$: $G_{i+1} = G_i \cup \{f\}$
  Repeat until the relative entropy is insignificant
  Efficient in practice

Relative entropy (Kullback-Leibler divergence):
$$D(p \,\|\, q) = \sum_x p(x) \log \frac{p(x)}{q(x)}$$
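An added Python example (not the authors' code) of the greedy filter described on this slide. The relative entropy between P(C|G) and P(C|G ∪ {f}) is computed as the average over the labeled samples of D(P(C|G ∪ {f}) || P(C|G)) in bits, which is my reading of the slide's criterion (it equals the conditional mutual information I(C; f | G)); the labeled samples, the discretized feature values and the stopping threshold min_gain are constructed here.

```python
import math
from collections import Counter, defaultdict

# Constructed labeled samples: (discretized feature values, class label).
# Built so that fwd_ratio alone determines the class, rreq_rate is weakly
# informative and noise carries no information about the class.
SAMPLES = [
    ({"fwd_ratio": "high", "rreq_rate": "low",  "noise": "a"}, "normal"),
    ({"fwd_ratio": "high", "rreq_rate": "low",  "noise": "b"}, "normal"),
    ({"fwd_ratio": "high", "rreq_rate": "high", "noise": "a"}, "normal"),
    ({"fwd_ratio": "high", "rreq_rate": "low",  "noise": "b"}, "normal"),
    ({"fwd_ratio": "low",  "rreq_rate": "high", "noise": "a"}, "attack"),
    ({"fwd_ratio": "low",  "rreq_rate": "high", "noise": "b"}, "attack"),
    ({"fwd_ratio": "low",  "rreq_rate": "low",  "noise": "a"}, "attack"),
    ({"fwd_ratio": "low",  "rreq_rate": "high", "noise": "b"}, "attack"),
]


def _key(feats, subset):
    """Value tuple of the features in `subset` for one sample (the 'G' side)."""
    return tuple(feats[f] for f in subset)


def class_counts(samples, subset):
    """Empirical P(C | G) stored as per-group label counts."""
    counts = defaultdict(Counter)
    for feats, label in samples:
        counts[_key(feats, subset)][label] += 1
    return counts


def expected_kl(samples, subset, feature):
    """Average over samples of D(P(C | G u {f}) || P(C | G)) in bits.
    Every group of G u {f} is a subset of a group of G, so P(C|G) is never
    zero where P(C|G u {f}) is positive and the log is always defined."""
    base = class_counts(samples, subset)
    ext = class_counts(samples, subset + [feature])
    total = 0.0
    for feats, _label in samples:
        pb = base[_key(feats, subset)]
        pe = ext[_key(feats, subset + [feature])]
        nb, ne = sum(pb.values()), sum(pe.values())
        for label, n in pe.items():
            p_e, p_b = n / ne, pb[label] / nb
            total += p_e * math.log2(p_e / p_b)
    return total / len(samples)


def select_features(samples, candidates, min_gain=0.05):
    """Greedy forward filter: G0 = {}, repeatedly add the feature maximizing
    the relative entropy, stop once the best gain is insignificant."""
    selected, gains = [], []
    remaining = list(candidates)
    while remaining:
        scored = {f: expected_kl(samples, selected, f) for f in remaining}
        best = max(remaining, key=scored.get)
        if scored[best] < min_gain:
            break
        selected.append(best)
        gains.append(scored[best])
        remaining.remove(best)
    return selected, gains


if __name__ == "__main__":
    for f in ("fwd_ratio", "rreq_rate", "noise"):
        print(f, round(expected_kl(SAMPLES, [], f), 4), "bits")
    print(select_features(SAMPLES, ["fwd_ratio", "rreq_rate", "noise"]))
```

On the constructed data the first round gives 1.0 bit for fwd_ratio, about 0.19 bit for rreq_rate and 0 for noise; after fwd_ratio is added the class is already determined, every remaining gain is 0 and the loop stops, so only one feature is kept.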

Page 15:

Node-Based Detection vs. Cooperative Detection

Node-based detection
  IDS agents operate on every MANET node
  The only reliable features are those collected by the local feature collection module
  Most secure and reliable, but may suffer from
    ineffectiveness due to inconclusive evidence
    inefficiency due to redundant feature computation
Cluster-based detection
  Group nodes into clusters. Each cluster has a certain number of special nodes, or clusterheads
  Only a clusterhead runs the IDS agent to monitor the whole neighborhood
  Limitation: best-effort service
Design Criteria
  Fairness: Don’t elect me, too much work!
  Security: Control the clusterheads, control everything!
  Classical cluster protocols (min ID, max degree) do not satisfy these requirements

Page 16:

Cluster Formation Protocol

Start with clique computation
Each clique member chooses a random input $r_i$ and broadcasts the input
Each member independently computes the initial seed by XOR-ing all inputs: $H(r_1, r_2, \ldots, r_n) = \bigoplus_i r_i$
  The XOR function guarantees the output to be random as long as at least one input is truly random
  In fact, inputs are broadcast through a two-round protocol to avoid a delayed-response attack
A sequence of m clusterheads is generated using a PRNG
A consistency protocol ensures that the same clusterheads are elected through role acknowledgement
Clusterheads are re-elected after a certain timeout

Page 17:

Discussion

Fairness Concern
  Clusterhead computation: short-term fairness
  Periodic re-election: long-term fairness
Security Concern
  Defend against clusterhead compromise
    Short-term and long-term fairness
    Mutual monitoring
  Defend against attacks on the consistency protocol
    A node can refuse to participate until it is elected
    A node can refuse to be a clusterhead but join the same (or another) cluster later
    Detecting these attacks may be complicated due to node mobility
  Improved version
    A retreat counter is recorded on every member for every other member
    Meeting a certain threshold is considered a violation
    The retreat counter is reset periodically
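An added Python simulation (not the authors' code) of the Cluster Formation Protocol on Page 16 together with the retreat counter from the Discussion slide. The slides say only that inputs go through a two-round protocol and that a PRNG expands the XOR seed into m clusterheads; the hash commitment in round one, the SHA-256 counter construction used as the PRNG, and the member names and inputs are my assumptions. The function seeds_over_honest_choices shows why one truly random input is enough: with every other input fixed, the XOR rule maps the honest input to the seed one-to-one.

```python
import hashlib
import secrets
from collections import defaultdict


def commitment(member, r):
    """Round-1 message: a hash commitment to the member's random input
    (assumed instantiation of the slide's two-round protocol)."""
    return hashlib.sha256(f"{member}:{r}".encode()).hexdigest()


def verify_reveals(commitments, reveals):
    """Round-2 check: members whose revealed input does not match their
    round-1 commitment, i.e. who changed their input after seeing others'."""
    return sorted(m for m, r in reveals.items()
                  if commitment(m, r) != commitments.get(m))


def xor_seed(inputs):
    """H(r1, ..., rn) = XOR of all inputs, as on the slide."""
    seed = 0
    for r in inputs:
        seed ^= r
    return seed


def clusterhead_sequence(seed, members, m):
    """Expand the shared seed into m clusterheads with a hash-based counter
    PRNG (my choice); every member computing this gets the same sequence."""
    ordered = sorted(members)
    heads = []
    for k in range(m):
        h = hashlib.sha256(seed.to_bytes(16, "big") + k.to_bytes(4, "big")).digest()
        heads.append(ordered[int.from_bytes(h[:8], "big") % len(ordered)])
    return heads


def run_election(members, m, inputs=None):
    """Two-round election over a clique; returns each member's own view of
    the clusterhead sequence so that agreement can be checked."""
    inputs = inputs or {mem: secrets.randbits(128) for mem in members}
    commitments = {mem: commitment(mem, inputs[mem]) for mem in members}
    if verify_reveals(commitments, inputs):
        raise ValueError("revealed input does not match commitment")
    seed = xor_seed(inputs.values())
    return {mem: clusterhead_sequence(seed, members, m) for mem in members}


def seeds_over_honest_choices(fixed_inputs, bits=4):
    """Seeds obtained for every possible value of one honest `bits`-bit input
    while all other inputs stay fixed (even adversarially chosen).  XOR with
    a constant is a bijection, so the seeds cover the whole range exactly once."""
    return sorted(xor_seed(list(fixed_inputs) + [r]) for r in range(1 << bits))


class RetreatCounter:
    """Improved consistency check (Page 17): each member counts how often every
    other member retreated from an elected role; reaching the threshold is a
    violation; counters are reset periodically."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = defaultdict(int)

    def record_retreat(self, member):
        """Record one retreat; returns True once the threshold is met."""
        self.counts[member] += 1
        return self.counts[member] >= self.threshold

    def violators(self):
        return sorted(m for m, c in self.counts.items() if c >= self.threshold)

    def reset(self):
        self.counts.clear()


if __name__ == "__main__":
    views = run_election(["A", "B", "C", "D"], m=3)
    print("all members agree:", len({tuple(v) for v in views.values()}) == 1)
    print("clusterheads:", views["A"])
    print("seeds from one honest 4-bit input:", seeds_over_honest_choices([0b1010, 0b0110]))
```

The consistency step on the slide (role acknowledgement) is what turns each member's locally computed sequence into an agreed election; in this simulation it reduces to checking that every member's view is identical.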

Page 18:

Cluster-Based Detection Models

Similar approaches can be applied
  Specification-based
  Statistics-based
Feature collection
  A randomly chosen cluster member computes the necessary features at every sampling period
    Reduces redundant feature computation
  Communication overhead may be further reduced by having “common” features computed directly by the clusterhead
Clusterhead-controlled features
  Capable of developing new detection rules that involve features from multiple nodes

Page 19:

IP Traceback

What about IP spoofing?
  The IDS detects attacks based on behavior, but taking proper countermeasures would be hard without knowing the true identities of attack sources
  A proper authentication system in place may solve the problem, but it is not universally available
Traditional traceback solutions are unsuitable
  Hop-by-hop tracing requires collaborative routers and knowledge about the global topology
  Packet marking and ICMP traceback require static routes

Page 20:

Hotspot-Based Traceback Protocol

Fully distributed, working in a mobile topology and with an arbitrary number of compromised nodes
Based on hash-based traceback (Snoeren’01)
  Use Bloom filters to store the packet digest whenever a packet is forwarded
Extends the original Bloom filter
  Store the TTL along with each stored packet
  Reconstruct the original attack path based on replies with the additional information
  Resilient to malicious routers and inaccurate TTL
  Detect “hotspots” where adversaries are contained
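An added Python example, not the authors' protocol implementation, of the Bloom-filter extension on this slide. The slide says the TTL is stored along with each packet digest; here that is done by inserting (digest, TTL) pairs into an ordinary Bloom filter, so a router can recover the TTL a packet carried by probing the 256 possible values, which is my encoding, not the paper's. Path reconstruction orders the replies by decreasing TTL, and a gap in consecutive TTLs between two replying routers is reported as a hotspot candidate, which is a simplified reading of the hotspot idea; the router names, the digest fields and the packet are constructed.

```python
import hashlib


class TtlBloomFilter:
    """Bloom filter over (packet digest, TTL) keys.  Storing the TTL inside
    the key is the assumed encoding of 'store TTL along with each packet'."""

    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, key):
        # k independent hash positions derived from salted SHA-256
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + key).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, digest, ttl):
        for pos in self._positions(digest + bytes([ttl])):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def contains(self, digest, ttl):
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(digest + bytes([ttl])))

    def ttl_of(self, digest):
        """Recover the TTL the packet carried when this router forwarded it,
        or None if the router never saw it (up to Bloom false positives)."""
        for ttl in range(256):
            if self.contains(digest, ttl):
                return ttl
        return None


def packet_digest(src, dst, ident, payload):
    """Digest over fields that do not change hop by hop (TTL is excluded so
    every router on the path computes the same digest)."""
    return hashlib.sha256(f"{src}|{dst}|{ident}|".encode() + payload[:32]).digest()


def forward_along_path(path, digest, initial_ttl, filters):
    """Simulate the routers on `path` forwarding one packet; each records the
    digest together with the TTL as received, then decrements the TTL."""
    ttl = initial_ttl
    for node in path:
        filters.setdefault(node, TtlBloomFilter()).add(digest, ttl)
        ttl -= 1


def reconstruct_path(digest, filters, responders):
    """Query the cooperating routers in `responders` and order their replies by
    decreasing TTL (one TTL lost per hop).  Routers that keep silent leave a
    TTL gap between their neighbours; that hop is returned as a hotspot
    candidate (simplified treatment, my assumption)."""
    replies = []
    for node in responders:
        if node in filters:
            ttl = filters[node].ttl_of(digest)
            if ttl is not None:
                replies.append((ttl, node))
    replies.sort(reverse=True)
    path = [node for _, node in replies]
    hotspots = [(a, b) for (ta, a), (tb, b) in zip(replies, replies[1:]) if ta - tb != 1]
    return path, hotspots


if __name__ == "__main__":
    filters = {}
    d = packet_digest("10.0.0.9", "10.0.0.1", 4242, b"constructed payload")
    forward_along_path(["R1", "R2", "R3", "R4"], d, 64, filters)
    print("all routers reply:", reconstruct_path(d, filters, {"R1", "R2", "R3", "R4"}))
    print("R2 silent:", reconstruct_path(d, filters, {"R1", "R3", "R4"}))
```

With filter size 2^16 bits and four hash functions the false-positive rate at these occupancy levels is negligible, but a real deployment would size the filter to the per-interval packet volume and rotate filters over time, as hash-based traceback does.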

Page 21:

Packet Filtering

Currently focus on filtering a single attack flow
End-host filtering
  Stop selective flows based on source addresses
  Effective only when flows are not spoofed
Fast filtering
  Relies on Hotspot-based Traceback
  Filter on intermediate routers in the attack path
  Optimize with linear programming
    Maximize attack packet dropping rate
    Minimize normal packet dropping rate

Page 22:

Conclusions & Future Work

Intrusion detection and response is a critical security component in MANET
We propose a new MANET IDS architecture
  Working under specific assumptions based on the MANET characteristics
  Highly effective in detecting well-known routing attacks
Future work
  Improve feature selection approaches
  Verification of
    EFSA specification
    Cluster Formation Protocol
    Hotspot-Based Traceback Protocol