
Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Intrusion detection techniques in mobile ad hoc and wireless sensor networks. BO SUN, LAWRENCE OSBORNE, YANG XIAO, SGHAIER GUIZANI. Wireless Communications, IEEE, Volume 14, Issue 5, October 2007. Presented by Yu-Shun Wang (王猷順).



  1. Intrusion detection techniques in mobile ad hoc and wireless sensor networks BO SUN, LAWRENCE OSBORNE, YANG XIAO, SGHAIER GUIZANI Wireless Communications, IEEE, Volume 14, Issue 5, October 2007 Presented by Yu-Shun Wang (王猷順) OP LAB, IM NTU

  2. Author • BO SUN [M] received his Ph.D. degree in computer science from Texas A&M University, College Station, in 2004. • He is now an assistant professor in the Department of Computer Science at Lamar University. • His research interests include the security issues of wireless ad hoc networks, wireless sensor networks, cellular mobile networks, and other communications systems.

  3. Author • LAWRENCE OSBORNE received a Ph.D. in computer science from the University of Missouri Rolla in 1989. • He is now a professor of computer science at Lamar University. • His research interests include algorithms for routing and localization in MANETs and wireless sensor networks, databases in sensor networks, satellite networks, and distributed systems.

  4. Author • YANG XIAO [SM] is currently with the Department of Computer Science at the University of Alabama. • He was a voting member of the IEEE 802.11 Working Group from 2001 to 2004. • His research areas are security, telemedicine, and wireless networks. • He currently serves as Editor-in-Chief for International Journal of Security and Networks, International Journal of Sensor Networks, and International Journal of Telemedicine and Applications.

  5. Author • SGHAIER GUIZANI obtained a Ph.D. in telecommunication from the University of Quebec Trois-Rivières, Canada. • He is currently working as an assistant professor at Qatar University in the Mathematics and Computer Department. • His research interests are in the areas of optical fiber communication systems, radio over fiber, wireless network architectures, and wireless communication.

  6. Agenda • Introduction • Intrusion Detection Techniques • Intrusion Detection in a MANET • Attack Models • Existing Research • Intrusion Detection in a WSN • Challenges • Secure Localization in WSNs • Secure Aggregation in WSNs • Extended Kalman Filter-Based Secure Aggregation for a WSN • Conclusion


  8. Introduction

  9. Introduction

  10. Introduction • Reasons that make MANETs and WSNs more vulnerable to malicious attacks • For a MANET • The features of an open medium • Dynamic topology • The absence of a central management point • For a WSN • The lack of physical security combined with unattended operation makes sensor nodes prone to a high risk of being captured and compromised.

  11. Introduction • So far, research to find security solutions for MANETs and WSNs has originated from the prevention point of view. • However, prevention cannot totally eliminate intrusions. • Therefore, intrusion detection systems (IDSs), serving as the second line of defense, are indispensable in providing a highly secured information system.


  13. Intrusion Detection Techniques • Misuse-based detection • Encodes known attack signatures and system vulnerabilities. • If it finds a match between current activities and the signatures, an alarm is generated. • But it is not effective at detecting novel attacks.

  14. Intrusion Detection Techniques • Anomaly-based detection • Creates normal profiles of system states or user behaviors and compares them with current activities. • If a significant deviation is observed, the IDS raises an alarm. • Anomaly detection can detect unknown attacks. • However, normal profiles are usually very difficult to build.

  15. Intrusion Detection Techniques • Specification-based detection • Combines the advantages of misuse detection and anomaly detection. • Uses manually developed specifications to characterize legitimate system behaviors. • However, the development of detailed specifications can be time-consuming.
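The three approaches on the preceding slides, side by side on one constructed stream of MANET route-forwarding events. This is an added example, not code from the slides or the paper: the event fields, the single misuse signature, the anomaly profile (drop rate per node) and the specification rule (hop count grows by exactly one per forward) are all assumptions made for the illustration.

```python
"""Added example, not from the slides: misuse-, anomaly- and specification-based
detection run over the same constructed MANET forwarding events. Event fields,
signature, profile feature and specification rule are assumptions."""
import statistics

# Constructed training window: normal forwarding behaviour only.
TRAINING = [
    {"node": "A", "hop_in": 1, "hop_out": 2, "drop_rate": 0.02},
    {"node": "B", "hop_in": 2, "hop_out": 3, "drop_rate": 0.01},
    {"node": "C", "hop_in": 1, "hop_out": 2, "drop_rate": 0.03},
    {"node": "D", "hop_in": 3, "hop_out": 4, "drop_rate": 0.02},
    {"node": "E", "hop_in": 2, "hop_out": 3, "drop_rate": 0.04},
    {"node": "F", "hop_in": 4, "hop_out": 5, "drop_rate": 0.01},
]

# Constructed live window: two normal nodes plus three misbehaving ones.
LIVE = [
    {"node": "G", "hop_in": 2, "hop_out": 3, "drop_rate": 0.02},
    {"node": "H", "hop_in": 1, "hop_out": 2, "drop_rate": 0.03},
    {"node": "M", "hop_in": 3, "hop_out": 1, "drop_rate": 0.01},  # known attack: resets hop count to 1
    {"node": "N", "hop_in": 2, "hop_out": 3, "drop_rate": 0.60},  # novel: silently drops most data
    {"node": "O", "hop_in": 2, "hop_out": 7, "drop_rate": 0.02},  # novel: inflates hop count
]

# Misuse-based: signatures of known attacks (here a single one, assumed).
SIGNATURES = {"hop-count reset": lambda e: e["hop_in"] > 1 and e["hop_out"] == 1}


def misuse_detect(events):
    """Alarm whenever an event matches a known signature."""
    return sorted((e["node"], name) for e in events
                  for name, match in SIGNATURES.items() if match(e))


def build_profile(training):
    """Anomaly-based: normal profile of the drop rate = (mean, population std. dev.)."""
    rates = [e["drop_rate"] for e in training]
    return statistics.mean(rates), statistics.pstdev(rates)


def anomaly_detect(events, profile, k=3.0):
    """Alarm when the drop rate deviates from the profile by more than k std. devs."""
    mean, sd = profile
    return [e["node"] for e in events if abs(e["drop_rate"] - mean) > k * sd]


def specification_detect(events):
    """Specification-based: a forwarded packet's hop count must grow by exactly 1."""
    return [e["node"] for e in events if e["hop_out"] != e["hop_in"] + 1]


def compare(events, training):
    """Run all three detectors; returns node -> set of detector names that flagged it."""
    flagged = {}
    for node, _ in misuse_detect(events):
        flagged.setdefault(node, set()).add("misuse")
    for node in anomaly_detect(events, build_profile(training)):
        flagged.setdefault(node, set()).add("anomaly")
    for node in specification_detect(events):
        flagged.setdefault(node, set()).add("specification")
    return flagged


if __name__ == "__main__":
    for node, detectors in sorted(compare(LIVE, TRAINING).items()):
        print(node, sorted(detectors))
```

On this input the misuse detector sees only the attack it has a signature for (M), the anomaly detector catches the unseen dropping behaviour (N) but is blind to the hop-count manipulation because the profile does not cover that feature, and the specification rule catches both hop-count manipulations (M and O) while saying nothing about dropping, for which no rule was written. That is the trade-off the three slides describe: signatures miss novel attacks, profiles depend on which features were modelled, and specifications cover exactly what someone took the time to write down.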


  17. Intrusion Detection in a MANET • Attack Model • Routing Logic Compromise • A typical attack scenario is the modification of various fields in routing control packets. • Traffic Distortion • Attacks such as packet dropping, packet corruption, and data flooding. • Combinations of the attacks mentioned previously.

  18. Intrusion Detection in a MANET • Attack model


  20. Intrusion Detection in a MANET • Existing Research • Feature selection • A learning-based method uses cross-feature analysis to capture inter-feature correlation patterns. • Pattern classification • Based on the identified feature set, with a decision-tree-equivalent classifier for rule induction, the system can classify observed activities as normal or intrusive.

  21. Intrusion Detection in a MANET • Existing Research (cont.) • Watchdog and pathrater

  22. Intrusion Detection in a MANET • Existing Research (cont.) • Zone-based intrusion detection system (ZBIDS)


  24. Intrusion Detection in a WSN • Challenges • Similar to security research in a MANET, many approaches for a WSN have been proposed. • But because of the features of a WSN, prevention-based schemes are inadequate once sensor nodes have been compromised.

  25. Intrusion Detection in a WSN • Challenges (cont.) • A WSN has a limited power supply, thus requiring energy-efficient protocols and applications to maximize the lifetime of the sensor network. • Besides, sensor nodes are prone to failure, which results in frequent network topology changes. • Also, a WSN is usually densely deployed, causing serious radio channel contention and scalability problems.


  27. Intrusion Detection in a WSN • Secure Localization • Due to cost considerations, it is still not practical to equip every sensor node with a global positioning system (GPS) receiver. • To utilize localization protocols, some special nodes, called beacon nodes, are often used. • However, beacon nodes may be compromised, thus providing incorrect information to non-beacon nodes.

  28. Intrusion Detection in a WSN • Secure Localization (cont.) • Utilizing deployment knowledge of a WSN, and based on the fact that the probability distribution functions of sensor locations can usually be modeled prior to deployment, • [11] W. Du, L. Fang, and P. Ning, "LAD: Localization Anomaly Detection for Wireless Sensor Networks" propose that each non-beacon node can efficiently detect location anomalies.

  29. LAD: Localization Anomaly Detection for Wireless Sensor Networks • Assume that sensor nodes are static once they are deployed. • Define the deployment point of a sensor as the point location where the sensor is to be deployed. • Also define the resident point of a sensor as the point location where the sensor finally resides.

  30. LAD: Localization Anomaly Detection for Wireless Sensor Networks

  31. LAD: Localization Anomaly Detection for Wireless Sensor Networks • After deployment, each node can estimate its neighbors based on deployment knowledge. • Then it compares the estimate with its actual observation. • If the inconsistency rate is higher than a threshold, we conclude that there is an anomaly.

  32. LAD: Localization Anomaly Detection for Wireless Sensor Networks • Process overview (flowchart): After deployment → estimation based on deployment knowledge, together with the actual observation → inconsistent rate > threshold? Yes → there exists an anomaly; No → no anomaly

  33. LAD: Localization Anomaly Detection for Wireless Sensor Networks • Three metrics for anomaly detection • The difference metric • The add-all metric • The probability metric • Among these, the Diff metric performs the best.

  34. LAD: Localization Anomaly Detection for Wireless Sensor Networks • The difference metric (labels of the terms in the formula): total number of nodes in group i; probability that a node belonging to group i becomes a neighbor of a node located at Le; coordinates of Le; deployment point of group i; the node's actual observation

  35. LAD: Localization Anomaly Detection for Wireless Sensor Networks • Obtaining the Thresholds Using Training • We are targeting a specific localization application in sensor networks. • Thus, it is likely that most (if not all) of the normal behaviors are observed during the training process.

  36. LAD: Localization Anomaly Detection for Wireless Sensor Networks
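The LAD slides above (estimate neighbors from deployment knowledge, compare with the actual observation, Diff metric over the terms labelled on slide 34, threshold obtained by training) as one small runnable model. This is an added example written for this page, not code from the slides or from Du, Fang and Ning's paper. Everything numeric is an assumption: the group layout, a Gaussian spread of each group around its deployment point, a radio range of 1.0, and the rule that the threshold is the largest Diff seen during training plus a margin.

```python
"""Added example, not from the slides or the LAD paper: a self-contained model of
LAD's difference (Diff) metric with a threshold learned from a training run.
Deployment model (Gaussian spread per group), radio range, group layout and the
threshold rule are assumptions chosen for illustration."""
import math
import random

RADIUS = 1.0   # assumed radio range: nodes closer than this are neighbours
SIGMA = 0.5    # assumed standard deviation of each group's deployment spread

# Constructed deployment knowledge: group id -> (deployment point, number of nodes)
GROUPS = {"g0": ((0.0, 0.0), 12), "g1": ((3.0, 0.0), 12),
          "g2": ((0.0, 3.0), 12), "g3": ((3.0, 3.0), 12)}


def neighbor_probability(deploy_point, le, radius=RADIUS, sigma=SIGMA, step=0.05):
    """Probability that a node from the group deployed around deploy_point resides
    within `radius` of the estimated location Le: the 2-D Gaussian density integrated
    over the disc around Le (midpoint rule on a grid of side `step`)."""
    (x0, y0), (lx, ly) = deploy_point, le
    norm = 1.0 / (2.0 * math.pi * sigma * sigma)
    cells = int(round(2 * radius / step))
    total = 0.0
    for i in range(cells):
        x = lx - radius + (i + 0.5) * step
        for j in range(cells):
            y = ly - radius + (j + 0.5) * step
            if (x - lx) ** 2 + (y - ly) ** 2 <= radius * radius:
                d2 = (x - x0) ** 2 + (y - y0) ** 2
                total += norm * math.exp(-d2 / (2.0 * sigma * sigma))
    return total * step * step


def difference_metric(groups, le, observed):
    """Diff metric: sum over groups i of |n_i * p_i(Le) - o_i|, where n_i is the group
    size, n_i * p_i(Le) the expected number of group-i neighbours at Le, and o_i the
    number of group-i neighbours the node actually observed."""
    return sum(abs(n * neighbor_probability(dp, le) - observed.get(gid, 0))
               for gid, (dp, n) in groups.items())


def deploy(groups, rng):
    """Simulated deployment: each node's resident point is a Gaussian offset from its
    group's deployment point. Returns a list of (group id, resident point)."""
    return [(gid, (rng.gauss(dp[0], SIGMA), rng.gauss(dp[1], SIGMA)))
            for gid, (dp, n) in groups.items() for _ in range(n)]


def observe(nodes, idx, radius=RADIUS):
    """Actual observation of node idx: neighbours heard, counted per group."""
    counts = {}
    mx, my = nodes[idx][1]
    for k, (gid, (x, y)) in enumerate(nodes):
        if k != idx and (x - mx) ** 2 + (y - my) ** 2 <= radius * radius:
            counts[gid] = counts.get(gid, 0) + 1
    return counts


def train_threshold(groups, nodes, margin=1.0):
    """Training under normal conditions: every node scores its true location; the
    threshold is the largest Diff seen plus a margin (an assumed rule)."""
    worst = max(difference_metric(groups, nodes[i][1], observe(nodes, i))
                for i in range(len(nodes)))
    return worst + margin


def is_anomalous(groups, le, observed, threshold):
    """LAD decision at one node: flag the estimated location Le if Diff > threshold."""
    return difference_metric(groups, le, observed) > threshold


def simulate(seed=7):
    """Deploy the constructed network deterministically and train the threshold."""
    nodes = deploy(GROUPS, random.Random(seed))
    return nodes, train_threshold(GROUPS, nodes)


if __name__ == "__main__":
    nodes, threshold = simulate()
    obs = observe(nodes, 0)
    print("threshold from training:", round(threshold, 2))
    print("true location flagged?", is_anomalous(GROUPS, nodes[0][1], obs, threshold))
    # A location estimate that a compromised beacon pushed into another group's area
    print("false location flagged?", is_anomalous(GROUPS, (3.0, 0.0), obs, threshold))
```

The check a non-beacon node performs is entirely local: it needs only the deployment table, its own neighbour counts, and the location estimate it was given, so a beacon that lies about the node's position is caught by the mismatch between where that position says the neighbours should come from and where they actually come from. The quality of the threshold depends on the training run covering the normal variation the slides mention; the margin above is a placeholder for that judgement, not a value from the paper.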


  38. Intrusion Detection in a WSN • Secure Aggregation in WSNs • Aggregation has become one of the required operations for a WSN to save energy. • The aggregation function may be average, sum, maximum, minimum, count, etc. • If one node is compromised, it can send false reports to other nodes. • High-level nodes (i.e., nodes closer to the root) have a higher influence on the aggregation result than low-level nodes.

  39. Intrusion Detection in a WSN • Secure Aggregation in WSNs (cont.)

  40. Intrusion Detection in a WSN • Secure Aggregation in WSNs (cont.) • Using robust statistics for resilient aggregation. • Truncation and trimming techniques help improve the resilience of aggregation functions. • RANSAC (random sample consensus) • Is an outlier elimination technique. • Uses maximum likelihood estimation (MLE) as its estimation method. • Outlier measurements can be filtered out, even if a large quantity of sensor nodes is compromised. • But what if some anomaly does indeed occur?

  41. Intrusion Detection in a WSN • Secure Aggregation in WSNs (cont.) • Secure Hop-by-Hop Data Aggregation Protocol • [14] Y. Yang et al., "SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks," ACM Mobihoc '06, Florence, Italy, 2006, pp. 356–67. • Different from the approaches mentioned before, this one does not simply eliminate the "outliers". • In this way, it avoids removing "real" data.

  42. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • Assume the BS cannot be compromised. • Also, it has a secure mechanism to authenticate its broadcast messages to all the nodes. • Assume every node can verify the received broadcast messages, and has an individual secret key shared with the BS. • Further, there is a unique pairwise key shared between each pair of neighboring nodes.

  43. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • We do not consider the attack where a compromised node forges a false reading of its own as a value-changing attack. • The impact of such an attack is usually limited. • Such a compromised node is very much like a faulty sensor node. • In this case, we have to rely on an outlier detection algorithm or the content-based attestation scheme.

  44. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • Process overview (flowchart): Start → Tree construction → Node grouping & data aggregation → Does a suspicious value exist? No → Process ends; Yes → Start verification → Is any abnormal node detected? No → Trust the value; Yes → Discard the suspicious value

  45. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • Tree Construction • Initially, the root broadcasts a tree construction message that includes its own id and its depth, which is 0. • After receiving a broadcast message, each node adds one to the depth value and sets its parent to be the broadcasting node. • This process continues until all nodes have received this message.

  46. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • Tree Construction (cont.) • After constructing the aggregation tree, the BS can disseminate the aggregation query message through this tree. • A random number (Sg), which is added to the query, is used for the probabilistic grouping in the next phase.

  47. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • Node grouping & data aggregation • In this phase, SDAP randomly groups all the nodes into multiple logical groups and performs aggregation in each group. • Grouping is conducted through the selection of a leader node for each group. • Leader nodes are selected by a probabilistic method using the count values and the grouping seed Sg received in the last phase.

  48. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • Node grouping & data aggregation (cont.) • With the random number (Sg), the BS can rotate the leaders among nodes instead of fixing their roles. • Once a node becomes a leader, all the nodes in its subtree that have not been grouped yet become members of its group. • The resulting group sizes are roughly even with a small deviation, since the grouping function is uniformly distributed.

  49. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • Node grouping & data aggregation (cont.)

  50. SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks • Node grouping & data aggregation (cont.) • During aggregation, each aggregation packet contains the sender's id, an aggregated data value, and a count value. • In addition, a flag field is contained in each packet to show whether the aggregate needs to be aggregated further or not. • Three types of aggregation are performed • Leaf node aggregation • Intermediate node aggregation • Leader node aggregation
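The SDAP phases on slides 45 to 50 (tree construction by flooding the root's broadcast, seeded probabilistic leader selection from the count values, group membership as "ungrouped subtree of the leader", and the leaf / intermediate / leader aggregation packets with their flag field) as one runnable simulation. This is an added example written for this page, not code from the slides or from Yang et al.'s paper. The ten-node topology, the readings, the per-node keys shared with the BS and the grouping function F(c) = min(1, c / target group size) are assumptions; the paper's own grouping function is not reproduced here. The MAC on a leader's packet uses the leader's individual key shared with the BS (slide 42), so that a packet flagged as final cannot be altered on its way up without the BS noticing.

```python
"""Added example, not from the slides or the SDAP paper: a small simulation of
SDAP's tree construction, seeded probabilistic grouping and grouped aggregation.
The topology, readings, keys and the grouping function F are assumptions."""
import hashlib
import hmac
from collections import deque

# Constructed topology: undirected radio links between node ids (0 is the base station)
LINKS = {0: {1, 2}, 1: {0, 3, 4}, 2: {0, 5}, 3: {1, 6, 7}, 4: {1},
         5: {2, 8}, 6: {3}, 7: {3, 9}, 8: {5}, 9: {7}}
READINGS = {n: 20 + n for n in range(1, 10)}             # constructed sensor readings
BS_KEYS = {n: f"bs-key-{n}".encode() for n in range(10)}  # constructed per-node keys shared with the BS
TARGET_GROUP = 3                                          # assumed target group size used by F


def build_tree(links, root=0):
    """Tree construction: the root broadcasts (id, depth 0); a node hearing a broadcast
    for the first time takes the sender as parent, adds one to the depth, rebroadcasts."""
    parent, depth, queue = {root: None}, {root: 0}, deque([root])
    while queue:
        u = queue.popleft()
        for v in sorted(links[u]):
            if v not in depth:
                parent[v], depth[v] = u, depth[u] + 1
                queue.append(v)
    return parent, depth


def children_of(parent):
    ch = {n: [] for n in parent}
    for n, p in parent.items():
        if p is not None:
            ch[p].append(n)
    return ch


def subtree_counts(parent, depth):
    """Count value of each node = size of its subtree, accumulated leaves first."""
    count = {n: 1 for n in parent}
    for n in sorted(parent, key=lambda k: -depth[k]):
        if parent[n] is not None:
            count[parent[n]] += count[n]
    return count


def grouping_value(seed, node_id):
    """H(Sg || id) mapped to [0, 1): every node can compute it once Sg is known."""
    digest = hashlib.sha256(f"{seed}|{node_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2 ** 64


def select_leaders(seed, count, root=0):
    """Assumed F(c) = min(1, c / TARGET_GROUP): a larger subtree is likelier to be
    led; the root is always a leader so that every node ends up in some group."""
    return {n for n, c in count.items()
            if n == root or grouping_value(seed, n) < min(1.0, c / TARGET_GROUP)}


def assign_groups(parent, depth, leaders):
    """A node joins the group of its nearest leader ancestor (itself if it is a leader)."""
    group = {}
    for n in sorted(parent, key=lambda k: depth[k]):
        group[n] = n if n in leaders else group[parent[n]]
    return group


def mac(key, pkt):
    msg = f"{pkt['id']}|{pkt['value']}|{pkt['count']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def aggregate(parent, depth, leaders, readings, root=0):
    """Leaf and intermediate nodes fold their children's open packets into their own
    (value summed, counts added); a leader closes its packet (flag final, MAC under
    its BS key) and intermediate nodes above only forward closed packets unchanged.
    Returns the list of packets that arrive at the BS."""
    ch, packets = children_of(parent), {}
    for n in sorted(parent, key=lambda k: -depth[k]):
        value, count, closed = readings.get(n, 0), (0 if n == root else 1), []
        for c in ch[n]:
            for p in packets[c]:
                if p["final"]:
                    closed.append(p)
                else:
                    value += p["value"]
                    count += p["count"]
        own = {"id": n, "value": value, "count": count, "final": n in leaders}
        if own["final"]:
            own["mac"] = mac(BS_KEYS[n], own)
        packets[n] = [own] + closed
    return packets[root]


def verify_at_bs(packets):
    """BS checks each group packet's MAC; returns {leader: (value, count)} of valid ones."""
    return {p["id"]: (p["value"], p["count"]) for p in packets
            if p["final"] and hmac.compare_digest(p["mac"], mac(BS_KEYS[p["id"]], p))}


def run(seed):
    parent, depth = build_tree(LINKS)
    leaders = select_leaders(seed, subtree_counts(parent, depth))
    groups = assign_groups(parent, depth, leaders)
    return depth, groups, verify_at_bs(aggregate(parent, depth, leaders, READINGS))


if __name__ == "__main__":
    depth, groups, results = run(seed=11)
    print("groups:", groups)
    print("per-group (sum, count) accepted by the BS:", results)
```

Changing the seed changes which nodes become leaders (the rotation the slides mention), but whatever the grouping, each reading is counted exactly once across the group packets, so the sum of the group values always equals the sum of all readings and the counts add up to the number of sensor nodes. The per-group packets are what gives the BS something to verify later: a suspicious group value can be attributed to one leader's subtree rather than to the whole network.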
