行動隨意網路 ： 多播路由與入侵偵測 Mobile Ad Hoc Networks: Multicast Routing and Intrusion Detection

1. 行動隨意網路：多播路由與入侵偵測 Mobile Ad Hoc Networks: Multicast Routing and Intrusion Detection Huei-Wen Ferng, Ph.D. Associate Professor Department of Computer Science and Information Engineering (CSIE) Nation Taiwan University of Science and Technology (NTUST) Wireless Communications and Networking Engineering (WCANE) Lab E-mail: hwferng@mail.ntust.edu.tw URL: http://web.ntust.edu.tw/~hwferng/

2. Introduction Part I: Multicast routing Part II: Intrusion detection Conclusion Outline

3. Introduction

4. What is a Mobile Ad Hoc Network? • A Mobile Ad hoc Network (MANET) is an autonomous system of nodes connected by wireless links. • A MANET does not necessarily need support from any existing network infrastructure like an Internet gateway or other fixed stations. • The network’s wireless topology may dynamically change in an unpredictable manner since nodes are free to move. • Information is transmitted in a store-and forward manner using multi-hop routing.

5. Characteristics of Ad Hoc Networks • Dynamic topologies: Network topology may change dynamically as the nodes are free to move. • Bandwidth-constrained, variable capacity links: Realized throughput of wireless communication is less than the radio’s maximum transmission rate. Congestion occurs frequently. • Energy-constrained operation: Some nodes in the ad hoc network may rely on batteries or other exhaustible means for their energy. • Limited physical security: More prone to physical security threats than fixed cable networks.

6. Applications • Battlefields • Crisis-management • Tele-medicine • Virtual navigation

7. Possible Research Issues • Routing • Power management • Security

8. Part I: Multicast Routing A Multicast Routing Algorithm Using Movement Prediction for Mobile Ad Hoc Networks

9. Introduction (1/2) • The multicast communication is a challenging issue in MANETs because of frequent topology changes. • Approaches to update states of neighbors • Soft state approach vs. Hard state approach • Two categories of multicast algorithms • Mesh-based vs. Tree-based • A few routing algorithms in MANETs • Ad-hoc On-demand Distance Vector (AODV) • On Demand Multicast Routing Protocol (ODMRP)

10. Introduction (2/2) • Goal • To propose a tree-based routing algorithm with hard state update called Tree-based Multicast Routing Algorithm with Movement Prediction (TMRAMP) • Features • Less overhead • Prediction-based • Local path search and recovery

11. TMRAMP • The algorithm is composed of three parts • Movement prediction • Routing protocol • Local path search and recovery

12. Movement Prediction • Assume that the moving speeds, coordinates, and directions of two mobile nodes, say node 1 and node 2, are given, then we can calculate the connection time Dtusing the following equation (by Su, Lee, and Gerla) • where

13. Routing Protocol (1/2) • The source first broadcasts a Join Request packet which includes the necessary information. • A node upon receiving a Join Request packet determines if it is a duplicate. • If it is not duplicate and the Hop Count (HP) is still smaller a pre-specified threshold, movement prediction is applied to estimate the link connection time (LCT) between this node and its upstream node. • Set RCT=min( LCT, RCT), where RCT stands for Route Connection Time. • The modified packet is broadcasted to neighbors.

14. Routing Protocol (2/2) • For a group member, it further chooses the path with the largest RCT since multiple Join Request packets may be received from different paths. • Of course, a member routing table is maintained at each node such that Join Reply packets sent by group members are able to return back to the sender along the chosen paths.

15. Local Path Search and Recovery (1/3) • We assume that all necessary information is available and is put into packets so as to make GPS work. • By setting a threshold BeginHandoff, a node canestimate the time when the link will terminate. • When the estimated connection time falls below the threshold, the node will issue the Rejoin packet to its neighbors.

16. Local Path Search and Recovery (2/3) • A neighboring node upon receiving the packet first checks • Duplicate? On-treenode? • If it is not duplicate and an on-tree node, a Reply Rejoin (with estimated connection life time) is sent; otherwise, Rejoin packet is broadcasted to neighbors. • For the disconnected node, a path with the longest life time is chosen as a new path. • If no path can be found, the disconnected node tries repeatedly to contact any on-tree node with scope one hop larger until at least one is found.

17. Local Path Search and Recovery (3/3)

18. Simulation Arrangements

19. Performance Metrics • (Data) packet delivery ratio • Number of control packets transmitted per data packet received -> reflect overhead • Number of data packets received per data packet transmitted -> represent routing efficiency

20. Simulation Results (1/3) TMRAMP outperforms ODMRP by reducing 20% to 60% of overhead.

21. Simulation Results (2/3) TMRAMP performs better by gaining 10% to 15% more routing efficiency than ODMRP.

22. Simulation Results (3/3) TMRAMP outperforms ODMRP by reducing 10% to 30% of overhead. In general, about 40% improvement can be achieved by TMRAMP as compared to ODMRP.

23. Concluding Remarks • TMRAMP is about 20% to 60% higher under various moving speeds and 10% to 30% higher under various group sizes than ODMRP in overhead. • TMRAMP outperforms ODMRP in routing efficiency by 10% to 15% under various moving speeds and up to 40% under various group sizes. • A scheme using tree-based routing is more suitable than that using mesh-base routing when applied to an environment with a large group. • Hence, we suggest TMRAMP to be used in MANETs.

24. Part II: Intrusion Detection Design of a Joint Defense System for Mobile Ad Hoc Networks

25. Introduction (1/2) • In MANETs, AODV is one of important routing protocols; however, no security mechanism has initially been specified for it. • To provide high survivability to a network, an intrusion detection system (IDS) is frequently employed as the second line of defense against attacks to conserve the integrity and confidentiality of the transmitted data and to provide the availability of network resources.

26. Introduction (2/2) • Many mechanisms of IDS have been already proposed for the AODV routing protocol, including • FSM based on transitions of states for known attacks, • SVM based on statistics learningtheory forunknown attacks. • To get advantages of two approaches so that the decision time is shortened and the detection scope is enlarged, a joint defense system which combines both FSM and SVM for MANETs is proposed.

27. Vulnerability of AODV (1/2) • Authentication Attack: • Authentication in MANETs means the process to authenticate a mobile node to make sure it is a legal node or not. • To create a fake IP or MAC is the simplest attack of this category, which is usually called spoofing attack. • Availability Attack: • Availability means to afford network resources and services for legal mobile nodes. • Malicious nodes/attackers may interrupt the network through denial of service (DoS) attack.

28. Vulnerability of AODV (2/2) • Integrity Attack: • Integrity stands for no modification to content during transmission. • False message propagation attack and man-in-the-middle attack are this kind of attack. • Confidentiality and Privacy Attack: • Confidentiality means that the information of a mobile node is only allowed to be accessed by some permitted nodes. • Privacy means that the information pertinent to a mobile node is not disclosed.

29. Design of the Joint Defense IDS System (1/2) • We propose the architecture for our intrusion detection system combing FSM and SVM.

30. Design of the Joint Defense IDS System (2/2) • The reason why we combine FSM and SVM but not two SVMs is that FSM can prevent the system from zero-day attack for known attacks before SVM is ready for detection after the well-trained model is formed. • For each node with such an IDS, it performs the following functions: • data collection • intrusion detection • response

31. w 2 || w || -1 +1 b Support Vector Machine (1/2) • Support vector machine (SVM) is a machine learning method based on statistical learning theory and used to solve pattern classification

32. Φ X F o o Φ( ) Φ( ) x x x Φ( ) o Φ( ) x o Φ( ) o o o o x Φ( ) o x Φ( ) o Φ( ) x x x Φ( ) x Φ( ) Support Vector Machine (2/2) • To those data that cannot be classified through linear hyperplane, we use the non-linear mapping function Φ, to translate the data to a higher dimension feature space

33. Mechanism of Intrusion Detection (1/3) • We design a mechanism so that less tests are required to make a decision but still maintain the accuracy of detection. • The FSM strategy is first applied at the first stage. • If the FSM strategy is not able to assure the node is a normal node, then the SVM is utilized at the second stage. • Categorizing user behavior into three types: • Normal Behavior • Suspicious Behavior • Attack Behavior

34. Mechanism of Intrusion Detection (2/3)

35. Mechanism of Intrusion Detection (3/3)

36. Numerical Experiments and Discussions (1/5) • We use ns-2 ver. 2.27 along with SVM Lightoperated in off-line manner to evaluate the proposed IDS. • The attack nodes are allowed to perform IP/MAC spoofing attack, RREQ flooding attack, and man-in-the-meddle attack. • The table below shows the settings of the simulation environment.

37. Numerical Experiments and Discussions (2/5) • From simulations, detection rates of the system can achieve 94%, 90%, 95% for IP/MAC spoofing attack, man-in-the-middle attack, and RREQ flooding attack, respectively, at the first stage (i.e., using FSM solely). • With the aid of SVM, detection rates for man-in-the-middle attack and RREQ flooding attack can be further improved to 92% and 99%, respectively.

39. Numerical Experiments and Discussions (3/5) • From simulation results, we also know that different attacks should be solved by different strategies. • For example, SVM is not necessary in helping detect IP/MAC spoofing attack. • Our system can shorten the decision time since FSM needs no training time but 1-SVMDM (proposed by Deng et al.) does. • The system overall has a detection rate higher than 95% for RREQ flooding attack.

40. Numerical Experiments and Discussions (4/5) • We use another way to gauge the detection rate per IDS node. This metric can be interpreted as the percentage of attack nodes detected by an IDS node. • From Fig. 9 (Fig. 10), we know that about 58% (53%) of attack nodes can be detected by FSM while FSM plus SVM can reach about 86% (80%). • The results further strengthen that the necessary of a joint defense system because only about half of attack nodes are detected although FSM works, while SVM needs more longer decision time but it can detect more malicious nodes.

41. Attack node IDS node

42. Numerical Experiments and Discussions (5/5)

43. Concluding Remarks • A joint intrusion detection system combing FSM and SVM for MANETs is proposed in this paper. • The system not only has a higher overall detection rate, but also shortens the time of decision making. • Moreover, it obviously enlarges the detection scope than the single-technique, e.g., FSM, SVM, system.

44. Conclusion • Two issues in mobile ad hoc networks are discussed. • A tree-based multicast routing • An intrusion detection system

45. Thank You!