Specification-based Intrusion Detection. Michael May CIS-700 Fall 2004

Similar documents
Ms A.Naveena Electronics and Telematics department, GNITS, Hyderabad, India.

Mobile Ad-hoc and Sensor Networks Lesson 04 Mobile Ad-hoc Network (MANET) Routing Algorithms Part 1

White Paper. Mobile Ad hoc Networking (MANET) with AODV. Revision 1.0

Feature Selection in Intrusion Detection System over Mobile Ad-hoc Network

A New Energy-Aware Routing Protocol for. Improving Path Stability in Ad-hoc Networks

Mobile Ad-hoc Networks (MANET)

Content. 1. Introduction. 2. The Ad-hoc On-Demand Distance Vector Algorithm. 3. Simulation and Results. 4. Future Work. 5.

Analysis of Black-Hole Attack in MANET using AODV Routing Protocol

Keywords : AODV, Reactive Protocol, Analytical Study, Simulation based

Index terms Wireless Mesh networks, Selective forwarding attacks, Route Reply Packet, Fuzzy Logic, Detection threshold.

Expanding Ring Search for Route Discovery in LOADng Routing Protocol

A Graph-based Approach to Compute Multiple Paths in Mobile Ad Hoc Networks

1 Multipath Node-Disjoint Routing with Backup List Based on the AODV Protocol

Security Issues In Mobile Ad hoc Network Routing Protocols

An Efficient Scheme for Detecting Malicious Nodes in Mobile ad Hoc Networks

Simulation of Intrusion Prevention System

[Wagh*, 5(4): April, 2016] ISSN: (I2OR), Publication Impact Factor: 3.785

Emergence of Ad-hoc On-demand Distance Vector Protocol (AODV) as an Efficient On-demand Routing Protocol (EORP) Using Bayesian Approach

CAODV Free Blackhole Attack in Ad Hoc Networks

[Nitnaware *, 5(11): November 2018] ISSN DOI /zenodo Impact Factor

Secure Routing and Transmission Protocols for Ad Hoc Networks

A Comparative study of On-Demand Data Delivery with Tables Driven and On-Demand Protocols for Mobile Ad-Hoc Network

LECTURE 9. Ad hoc Networks and Routing

Security in Mobile Ad-hoc Networks. Wormhole Attacks

Experiment and Evaluation of a Mobile Ad Hoc Network with AODV Routing Protocol

Impact of Node Velocity and Density on Probabilistic Flooding and its Effectiveness in MANET

SECURITY ISSUE ON AODV ROUTING PROTOCOL SUFFERING FROM BLACKHOLE ATTACK

Wireless Network Security Spring 2016

Lecture 13: Routing in multihop wireless networks. Mythili Vutukuru CS 653 Spring 2014 March 3, Monday

An Efficient Routing Approach and Improvement Of AODV Protocol In Mobile Ad-Hoc Networks

Performance Analysis of AODV Routing Protocol with and without Malicious Attack in Mobile Adhoc Networks

A COMPARISON OF REACTIVE ROUTING PROTOCOLS DSR, AODV AND TORA IN MANET

QoS Routing By Ad-Hoc on Demand Vector Routing Protocol for MANET

Defending MANET against Blackhole Attackusing Modified AODV

Behaviour of Routing Protocols of Mobile Adhoc Netwok with Increasing Number of Groups using Group Mobility Model

Keywords Wormhole Attack, AODV, Multipath Algorithm, On Demand Routing Protocols, Route Request, Route Reply, Mobile Ad-hoc Network,

Performance Analysis of Wireless Mobile ad Hoc Network with Varying Transmission Power

Performance Evaluation of Active Route Time-Out parameter in Ad-hoc On Demand Distance Vector (AODV)

Mitigating Malicious Control Packet Floods in Ad Hoc Networks

Performance Analysis of MANET Routing Protocols OLSR and AODV

CS551 Ad-hoc Routing

IJRIM Volume 1, Issue 4 (August, 2011) (ISSN ) A SURVEY ON BEHAVIOUR OF BLACKHOLE IN MANETS ABSTRACT

Gateway Forwarding Strategies in Ad hoc Networks

Quiz 5 Answers. CS 441 Spring 2017

Security Enhancement of AODV Protocol for Mobile Ad hoc Network

Computation of Multiple Node Disjoint Paths

Secure Enhanced Authenticated Routing Protocol for Mobile Ad Hoc Networks

A COMPARISON OF IMPROVED AODV ROUTING PROTOCOL BASED ON IEEE AND IEEE

Varying Overhead Ad Hoc on Demand Vector Routing in Highly Mobile Ad Hoc Network

Dynamic Profile Based Technique to Detect Flooding Attack in MANET

CMPE 257: Wireless and Mobile Networking

Specification-Based Intrusion Detection for Mobile Ad Hoc Networks

Throughput Analysis of Many to One Multihop Wireless Mesh Ad hoc Network

Impact of Hello Interval on Performance of AODV Protocol

Gateway Forwarding Strategies for Ad hoc Networks

An Extensible Environment for Evaluating Secure MANET

Performance Analysis of AODV using HTTP traffic under Black Hole Attack in MANET

Performance Evaluation of Routing Protocols in Wireless Mesh Networks. Motlhame Edwin Sejake, Zenzo Polite Ncube and Naison Gasela

ENERGY-AWARE FOR DH-AODV ROUTING PROTOCOL IN WIRELESS MESH NETWORK

Mitigating Superfluous Flooding of Control Packets MANET

Routing in Variable Topology Networks

PERFORMANCE EVALUATION OF DSR USING A NOVEL APPROACH

Security of Mobile Ad Hoc and Wireless Sensor Networks

A Location-based Directional Route Discovery (LDRD) Protocol in Mobile Ad-hoc Networks

Distributed Systems. Ad hoc and sensor networks. Rik Sarkar. University of Edinburgh Fall 2018

Appointed BrOadcast (ABO): Reducing Routing Overhead in. IEEE Mobile Ad Hoc Networks

Routing Protocols in MANETs

MULTICASTING IN MANET USING THE BEST EFFECTIVE PROTOCOLS

Identifying Black hole attack using Divide and Conquer Algorithm in Mobile Adhoc Network

A SURVEY OF VARIOUS ROUTING PROBLEMS TO VARIOUS ATTACKS IN MOBILE AD HOC NETWORKS IN THE TRANSACTIONS

Wireless Networking & Mobile Computing

CHAPTER 4. The main aim of this chapter is to discuss the simulation procedure followed in

A Performance Comparison of MDSDV with AODV and DSDV Routing Protocols

Performance Analysis of Disable IP Broadcast Technique for Prevention of Flooding-Based DDoS Attack in MANET

Implementation of AODV Protocol and Detection of Malicious Nodes in MANETs

3. Evaluation of Selected Tree and Mesh based Routing Protocols

Gateway Discovery Approaches Implementation and Performance Analysis in the Integrated Mobile Ad Hoc Network (MANET)-Internet Scenario

International Journal of Advance Engineering and Research Development

Implementation: Detection of Blackhole Mechanism on MANET

Performance Evaluation of Two Reactive and Proactive Mobile Ad Hoc Routing Protocols

Performance Analysis of Aodv Protocol under Black Hole Attack

Mobile Communications. Ad-hoc and Mesh Networks

ZigBee Routing Algorithm Based on Energy Optimization

Cooperative Watchdog in Wireless Ad-Hoc Networks Norihiro SOTA and Hiroaki HIGAKI *

Strongly Anonymous Communications in Mobile Ad Hoc Networks

Zone-based Clustering for Intrusion Detection Architecture in Ad-Hoc Networks

Configuring IP Services

Performance Comparison of AODV, DSR, DSDV and OLSR MANET Routing Protocols

Comparing the Impact of Black Hole and Gray Hole Attacks in Mobile Adhoc Networks

A Performance Comparison of Multi-Hop Wireless Ad Hoc Network Routing Protocols

UCS-805 MOBILE COMPUTING Jan-May,2011 TOPIC 8. ALAK ROY. Assistant Professor Dept. of CSE NIT Agartala.

Wireless Network Security Spring 2015

Review on Packet Forwarding using AOMDV and LEACH Algorithm for Wireless Networks

ANewRoutingProtocolinAdHocNetworks with Unidirectional Links

CHAPTER 5 AN AODV-BASED CLUSTERING APPROACH FOR EFFICIENT ROUTING

Packet Estimation with CBDS Approach to secure MANET

Saving Wireless Networks By Detecting, And Designing Efficient From Masquerade Attacks

A Location-based Predictive Route Caching Scheme for Pure Reactive Zone-based Routing Protocol in Mobile Ad Hoc Networks Abstract Introduction

A Scheme of Multi-path Adaptive Load Balancing in MANETs

Secure and Efficient Routing Mechanism in Mobile Ad-Hoc Networks

Transcription:

Specification-based Intrusion Detection Michael May CIS-700 Fall 2004

Overview Mobile ad hoc networking (MANET) new area of protocols Some old networking solutions work (TCP/IP) but things change with open medium of wireless Goal: Define a system specification (model) and detect when behavior differs from expected 2

Two detection approaches Specification Hand made model of states and transitions Detect when A node moves to an illegal state A node makes an illegal transition (input missing) A node transitions without proper output Messages sent don t follow expected model No false positives Statistical Can find attacks where state is not violated Flooding Dropping Partitioning Train on normal runs and attack runs Run model over test data and detect attacks Can detect new attacks 3

Two detection approaches Specification Can t detect attacks that are not violations in the specification Only as good as the model used Can t catch attacks at a level of the system not in the model Statistical Can t find attacks that look like normal behavior Subtle attacks have higher false positives Use both to achieve greatest effectiveness 4

MANET routing process Route Request (Src, Dst) A B C D Route Reply (Dst, Src) 5

Basic (Routing) Events Identify the smallest transactions that occur MANET routing Smaller atomic actions occur, but these must be done as transactions 1. Source node sends Route Request 2. Nodes on the path receive and forward 3. Replying node receives Request and sends Route Reply 4. Nodes on the path receive and forward 5. Source node receives Reply and establishes route Anomalous basic event is one that doesn t follow the system specification 6

Taxonomy of anomalous basic events Bold indicates intrusion detection should work Asterisk indicates cryptography can work too Could encrypt routing table edits, but it s expensive 7

Case Study: Ad hoc On-Demand Distance Vector (AODV) Routing Routing protocol for MANET using source and destination names and sequence numbers Nodes keep local sequence number for all messages Routes kept in routing table only when active Node discovers a route when it sends a Route Request (RREQ) and receives a Route Reply (RREP) Nodes on the path watch the RREQ and RREP messages coming in and discover neighbors and paths 8

Two AODV Specification based solutions Node oriented Huang and Lee 04 Message oriented Tseng, et al 03 9

An EFSA for AODV: Node Based Each node maintains an EFSA with the status of every other node in the system Removes non-determinism by letting multiple EFSAs process each event Delete old or unused EFSAs as routes to a node expire Small number of states (8) Transitions generalized and can have both input and output δ = {S old S new, input cond output action } Events that have no input (i.e. timeouts) are treated as inputs State variable assignment, packet delivery, tasks are all outputs 10

11

Designing an IDS for AODV Intrusion detection system (IDS) will check two ways Specification Violations Statistical Deviations 12

Detecting Specification Violations Invalid State Violation Changes in sequence numbers or hop counts in the routing tables Incorrect Transition Violation Add Route or Routing Table Entries (without going through correct state) Delete Route or Routing Table Entries Fabrication of routing messages Unexpected Action Violation Interruption of routing or data messages 13

Detecting Statistical Deviations Attacks that don t lead to specification violations Flooding data packets Flooding routing messages Modification of routing messages Restricted to sequence number modification Rushing of routing messages Discovery fails due to Route Request retries running out or timeout Frequency of transitioning from Route Request to Route Reply message 14

Testing IDS system on each node watches packets in and out and routing table state Samples every five seconds and store EFSA state and variable state 50 nodes wandering in 1 km 2 area for 100,000 seconds (= 27.8 hours) Ten attack runs and two normal runs 15

Results Specification violations Data drop Route drop Add route Delete route Change sequence number, hop count Active reply, False reply Route invasion, Route loop Partition No false positives,100% detection 16

Statistical Deviations Anomalous basic event Flooding of data packets Flooding routing messages Modification of routing messages Rushing of routing messages Detection Rate False Alarm Rate 92±3% 5±1% 91±3% 9±4% 79±10% 32±8% 88±4% 14±2% 17

Discussion Detecting Flooding Traffic over 20 packets per second Modification of Routing Messages Learned by watching for sequence number jumps over a threshold Doesn t work very well since randomly generated sequence number attack isn t always noticed Rushing of Routing Messages Tries to find when node quits waiting early Hard to find because it happens normally when route discovery process terminated Easier to find rushing in returning route received messages because one transition (T11) happens more frequently 18

Another way to do it: Message Oriented Use a network monitor (NM) to watch all messages in a network area NMs keep a tree of all Route Request and Route Reply messages Correlate messages by source, destination, and request ID number NMs share information with each other and nodes If sequence numbers or hop counts change between messages, register attack 19

EFSA for normal behavior 20

EFSA for anomalous behavior 21

Attacks detected Forging sequence numbers, hop count Man in the middle attack NMs will notice declared source doesn t match true source Tunneling attack Route declared is not the one really taken, NMs will notice forwarding is forged 22

Comparison and Discussion Node oriented specification catches routing table attacks Node oriented requires close analysis of protocol to build complex state diagram Once built it can be used for statistical deviation attacks too Message oriented gives a global view of messages sent Can catch network topology attacks better Message oriented could be used for flooding attacks, message modification attacks, and rushing as well or better than node oriented 23

Conclusion Intrusion detection by comparing actual behavior with specification Choice of specification (i.e. node/message orientation) determines what can be detected Not all attacks are specification attacks, so statistical deviation analysis is needed too 24

References AODV: RFC3561 http://www.ietf.org/rfc/rfc3561.txt Huang, Yi-an and Wenke Lee. Attack Analysis and Detection for Ad Hoc Routing Protocols., In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID'04), French Riviera, France. September 2004. Tseng, Chin-Yang, et al. A Specification-based Intrusion Detection System for AODV., In Proceedings of the 1 st ACM Workshop on Security of Ad hoc and Sensor Networks (SASN 03). Fairfax, VA. 2003. Ning, Peng and Kun Sun. How to Misuse AODV: A Case Study of Insider Attacks Against Mobile Ad hoc Routing Protocols. In Proceedings of 2003 IEEE Workshop on Information Assurance. West Point, NY. 2003. 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback