Intrusion Detection Techniques

in Mobile Ad Hoc and Wireless

Sensor Networks - IEEE October
2007
CMSC 681 - Advanced Computer
Networks
Oleg Aulov

MANET and WSN

No wires, Limited battery life, Limited memory
and processing capability
No base stations, Mobile nodes, Nodes relay data
(act as routers)
Usually no centralized authority
Deployed in adverse or hostile environment
Prevention sec.-key distrib. Mgmt. schemes doesnt work once the node is compromised and
the secrets leak. Insiders can cause greater
damage.

IDS-second line of defence

IDS - dynamically monitors the system to detect
compromise of confidentiality, availability and
integrity.
Two common types misuse based - stores database of known attacks
anomaly based - creates normal profile of system states
or user behaviors (difficult to built, mobility
challenges)

Specification based - manually developed specs,

time-consuming

ID in MANET - attacks
Routing logic
compromise blackhole, routing
update storm,
fabrication,
Traffic Distortion dropping, coruption,
flooding
Others - rushing,
wormhole, spoofing

MANET - Existing ResearchZhang et al

Agent attached to each node, performs ID &
response individually
Unsupervised method to construct & select feature
set (dist, velocity, # hops, etc)
Pattern classification problem - apply
RIPPER(decision tree for rule induction) & SVM
Light (support vector machine, when data cannot
be classified by set of features) algorithms
Post Processing - to eliminate false alarms

MANET - Existing Research

Huang et al
Cross-Feature Analysis-learning based method to
capture correlation patterns.
L featires - f1,f2,,fL
fi - feature characterizing topology or route
activities
Solve classification problem Create Set Ci:{f1,,fi-1,fi+1,,fL}, used to
identify temporal correlation between one feature
and all the other features.
Ci - very likely to predict in normal
circumstances, very unlikely during attack

MANET - Existing Research

Huang and Lee
Collaboration with neighbors - broader ID range - more
accurate, more information bout attacks
Cluster based detection scheme - FSM - Initial, Clique,
Done, Lost
Ad hoc On Demand Distance Vector (AODV) algorithm
EFSA - detect state and transition violations
Specification based approach, detects abnormal patterns
and anomalous basic events.

MANET - Existing Research

Marti et al
Watchdog and Pathrater to identify and respond to routing
misbehaviors.
Each node verifies that his data was forwarded correctly.
DSR - dynamic source routing
Rate routes and use more reliable ones.

MANET - Existing Research

Tseng et al

Based on AODV - specification based ID

Detects run time violations
FSM - specify behaviors of AODV
Maintain RREP and RREQ messages

MANET - Existing Research Sun

et al
Use Markov Chains to characterize normal behaviors
Motivated by ZBIDS (zone based) - locally generated
alerts inside the zone
Gateway Nodes - broadcast alerts within the zone
IDMEF (message exchange format) - presented to facilitate
interoperability of IDS agents.

ID in WSN

Secure Localization
GPS not feasible
Utilization of beacon packets and beacon nodes
Du et al - utilize deployment knowledge to
confirm beacon integrity
Liu et al - filter out malicious location references
using
Mean square error
Compute inconsistency
Voting based location estimation

Secure Aggregation
Wagner - robust statistics for resilient aggregation,
truncation, trimming
Yang - Secure Hop by Hop Aggregation Protocol
(SDAP)
Divide and conquer
Commit and attest
Grubbs test
Buttyan - RANSAC paradigm for resilient aggregation.
maximum likehood estimation

Future Research Directions

Extended Kalman Filter Based
Aggregation - light weight
solution for estimation of
neighbor monitoring features
Integration of Mobility and ID
in MANET - consideration to
use link change rate as an
indication of mobility.
Collaboration of IDM and SMM
(sys. Mon.) - to address a
problem of detecting abnormal
event vs. false alarm. - ask the
surrounding nodes to confirm

Questions ???