Intrusion Detection Techniques in Mobile Ad Hoc and Wireless Sensor Networks - IEEE October 2007
CMSC 681 - Advanced Computer Networks
Oleg Aulov

MANET and WSN
- No wires, limited battery life, limited memory and processing capability
- No base stations, mobile nodes, nodes relay data (act as routers)
- Usually no centralized authority
- Deployed in adverse or hostile environments
- Prevention (sec. key distribution and management schemes) doesn't work once a node is compromised and the secrets leak; insiders can cause greater damage
- IDS - second line of defence

IDS
- Dynamically monitors the system to detect compromise of confidentiality, availability and integrity
- Two common types:
  - misuse based - stores a database of known attacks
  - anomaly based - creates a normal profile of system states or user behaviors (difficult to build; mobility challenges)
- Specification based - manually developed specifications, time-consuming

ID in MANET - attacks
- Routing logic compromise: blackhole, routing update storm, fabrication
- Traffic distortion: dropping, corruption, flooding
- Others: rushing, wormhole, spoofing

MANET - Existing Research: Zhang et al.
- An agent attached to each node performs ID and response individually
- Unsupervised method to construct and select the feature set (distance, velocity, number of hops, etc.)
- Pattern classification problem - apply RIPPER (decision tree for rule induction) and SVM Light (support vector machine, when data cannot be classified by a set of features) algorithms
- Post-processing - to eliminate false alarms

MANET - Existing Research: Huang et al.
- Cross-Feature Analysis - learning-based method to capture correlation patterns
- L features: f1, f2, ..., fL
- fi - a feature characterizing topology or route activities
- Solve a classification problem
- Create the set Ci: {f1, ..., fi-1, fi+1, ..., fL}, used to identify the temporal correlation between one feature and all the other features
- Ci - very likely to predict fi in normal circumstances, very unlikely during an attack

MANET - Existing Research: Huang and Lee
- Collaboration with neighbors - broader ID range - more accurate, more information about attacks
- Cluster-based detection scheme - FSM - Initial, Clique, Done, Lost
- Ad hoc On-Demand Distance Vector (AODV) algorithm
- EFSA - detect state and transition violations
- Specification-based approach, detects abnormal patterns and anomalous basic events

MANET - Existing Research: Marti et al.
- Watchdog and Pathrater to identify and respond to routing misbehaviors
- Each node verifies that its data was forwarded correctly
- DSR - Dynamic Source Routing
- Rate routes and use the more reliable ones

MANET - Existing Research: Tseng et al.
- Based on AODV - specification-based ID
- Detects run-time violations
- FSM - specifies the behaviors of AODV
- Maintain RREP and RREQ messages

MANET - Existing Research: Sun et al.
- Use Markov chains to characterize normal behaviors
- Motivated by ZBIDS (zone-based) - locally generated alerts inside the zone
- Gateway nodes - broadcast alerts within the zone
- IDMEF (message exchange format) - presented to facilitate interoperability of IDS agents

ID in WSN - Secure Localization
- GPS not feasible
- Utilization of beacon packets and beacon nodes
- Du et al. - utilize deployment knowledge to confirm beacon integrity
- Liu et al. - filter out malicious location references using:
  - mean square error
  - computed inconsistency
  - voting-based location estimation

ID in WSN - Secure Aggregation
- Wagner - robust statistics for resilient aggregation: truncation, trimming
- Yang - Secure Hop-by-Hop Aggregation Protocol (SDAP)
  - divide and conquer
  - commit and attest
  - Grubbs' test
- Buttyan - RANSAC paradigm for resilient aggregation, maximum likelihood estimation

Future Research Directions
- Extended Kalman Filter based aggregation - lightweight solution for estimation of neighbor monitoring features
- Integration of mobility and ID in MANET - consider using the link change rate as an indication of mobility
- Collaboration of IDM and SMM (system monitoring) - to address the problem of telling an abnormal event from a false alarm: ask the surrounding nodes to confirm

Questions ???
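The Cross-Feature Analysis idea from the Huang et al. slide, as an added worked example (this is not code from the paper or from the slides). Each feature f_i is predicted from the other features C_i; the predictor here is a smoothed conditional frequency table learned on normal traffic, an assumption of this example standing in for the rule and decision-tree learners the paper uses. The feature names, the discretized training records and the "RREQ storm" record are all constructed.

```python
"""Cross-Feature Analysis (CFA) anomaly detector.

Added example written from the Huang et al. slide, not code from the paper.
Each feature f_i is predicted from C_i = {f_1..f_{i-1}, f_{i+1}..f_L} with a
conditional frequency table learned on normal traffic (assumption: the paper
uses rule/decision-tree learners in this role). A record's score is the
average probability the L predictors assign to its observed values: high in
normal operation, low when the correlations break during an attack.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, ...]  # one discretized feature vector per sampling window


class CrossFeatureDetector:
    def __init__(self, feature_names: List[str], alpha: float = 1.0) -> None:
        self.feature_names = feature_names
        self.L = len(feature_names)
        self.alpha = alpha  # Laplace smoothing so unseen contexts never score exactly 0
        # tables[i][context] -> Counter of f_i values observed with that context
        self.tables: List[Dict[Record, Counter]] = [defaultdict(Counter) for _ in range(self.L)]
        self.domains: List[set] = [set() for _ in range(self.L)]

    @staticmethod
    def _context(rec: Record, i: int) -> Record:
        """C_i: the record with feature i removed."""
        return rec[:i] + rec[i + 1:]

    def train(self, normal_records: Iterable[Record]) -> None:
        """Learn P(f_i | C_i) for every i from attack-free records."""
        for rec in normal_records:
            for i in range(self.L):
                self.tables[i][self._context(rec, i)][rec[i]] += 1
                self.domains[i].add(rec[i])

    def _prob(self, i: int, rec: Record) -> float:
        """Smoothed P(f_i = observed value | C_i) for one record."""
        counts = self.tables[i].get(self._context(rec, i), Counter())
        total = sum(counts.values())
        k = max(len(self.domains[i]), 1)
        return (counts[rec[i]] + self.alpha) / (total + self.alpha * k)

    def score(self, rec: Record) -> float:
        """Average over the L predictors; near 1 for normal records."""
        return sum(self._prob(i, rec) for i in range(self.L)) / self.L

    def fit_threshold(self, normal_records: List[Record], margin: float = 0.1) -> float:
        """Lowest score seen on the normal data, minus a safety margin."""
        return min(self.score(r) for r in normal_records) - margin

    def is_anomalous(self, rec: Record, threshold: float) -> bool:
        return self.score(rec) < threshold


# Constructed feature set (assumption): rates of RREQ/RREP messages and
# route-table changes per window, each discretized to low/med/high.
FEATURES = ["rreq_rate", "rrep_rate", "route_changes"]


def constructed_normal_traffic() -> List[Record]:
    """Constructed training data: under normal AODV operation the three
    features move together across quiet, moderate and busy periods."""
    quiet = [("low", "low", "low")] * 20
    busy = [("high", "high", "high")] * 20
    moderate = [("med", "med", "med")] * 10 + [("med", "med", "low")] * 2
    return quiet + busy + moderate


def demo() -> Dict[str, object]:
    det = CrossFeatureDetector(FEATURES)
    normal = constructed_normal_traffic()
    det.train(normal)
    threshold = det.fit_threshold(normal)
    ordinary = ("low", "low", "low")
    storm = ("high", "low", "low")  # constructed: many RREQs, no matching RREPs
    return {
        "threshold": threshold,
        "normal_score": det.score(ordinary),
        "attack_score": det.score(storm),
        "normal_flagged": det.is_anomalous(ordinary, threshold),
        "attack_flagged": det.is_anomalous(storm, threshold),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The threshold comes from the normal data itself, which is the point of the anomaly-based approach: nothing about the storm record was ever labelled, it simply violates the learned correlation between request and reply rates. Note that the two noisy ("med", "med", "low") training records pull the threshold down; in practice the margin and the amount of normal data decide the false-alarm rate.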
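The three Liu et al. bullets on the Secure Localization slide (mean square error, inconsistency, voting-based estimation) carried through in one added example; this is not the authors' code. A location reference is a beacon position plus a claimed distance; each reference votes for the grid cells its distance ring overlaps, the most-voted cells give the estimate, and references whose residual against that estimate is large are filtered out. The field size, cell size, tolerance, beacon positions, ranging noise and the forged reference are all constructed assumptions.

```python
"""Voting-based location estimation with malicious-reference filtering.

Added example written from the Liu et al. bullets, not code from the paper.
Each reference (beacon_x, beacon_y, claimed_distance) votes for every grid cell
whose distance range to the beacon overlaps [d - eps, d + eps]. Honest
references agree on the cells around the true position; a forged distance
votes for a different ring and is outnumbered. The mean square error of the
claimed distances against the estimate measures the set's inconsistency, and
references with a large residual are dropped before the final estimate.
"""
from math import hypot
from typing import Dict, List, Tuple

Ref = Tuple[float, float, float]  # (beacon_x, beacon_y, claimed_distance)


def cell_distance_range(bx: float, by: float, x0: float, y0: float, x1: float, y1: float):
    """Min and max distance from beacon (bx, by) to the cell [x0,x1] x [y0,y1]."""
    nx = min(max(bx, x0), x1)  # nearest point of the cell to the beacon
    ny = min(max(by, y0), y1)
    dmin = hypot(bx - nx, by - ny)
    dmax = max(hypot(bx - cx, by - cy) for cx in (x0, x1) for cy in (y0, y1))
    return dmin, dmax


def vote_estimate(refs: List[Ref], field: float = 20.0, cell: float = 0.5, eps: float = 0.3):
    """Centroid of the grid cells that collected the most votes."""
    n = int(round(field / cell))
    best_votes, best_cells = -1, []
    for ix in range(n):
        for iy in range(n):
            x0, y0 = ix * cell, iy * cell
            x1, y1 = x0 + cell, y0 + cell
            votes = 0
            for bx, by, d in refs:
                dmin, dmax = cell_distance_range(bx, by, x0, y0, x1, y1)
                if dmax >= d - eps and dmin <= d + eps:  # ring overlaps the cell
                    votes += 1
            centre = (x0 + cell / 2, y0 + cell / 2)
            if votes > best_votes:
                best_votes, best_cells = votes, [centre]
            elif votes == best_votes:
                best_cells.append(centre)
    return (sum(c[0] for c in best_cells) / len(best_cells),
            sum(c[1] for c in best_cells) / len(best_cells))


def residuals(est, refs: List[Ref]) -> List[float]:
    """|distance(estimate, beacon) - claimed distance| per reference."""
    return [abs(hypot(est[0] - bx, est[1] - by) - d) for bx, by, d in refs]


def mean_square_error(est, refs: List[Ref]) -> float:
    r = residuals(est, refs)
    return sum(v * v for v in r) / len(r)


def secure_localize(refs: List[Ref], max_residual: float = 2.0, **grid) -> Dict[str, object]:
    """Vote, flag inconsistent references, then re-estimate from the rest."""
    first = vote_estimate(refs, **grid)
    res = residuals(first, refs)
    flagged = [i for i, r in enumerate(res) if r > max_residual]
    honest = [ref for i, ref in enumerate(refs) if i not in flagged]
    final = vote_estimate(honest, **grid)
    return {"estimate": final, "flagged": flagged,
            "mse_all": mean_square_error(first, refs),
            "mse_filtered": mean_square_error(final, honest)}


# Constructed scenario: the ground truth is used only to build sample references.
TRUE_POS = (7.3, 11.6)
BEACONS = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0), (20.0, 20.0), (10.0, 10.0)]
NOISE = [0.1, -0.2, 0.15, -0.1, 0.05]  # constructed ranging error per honest beacon


def constructed_references() -> List[Ref]:
    refs = [(bx, by, hypot(TRUE_POS[0] - bx, TRUE_POS[1] - by) + e)
            for (bx, by), e in zip(BEACONS, NOISE)]
    refs.append((15.0, 3.0, 3.0))  # compromised beacon: forged distance (true is about 11.5)
    return refs


def demo() -> Dict[str, object]:
    result = secure_localize(constructed_references())
    est = result["estimate"]
    result["error"] = hypot(est[0] - TRUE_POS[0], est[1] - TRUE_POS[1])
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The voting step tolerates the forged reference because a single vote cannot outweigh the agreeing honest ones; the residual check then removes it so that the final estimate and the reported inconsistency are computed from consistent references only. The tolerance eps must cover the honest ranging error, otherwise honest references start losing votes too.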
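The Wagner bullet on the Secure Aggregation slide (truncation and trimming as resilient aggregation), as an added example that is not code from the paper or the slides. Two compromised sensors inject extreme readings; the plain mean, the truncated mean, the trimmed mean and the median are compared on the same constructed data. The readings, the plausible range and the trim count are assumptions made here.

```python
"""Resilient aggregation with robust statistics.

Added example written from the Wagner bullet, not code from the paper.
A few compromised sensors report extreme values to skew the aggregate: the
plain mean is pulled far from the honest readings, truncating to the plausible
range bounds the damage each reading can do, and a trimmed mean or median
discards the outliers outright.
"""
from statistics import median
from typing import Dict, List


def mean(xs: List[float]) -> float:
    return sum(xs) / len(xs)


def truncate(readings: List[float], lo: float, hi: float) -> List[float]:
    """Clip every reading into [lo, hi]; a forged reading is worth at most hi."""
    return [min(max(x, lo), hi) for x in readings]


def trimmed_mean(readings: List[float], k: int) -> float:
    """Drop the k smallest and k largest readings, then average the rest."""
    if 2 * k >= len(readings):
        raise ValueError("not enough readings to trim")
    ordered = sorted(readings)
    kept = ordered[k:len(ordered) - k]
    return sum(kept) / len(kept)


def aggregate(readings: List[float], lo: float = -10.0, hi: float = 50.0, k: int = 2) -> Dict[str, float]:
    """Every aggregator side by side; lo/hi is the assumed plausible range."""
    return {
        "mean": mean(readings),
        "truncated_mean": mean(truncate(readings, lo, hi)),
        "trimmed_mean": trimmed_mean(readings, k),
        "median": median(readings),
    }


# Constructed sample: 18 honest temperature readings (C) from one cluster.
HONEST = [20.1, 20.4, 20.6, 20.8, 21.0, 21.0, 21.1, 21.2, 21.3,
          21.3, 21.4, 21.5, 21.6, 21.7, 21.9, 22.0, 22.2, 22.5]
# Constructed: two compromised nodes each report 200 C.
FORGED = [200.0, 200.0]


def demo() -> Dict[str, Dict[str, float]]:
    return {"clean": aggregate(HONEST), "attacked": aggregate(HONEST + FORGED)}


if __name__ == "__main__":
    for label, stats in demo().items():
        print(label, {name: round(v, 2) for name, v in stats.items()})
```

Truncation is the weakest of the three but always applicable: with n contributors each forged reading can move the truncated mean by at most (hi - lo) / n. Trimming removes the forged readings entirely, but only while k is at least the number of compromised contributors; if an attacker controls more nodes than the trim count, the trimmed mean is skewed just like the plain one, which is why the slide pairs these statistics with the attestation and outlier-test mechanisms of SDAP.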