Intrusion detection techniques in mobile ad hoc and wireless sensor networks
BO SUN, LAWRENCE OSBORNE, YANG XIAO, SGHAIER GUIZANI
IEEE Wireless Communications, Volume 14, Issue 5, October 2007
Presented by Yu-Shun Wang (王猷順)
OP LAB, IM NTU
BO SUN [M] received his Ph.D. degree in computer science from Texas A&M University, College Station, in 2004.
He is now an assistant professor in the Department of Computer Science at Lamar University.
His research interests include the security issues of wireless ad hoc networks, wireless sensor networks, cellular mobile networks, and other communications systems.
LAWRENCE OSBORNE received a Ph.D. in computer science from the University of Missouri-Rolla in 1989.
He is now a professor of computer science at Lamar University.
His research interests include algorithms for routing and localization in MANETs and wireless sensor networks, databases in sensor networks, satellite networks, and distributed systems.
YANG XIAO [SM] is currently with the Department of Computer Science at the University of Alabama.
He was a voting member of the IEEE 802.11 Working Group from 2001 to 2004.
His research areas are security, telemedicine, and wireless networks.
He currently serves as Editor-in-Chief for International Journal of Security and Networks, International Journal of Sensor Networks, and International Journal of Telemedicine and Applications.
SGHAIER GUIZANI obtained a Ph.D. in telecommunication from the University of Quebec Trois-Rivières, Canada.
He is currently working as an assistant professor at Qatar University in the Mathematics and Computer Department.
His research interests are in the areas of optical fiber communication systems, radio over fiber, wireless network architectures, and wireless communication.
1. Introduction
2. Intrusion Detection Techniques
3. Intrusion Detection in a MANET
   — Attack Models
   — Existing Research
4. Intrusion Detection in a WSN
   — Challenges
   — Secure Localization in WSNs
   — Secure Aggregation in WSNs
   — Extended Kalman Filter-Based Secure Aggregation for a WSN
5. Conclusion
1. Introduction
                         MANET                                    WSN
Communication            Through a wireless mechanism (both)
Deployment environment   Often in adverse or even hostile environments (both)
Component                Mobile nodes                             Sensor nodes
Application              Military applications                    Wide range of applications
• Reasons that make MANETs and WSNs more vulnerable to malicious attacks
  – For a MANET: the open medium, the dynamic topology, and the absence of a central management point.
  – For a WSN: the lack of physical security combined with unattended operation makes sensor nodes prone to a high risk of being captured and compromised.
• So far, research to find security solutions for MANETs and WSNs has originated from the prevention point of view.
• However, prevention-based approaches cannot totally eliminate intrusions.
• Therefore, intrusion detection systems (IDSs), serving as the second line of defense, are indispensable for a highly secured information system.
2. Intrusion Detection Techniques
Misuse-based detection encodes known attack signatures and system vulnerabilities. If it finds a match between current activities and the signatures, an alarm is generated.
But it is not effective at detecting novel attacks.
Anomaly-based detection creates normal profiles of system states or user behaviors and compares them with current activities. If a significant deviation is observed, the IDS raises an alarm.
Anomaly detection can detect unknown attacks. However, normal profiles are usually very difficult to build.
Specification-based detection combines the advantages of misuse detection and anomaly detection, using manually developed specifications to characterize legitimate system behaviors.
However, the development of detailed specifications can be time-consuming.
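The three approaches side by side, as an added example that is not code from the paper or the presentation: one constructed observation window per monitored neighbour is run through a signature check, a profile-based z-score check and a hand-written forwarding specification. The window format, the 50-packet storm signature, the 3-sigma rule, the forwarding tolerance and the training windows are all assumptions of this example. The silently dropping node has no signature, so misuse detection misses it while the other two catch it; the control-packet storm matches the signature and the learned profile, and the forwarding specification is untouched by it.

```python
import statistics

# Constructed observation window for one monitored neighbour (not data from the
# paper): routing control packets it sent, data packets it accepted to forward,
# and how many of those it was overheard forwarding.
def window(ctrl, accepted, forwarded):
    return {"ctrl": ctrl, "accepted": accepted, "forwarded": forwarded}

# Misuse detection: hand-written signatures of known attacks. The 50-packet
# threshold for a routing update storm is an assumed signature value.
SIGNATURES = {"routing update storm": lambda w: w["ctrl"] > 50}

def misuse_detect(w):
    return [name for name, matches in SIGNATURES.items() if matches(w)]

def forward_ratio(w):
    return w["forwarded"] / w["accepted"] if w["accepted"] else 1.0

def build_profile(training):
    """Anomaly detection needs a normal profile: mean and standard deviation of
    every feature over attack-free training windows."""
    features = {"ctrl": [w["ctrl"] for w in training],
                "ratio": [forward_ratio(w) for w in training]}
    return {name: (statistics.mean(v), statistics.pstdev(v)) for name, v in features.items()}

def anomaly_detect(w, profile, k=3.0):
    """Flag every feature more than k standard deviations away from its profile."""
    flagged = []
    for name, value in (("ctrl", w["ctrl"]), ("ratio", forward_ratio(w))):
        mean, sd = profile[name]
        if abs(value - mean) > k * max(sd, 1e-9):
            flagged.append(name)
    return flagged

def specification_detect(w, tolerance=2):
    """Specification-based detection: the manually written specification says a
    legitimate node forwards every data packet it accepted for forwarding, with a
    small allowance for packets still in flight. No training, no attack knowledge."""
    return ["forwarding specification violated"] if w["accepted"] - w["forwarded"] > tolerance else []

def detect_all(w, profile):
    return {"misuse": misuse_detect(w), "anomaly": anomaly_detect(w, profile),
            "specification": specification_detect(w)}

# Constructed windows: attack-free training data, one normal window, a node that
# silently drops what it accepts (no signature exists for it), and a control-packet storm.
TRAINING = [window(c, a, f) for c, a, f in
            [(8, 40, 40), (12, 35, 34), (10, 50, 49), (9, 44, 44), (11, 38, 38)]]
NORMAL = window(10, 42, 42)
DROPPER = window(10, 45, 3)
STORM = window(200, 40, 40)

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for label, w in [("normal", NORMAL), ("dropper", DROPPER), ("storm", STORM)]:
        print(label, detect_all(w, profile))
```

The trade-off on the slides shows up directly: the signature list knows nothing about the dropper, the profile only works because the five training windows were attack-free and representative, and the specification needed someone to write down what correct forwarding means.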
3. Intrusion Detection in a MANET — Attack Models
Attack Model
Routing Logic Compromise: the typical attack scenario is modification of various fields in routing control packets.
Traffic Distortion: attacks such as packet dropping, packet corruption, and data flooding.
Combinations of the attacks mentioned above.
                 Routing Logic Compromise                     Traffic Distortion
Purpose          Disarrange routing                           Save power, or prevent others from receiving data
Attack method    Modify routing control packets               Randomly, periodically, or selectively drop received packets
Attack target    Route request, reply, or error messages      Every packet the attacker receives is a potential target
Example          Black hole, routing update storm             Packet corruption, data flooding
3. Intrusion Detection in a MANET — Existing Research
Existing Research
Feature selection: a learning-based method uses cross-feature analysis to capture inter-feature correlation patterns.
Pattern classification: based on the identified feature set, a decision-tree-equivalent classifier performs rule induction, so the system can classify observed activities as normal or intrusive.
Existing Research (cont.): watchdog and pathrater
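The watchdog and pathrater mechanism (Marti et al.), as an added example that is not code from the paper or the presentation: the forwarding node keeps a copy of each packet until it overhears the next hop retransmit it, charges a failure to that next hop when the copy times out, and the pathrater ranks routes by the mean rating of their nodes. The topology, the ten-packet trace, the timeout and the failure threshold are constructed; the rating constants (0.5 for unknown nodes, 1.0 for self, -100 for misbehaving, +0.01 reward capped at 0.8, -0.05 on a link break) follow the original scheme, but the bookkeeping is simplified.

```python
from collections import defaultdict

class Watchdog:
    """Runs on the node that just forwarded a packet: keep a copy until the next
    hop is overheard retransmitting it; a copy that times out is a failure
    charged to that next hop, and too many failures mark it as misbehaving."""
    def __init__(self, timeout=1.0, threshold=5):
        self.timeout, self.threshold = timeout, threshold
        self.pending = {}                   # packet id -> (next hop, time sent)
        self.failures = defaultdict(int)
        self.misbehaving = set()

    def sent(self, pkt_id, next_hop, now):
        self.pending[pkt_id] = (next_hop, now)

    def overheard(self, pkt_id, transmitter):
        hop_and_time = self.pending.get(pkt_id)
        if hop_and_time and hop_and_time[0] == transmitter:   # the next hop really forwarded it
            del self.pending[pkt_id]

    def tick(self, now):
        """Expire stale copies; returns the current set of misbehaving nodes."""
        for pkt_id, (hop, t_sent) in list(self.pending.items()):
            if now - t_sent > self.timeout:
                del self.pending[pkt_id]
                self.failures[hop] += 1
                if self.failures[hop] > self.threshold:
                    self.misbehaving.add(hop)
        return set(self.misbehaving)


class Pathrater:
    """Per-node ratings: self 1.0, unknown 0.5, misbehaving -100; a path is
    rated by the mean rating of its nodes and the best-rated path is used."""
    def __init__(self, me):
        self.me, self.rating = me, {me: 1.0}

    def rate(self, node):
        return self.rating.get(node, 0.5)

    def mark_misbehaving(self, node):
        self.rating[node] = -100.0

    def link_broke(self, node):
        self.rating[node] = self.rate(node) - 0.05

    def reward_active(self, path):
        """Slowly raise the rating of well-behaved nodes on a path in use, capped at 0.8."""
        for node in path:
            if node != self.me and self.rate(node) >= 0:
                self.rating[node] = min(0.8, self.rate(node) + 0.01)

    def path_rating(self, path):
        return sum(self.rate(n) for n in path) / len(path)

    def choose(self, paths):
        """Best path, or None when every known path is negative (fall back to route discovery)."""
        best = max(paths, key=self.path_rating)
        return best if self.path_rating(best) >= 0 else None


def simulate():
    """Constructed trace: S can reach D via C or via A and B. S forwards ten
    packets through C, but C retransmits only the first four."""
    wd, pr = Watchdog(timeout=1.0, threshold=5), Pathrater("S")
    paths = [["S", "C", "D"], ["S", "A", "B", "D"]]
    first_choice = pr.choose(paths)            # equal ratings: the shorter path via C scores higher
    for i in range(10):
        wd.sent(i, "C", now=float(i))
        if i < 4:
            wd.overheard(i, "C")
    misbehaving = wd.tick(now=12.0)             # six copies timed out: C exceeds the threshold
    for node in misbehaving:
        pr.mark_misbehaving(node)
    return first_choice, misbehaving, pr.choose(paths)
```

The original paper lists what this overhearing check cannot resolve: ambiguous and receiver collisions (the forwarder's retransmission is not heard although it happened, or is heard although the receiver got nothing), a node that limits its transmission power so the watchdog hears it but the next hop does not, colluding nodes that cover for each other, and partial dropping kept just below the failure threshold.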
Existing Research (cont.): zone-based intrusion detection system (ZBIDS)
4. Intrusion Detection in a WSN — Challenges
Challenges
Similar to security research in a MANET, many approaches have been proposed for a WSN.
But due to many of its features, prevention-based schemes are inadequate once sensor nodes have been compromised.
Challenges (cont.)
A WSN has a limited power supply, thus requiring energy-efficient protocols and applications to maximize the lifetime of the sensor network.
Besides, sensor nodes are prone to failure, which results in frequent network topology changes.
Also, a WSN is usually densely deployed, causing serious radio channel contention and scalability problems.
4. Intrusion Detection in a WSN — Secure Localization in WSNs
Secure Localization
Due to cost considerations, it is still not practical to equip every sensor node with a global positioning system (GPS) receiver.
To utilize localization protocols, some special nodes, called beacon nodes, are often used.
However, beacon nodes may be compromised, thus providing incorrect information to non-beacon nodes.
Secure Localization (cont.)
Utilizing deployment knowledge of a WSN, and based on the fact that the probability distribution functions of sensor locations can usually be modeled prior to deployment, W. Du, L. Fang, and P. Ning [11], "LAD: Localization Anomaly Detection for Wireless Sensor Networks," propose that each non-beacon node can efficiently detect location anomalies.
Assume that sensor nodes are static once they are deployed.
Define the deployment point of a sensor as the point location where the sensor is to be deployed.
Also define the resident point of a sensor as the point location where the sensor finally resides.
After deployment, each node can estimate its neighbors based on deployment knowledge.
Then it compares the estimate with its actual observation.
If the inconsistency rate is higher than a threshold, it concludes that there is an anomaly.
Process overview
After deployment, the node compares its actual observation with the estimation based on deployment knowledge.
Inconsistency rate > threshold? Yes: there exists an anomaly. No: no anomaly.
Three metrics for anomaly detection: the difference metric, the add-all metric, and the probability metric.
Among these, the Diff metric performs the best.
The difference metric (terms of the formula)
Probability that a node belonging to group i becomes a neighbor of a node located at L_e
Total number of nodes in group i
Coordinates of L_e
Deployment point of group i
The node's actual observation
Obtaining the Thresholds Using Training
We are targeting a specific localization application in sensor networks.
Thus, it is likely to observe most (if not all) of the normal behaviors during the training process.
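The difference metric worked through, as an added example that is not code from the LAD paper or the presentation. Deployment knowledge is modelled as one Gaussian cloud per group: the expected number of neighbours from group i at the estimated location L_e is n_i times the group's density integrated over the radio disc around L_e, and Diff sums |observed - expected| over the groups. The deployment points, group sizes, sigma, radio range, the training samples, the safety margin on the trained threshold and the observed neighbour lists are all constructed; compromised beacons are modelled simply by localisation returning a wrong L_e.

```python
import math

# Constructed deployment knowledge (not from the LAD paper): four groups of
# 100 sensors dropped around these deployment points, each scattering as a
# 2-D Gaussian with standard deviation SIGMA metres; radio range RADIUS metres.
DEPLOYMENT = {"A": ((0.0, 0.0), 100), "B": ((50.0, 0.0), 100),
              "C": ((0.0, 50.0), 100), "D": ((50.0, 50.0), 100)}
SIGMA = 10.0
RADIUS = 15.0

def neighbor_probability(dep_point, location, sigma=SIGMA, radius=RADIUS, steps=120):
    """Probability that a node of the group deployed at dep_point lands within
    `radius` of `location`: the group's Gaussian pdf integrated over the disc
    on a steps x steps grid (midpoint rule)."""
    (cx, cy), (lx, ly) = dep_point, location
    cell = 2 * radius / steps
    norm = cell * cell / (2 * math.pi * sigma * sigma)
    total = 0.0
    for i in range(steps):
        x = lx - radius + (i + 0.5) * cell
        for j in range(steps):
            y = ly - radius + (j + 0.5) * cell
            if (x - lx) ** 2 + (y - ly) ** 2 <= radius * radius:
                total += norm * math.exp(-((x - cx) ** 2 + (y - cy) ** 2) / (2 * sigma * sigma))
    return total

def diff_metric(estimated_location, observed_groups, deployment=DEPLOYMENT):
    """Diff metric: sum over groups i of |o_i - n_i * p_i(L_e)|, where o_i is the
    number of observed neighbours from group i and n_i * p_i(L_e) the number
    expected if the node really were at the estimated location L_e."""
    return sum(abs(observed_groups.count(g) - n_i * neighbor_probability(dp, estimated_location))
               for g, (dp, n_i) in deployment.items())

def train_threshold(honest_samples, margin=2.0):
    """Threshold from training: the largest Diff seen for honest localisations,
    times a safety margin (the margin value is an assumption of this example)."""
    return margin * max(diff_metric(loc, obs) for loc, obs in honest_samples)

def location_is_anomalous(estimated_location, observed_groups, threshold):
    return diff_metric(estimated_location, observed_groups) > threshold

# Constructed observations. The node physically sits at (5, 0), inside group A's cloud.
OBSERVED = ["A"] * 60 + ["B"]
HONEST_ESTIMATE = (5.0, 0.0)     # localisation result with honest beacons
SPOOFED_ESTIMATE = (45.0, 0.0)   # result when compromised beacons lie about their positions
TRAINING = [((5.0, 0.0), ["A"] * 58 + ["B"]),
            ((5.0, 0.0), ["A"] * 65),
            ((5.0, 0.0), ["A"] * 61 + ["B"] * 2)]
THRESHOLD = train_threshold(TRAINING)

if __name__ == "__main__":
    for name, loc in [("honest", HONEST_ESTIMATE), ("spoofed", SPOOFED_ESTIMATE)]:
        print(name, round(diff_metric(loc, OBSERVED), 2), location_is_anomalous(loc, OBSERVED, THRESHOLD))
```

An honestly localised node sees a Diff well below the trained threshold; a node whose beacons pushed it to (45, 0) expects mostly group-B neighbours and hears almost none, so every group term of the sum is large. The metric only sees displacements that change the expected neighbour mix: a beacon attack that shifts L_e by a distance small compared with sigma changes the expected counts little and stays under the threshold.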
4. Intrusion Detection in a WSN — Secure Aggregation in WSNs
Secure Aggregation in WSNs
Aggregation has become one of the required operations for a WSN to save energy.
The aggregation function may be: average, sum, maximum, minimum, count, etc.
If one node is compromised, it can send false reports to other nodes.
High-level nodes (i.e., nodes closer to the root) have a higher influence on the aggregation result than low-level nodes.
Secure Aggregation in WSNs (cont.)
Using robust statistics for resilient aggregation: truncation and trimming techniques help improve the resilience of aggregation functions.
RANSAC (random sample consensus) is an outlier elimination technique that uses maximum likelihood estimation (MLE) as its estimating method. Outlier measurements can be filtered out even if a large number of sensor nodes are compromised.
But what if an anomaly did indeed occur? Readings of a real unusual event would be discarded as outliers too.
Secure Aggregation in WSNs (cont.)
Secure Hop-by-Hop Data Aggregation Protocol [14]: Y. Yang et al., "SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks," ACM MobiHoc '06, Florence, Italy, 2006, pp. 356–67.
Different from the approaches mentioned before, this one does not simply eliminate the "outliers".
In this way, it avoids removing "real" data.
Assume the BS cannot be compromised, and that it has a secure mechanism to authenticate its broadcast messages to all the nodes.
Assume every node can verify the received broadcast messages and has an individual secret key shared with the BS.
Further, there is a unique pairwise key shared between each pair of neighboring nodes.
We do not consider the attack where a compromised node forges a false reading of its own as a value-changing attack; the impact of such an attack is usually limited, because such a compromised node is very much like a faulty sensor node.
In this case, we have to rely on an outlier detection algorithm or a content-based attestation scheme.
Process overview
1. Tree construction.
2. Node grouping and data aggregation.
3. Does a suspicious value exist? No: trust the value and the process ends. Yes: start verification.
4. Any abnormal node detected? No: trust the value. Yes: discard the suspicious value.
Tree Construction
Initially, the root broadcasts a tree construction message that includes its own id and its depth, set to 0.
After receiving a broadcast message, each node increases the depth value by one and sets its parent to be the broadcasting node.
This process continues until all nodes have received this message.
Tree Construction (cont.)
After constructing the aggregation tree, the BS can disseminate the aggregation query message through this tree.
A random number (Sg) added to the query is used for the probabilistic grouping in the next phase.
Node grouping & data aggregation
In this phase, SDAP randomly groups all the nodes into multiple logical groups and performs aggregation in each group.
Grouping is conducted through the selection of a leader node for each group.
Leader nodes are selected by a probabilistic method based on the count values and the grouping seed Sg received in the last phase.
Node grouping & data aggregation (cont.)
With the random number (Sg), the BS can rotate the leaders among nodes instead of fixing their roles.
Once a node becomes a leader, all the nodes in its subtree that have not been grouped yet become members of its group.
The resulting group sizes are roughly even with a small deviation, since the grouping function is uniformly distributed.
Node grouping & data aggregation (cont.)
During aggregation, each aggregation packet contains the sender's id, an aggregated data value, and a count value.
In addition, a flag field is contained in each packet to show whether the aggregate needs to be aggregated further or not.
Three types of aggregation are performed: leaf node aggregation, intermediate node aggregation, and leader node aggregation.
Node grouping & data aggregation (cont.): Leaf node aggregation
A leaf node just sends its id, data, and count value to its parent (it also keeps a local copy until the attestation phase is completed).
Packet form: node id | aggregation flag | count value | the reading of node u
Node grouping & data aggregation (cont.): Intermediate node aggregation
When an intermediate node receives an aggregate from its child node, it first checks the flag.
For a received packet with flag 0, the node first keeps a local copy of the aggregate (until the attestation phase is done), and then decrypts the data and performs some simple checking on the validity of the count.
If the aggregate packet does not pass this checking, the node discards the packet. Otherwise, it further aggregates its own reading with all the aggregates received.
Packet form: node id | aggregation flag | count value | the aggregated value
Node grouping & data aggregation (cont.): Leader node aggregation
The leader node encrypts the new aggregate with its individual key and sets the flag to 1 in its aggregation packet.
A flag set to 1 means this packet may travel through more than one hop.
Node grouping & data aggregation (cont.)
When a sensor node receives an aggregation packet with flag 1, it records the id of the group leader and the incoming link in its forwarding table.
In this way, when the BS later sends out an attestation request regarding this group, the node knows where to forward this request.
Does a suspicious value exist?
First, the BS verifies whether the packet is from a legitimate group leader. Then it uses Grubbs' test to detect outliers, since we expect the attacker to forge aggregated data that have a non-trivial influence on the final result.
Those groups which contain an outlier become suspicious ones.
Verification
The BS broadcasts an attestation message to the group leader which needs to be attested.
The leader node dynamically decides the next hop on the attestation path based on probability. A selected child runs the same process to select one of its own children, forming the path.
Each node on the path sends back its count value and its own reading. Besides, its parent also asks its siblings to send back their count values, aggregation data, and their MACs.
Verification (cont.)
Assume that the BS wants to attest the group with leader node x and the attestation path in this group is x−w−v−u.
Verification (cont.)
After the BS decrypts the received data, it first verifies whether w, v and u are really the nodes on the attestation path.
Then, it verifies whether the count value of every node is correct.
Verification (cont.)
If those checks succeed, the BS aggregates the data by itself and reconstructs the aggregation result.
It can also reconstruct MACx using these data.
Any abnormal node detected?
The BS compares the reconstructed aggregation result with the previously received one.
Then, the BS checks whether the MAC value is consistent.
Only when both values match the previously received ones does the BS accept the data.
Otherwise, the BS knows that some node in this group has been compromised, and it discards this group aggregate.
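The whole SDAP round from tree construction to the BS-side decision, as an added example that is not code from the SDAP paper or the presentation: a constructed tree, seed-driven probabilistic grouping, per-group SUM aggregates with a MAC under the leader's individual key, Grubbs' test on the group averages at the BS, and attestation by recomputing the suspicious group's aggregate from the readings its members send back. The grouping function (leader if H(Sg || id), read as a fraction, is below target_size / count), the SUM aggregate, the omitted encryption step, the key derivation and the readings are assumptions of this example; the Grubbs critical values are the standard two-sided alpha = 0.05 table.

```python
import hashlib, hmac, math, struct

# Constructed topology (not from the SDAP paper): node 0 is the base station,
# PARENT holds the parent pointers set by the tree-construction broadcast.
BS = 0
PARENT = {1: 0, 2: 0, 3: 0, 4: 1, 5: 1, 6: 2, 7: 2, 8: 3, 9: 4, 10: 4, 11: 5,
          12: 6, 13: 7, 14: 8, 15: 8, 16: 9, 17: 11, 18: 12, 19: 13, 20: 14}
READINGS = {n: 20.0 + ((n * 7) % 5) / 10.0 for n in PARENT}  # constructed honest readings
# Individual key each node shares with the BS (assumed pre-distributed); the BS
# entry covers the case where the BS itself leads otherwise ungrouped nodes.
NODE_KEY = {n: hashlib.sha256(b"K_bs|%d" % n).digest() for n in [BS, *PARENT]}

def children_of(parent):
    kids = {}
    for node, p in parent.items():
        kids.setdefault(p, []).append(node)
    return kids

def subtree_counts(parent):
    """Count value a node reports upwards: size of its subtree, itself included."""
    kids, counts = children_of(parent), {}
    def visit(node):
        counts[node] = 1 + sum(visit(c) for c in kids.get(node, []))
        return counts[node]
    for root in kids.get(BS, []):
        visit(root)
    return counts

def select_groups(parent, seed, target_size):
    """Seed-driven probabilistic grouping (simplified stand-in for SDAP's grouping
    function): an ungrouped node x becomes a leader when H(Sg || x), read as a
    fraction in [0, 1), is below target_size / count_x, so heads of large subtrees
    are rarely leaders, leaves always are, and a new Sg rotates the leaders.
    Nodes no leader claims are aggregated directly by the BS."""
    kids, counts, groups = children_of(parent), subtree_counts(parent), {}
    def walk(node, leader):
        if leader is None:
            h = hashlib.sha256(struct.pack(">QI", seed, node)).digest()
            if int.from_bytes(h[:8], "big") / 2 ** 64 < target_size / counts[node]:
                leader = node
        groups.setdefault(BS if leader is None else leader, []).append(node)
        for c in kids.get(node, []):
            walk(c, leader)
    for root in kids.get(BS, []):
        walk(root, None)
    return groups

def leader_packet(leader, total, count, key):
    """Flag-1 packet: leader id, aggregate, count, MAC under the leader's key
    (SDAP additionally encrypts the aggregate; omitted here)."""
    body = struct.pack(">IdI", leader, total, count)
    return {"id": leader, "agg": total, "count": count,
            "mac": hmac.new(key, body, hashlib.sha256).digest()}

def aggregate(groups, readings, forged=None):
    """In-group SUM aggregation; forged=(leader, value) models a compromised
    leader that replaces its group's aggregate and MACs the forgery correctly."""
    packets = {}
    for leader, members in groups.items():
        total = forged[1] if forged and leader == forged[0] else sum(readings[m] for m in members)
        packets[leader] = leader_packet(leader, total, len(members), NODE_KEY[leader])
    return packets

# Two-sided Grubbs critical values at alpha = 0.05 (standard table).
GRUBBS_CRIT = {3: 1.155, 4: 1.481, 5: 1.715, 6: 1.887, 7: 2.020, 8: 2.127,
               9: 2.215, 10: 2.290, 11: 2.355, 12: 2.412, 13: 2.462, 14: 2.507,
               15: 2.549, 16: 2.585, 17: 2.620, 18: 2.651, 19: 2.681, 20: 2.709}

def grubbs_outlier(values):
    """Index of the most extreme value if Grubbs' test rejects it, else None."""
    n = len(values)
    if n not in GRUBBS_CRIT:
        return None
    mean = sum(values) / n
    sd = math.sqrt(sum((v - mean) ** 2 for v in values) / (n - 1))
    if sd == 0:
        return None
    i = max(range(n), key=lambda k: abs(values[k] - mean))
    return i if abs(values[i] - mean) / sd > GRUBBS_CRIT[n] else None

def attest(packet, member_readings, key):
    """BS side: rebuild aggregate, count and MAC from the readings returned along
    the attestation path; accept only if all three match. A compromised leader
    can MAC its forgery, so the recomputed aggregate, not the MAC, exposes it."""
    rebuilt = leader_packet(packet["id"], sum(member_readings.values()), len(member_readings), key)
    return (math.isclose(rebuilt["agg"], packet["agg"]) and rebuilt["count"] == packet["count"]
            and hmac.compare_digest(rebuilt["mac"], packet["mac"]))

def run(seed, target_size=3, forged=None):
    """One round: group, aggregate, screen group averages with Grubbs' test,
    attest the suspicious group and discard it if attestation fails."""
    groups = select_groups(PARENT, seed, target_size)
    packets = aggregate(groups, READINGS, forged)
    leaders = sorted(packets)
    suspect = grubbs_outlier([packets[l]["agg"] / packets[l]["count"] for l in leaders])
    accepted = dict(packets)
    if suspect is not None and leaders[suspect] != BS:
        l = leaders[suspect]
        members = {m: READINGS[m] for m in groups[l]}  # readings collected during attestation
        if not attest(packets[l], members, NODE_KEY[l]):
            del accepted[l]
    return groups, accepted
```

A compromised leader holds its own key, so the MAC over a forged aggregate verifies; what catches it is that the BS rebuilds the aggregate from readings the members sent back and compares. An honest group that Grubbs' test happens to flag passes attestation and is kept, which is the "not simply eliminating outliers" property. Grubbs' test also needs at least four groups before it can reject anything at all (for n = 3 the critical value equals the largest statistic possible), one reason to keep groups numerous and roughly even.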
4. Intrusion Detection in a WSN — Extended Kalman Filter-Based Secure Aggregation for a WSN
EKF-Based Secure Aggregation
In a WSN, consecutive observations of sensor nodes are usually highly correlated in the time domain. This correlation, along with the collaborative nature of WSNs, makes it possible to predict future observed values based on previous values.
[16] B. Sun et al., "Integration of Secure In-Network Aggregation and System Monitoring for Wireless Sensor Networks," IEEE ICC '07, Glasgow, U.K., June 2007, proposed a viable approach to estimate aggregated in-network values.
Assumptions
The majority of nodes around some unusual events are not compromised.
Falsified data transmitted by the compromised node is significantly different from the real value.
Process overview
1. A node broadcasts its reading or aggregate; nearby nodes overhear it.
2. Each overhearing node applies the EKF and compares the predicted and overheard values.
   Inconsistency rate under the threshold: system normal.
   Inconsistency rate over the threshold: wake the other nodes residing around the sender.
3. The awakened nodes apply the EKF and compare the values (this step may be repeated many times).
   Inconsistency rate under the threshold: system normal.
   Inconsistency rate over the threshold: system abnormal.
EKF-Based Secure Aggregation for a WSN
By setting a proper process model and measurement model for the WSN, we can use the EKF to obtain an accurate estimate.
Time update and measurement update equations are also required.
Process model (terms): x_{k+1}, the real value at time t_{k+1}; the function representing the change from x_k to x_{k+1}; w_k, the process noise at time t_k.
Measurement model (terms): z_k, the measured value at time t_k; the function relating x_k and z_k; v_k, the measurement noise at time t_k.
Time update equations
State estimate equation (terms): x̂⁻_{k+1}, the a priori estimate of x_{k+1} at time t_{k+1}; the function relating x_k to x_{k+1}.
Error projection equation (terms): P⁻_{k+1}, the a priori estimate error at time t_{k+1}; the variance of w_k (process noise at time t_k).
Applying a first-order Taylor series approximation to F(x).
Measurement update equations
Kalman gain (terms): K_{k+1}, the Kalman gain at time t_{k+1}; P⁻_{k+1}, the a priori estimate error at time t_{k+1}; the variance of v_k (measurement noise) at time t_k.
Error covariance update (terms): P⁺_{k+1}, the a posteriori estimate error at time t_{k+1}; P⁻_{k+1}, the a priori estimate error at time t_{k+1}.
Estimate update with the measurement z_{k+1} (terms): x̂⁺_{k+1}, the a posteriori estimate at time t_{k+1}; the difference between the measured value z_{k+1} and the a priori estimate x̂⁻_{k+1} (the innovation).
The time update equations are responsible for predicting the real value (x̂⁻_{k+1}) and the estimate error (P⁻_{k+1}) in order to obtain an a priori estimate at the next time step (t_{k+1}).
The measurement update equations are responsible for incorporating z_{k+1} into the a priori estimate to obtain a statistically optimal a posteriori estimate (x̂⁺_{k+1}).
Verification
Node A, overhearing node B:
1. Receives z_{k+1} sent by B.
2. Using x̂⁺_k obtained at time t_k, computes x̂⁻_{k+1}.
3. Computes |x̂⁻_{k+1} − z_{k+1}|.
4. If this value is smaller than the preset threshold, there is no anomaly.
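The overhearing check as an added example that is not code from the Sun et al. paper or the presentation: a scalar EKF with the time and measurement update equations written out in its comments, a monitor that flags an overheard broadcast whose innovation |x̂⁻_{k+1} − z_{k+1}| exceeds a threshold, and an alarm when the inconsistency rate over a sliding window exceeds the rate threshold. The process and measurement models passed in are identity functions with their derivatives, so for this constructed model the EKF reduces to a plain Kalman filter; the noise variances, both thresholds, the window and the two data streams (honest slow warming, then a neighbour that starts broadcasting a fixed false value) are constructed. Flagged values are not folded into the estimate, an assumption of this example that keeps a compromised neighbour from dragging the filter towards its forgery.

```python
import random

class ScalarEKF:
    """Scalar extended Kalman filter. f, F: process model and its derivative;
    h, H: measurement model and its derivative; q, r: variances of the process
    noise w_k and measurement noise v_k. x_minus/p_minus hold the a priori
    estimate and error variance, x/p the a posteriori ones (slide notation)."""
    def __init__(self, x0, p0, f, F, h, H, q, r):
        self.x, self.p = x0, p0
        self.f, self.F, self.h, self.H, self.q, self.r = f, F, h, H, q, r

    def predict(self):
        """Time update: x^-_{k+1} = f(x^+_k);  P^-_{k+1} = F(x^+_k)^2 P^+_k + q,
        with F the first-order Taylor (derivative) term of f."""
        self.x_minus = self.f(self.x)
        self.p_minus = self.F(self.x) ** 2 * self.p + self.q
        return self.x_minus, self.p_minus

    def update(self, z):
        """Measurement update: K = P^- H / (H^2 P^- + r);
        x^+ = x^- + K (z - h(x^-));  P^+ = (1 - K H) P^-."""
        Hk = self.H(self.x_minus)
        K = self.p_minus * Hk / (Hk * Hk * self.p_minus + self.r)
        self.x = self.x_minus + K * (z - self.h(self.x_minus))
        self.p = (1 - K * Hk) * self.p_minus
        return self.x

    def reject(self):
        """Distrusted measurement: carry the a priori estimate forward unchanged."""
        self.x, self.p = self.x_minus, self.p_minus


def monitor(overheard, innovation_threshold=1.0, window=10, rate_threshold=0.5):
    """Node A watching neighbour B: predict B's next value, compare it with the
    overheard broadcast z_{k+1}, and raise an alarm when the inconsistency rate
    over the last `window` broadcasts exceeds rate_threshold. Waking further
    neighbours for the second-stage check is left to the caller."""
    ekf = ScalarEKF(x0=overheard[0], p0=1.0, f=lambda x: x, F=lambda x: 1.0,
                    h=lambda x: x, H=lambda x: 1.0, q=1e-3, r=2e-2)
    flags = []
    for k, z in enumerate(overheard[1:], start=1):
        x_pred, _ = ekf.predict()
        inconsistent = abs(x_pred - z) > innovation_threshold
        flags.append(inconsistent)
        if inconsistent:
            ekf.reject()
        else:
            ekf.update(z)
        recent = flags[-window:]
        if len(recent) == window and sum(recent) / window > rate_threshold:
            return {"alarm": True, "step": k, "estimate": ekf.x}
    return {"alarm": False, "step": None, "estimate": ekf.x}


def honest_stream(n, seed=1):
    """Constructed: a slowly warming temperature plus bounded sensor noise."""
    rng = random.Random(seed)
    return [20.0 + 0.02 * k + rng.uniform(-0.2, 0.2) for k in range(n)]

def attacked_stream(n, start=15, forged=35.0, seed=1):
    """Constructed: B is compromised at `start` and keeps broadcasting a false value."""
    honest = honest_stream(n, seed)
    return honest[:start] + [forged] * (n - start)

if __name__ == "__main__":
    print("honest  ", monitor(honest_stream(30)))
    print("attacked", monitor(attacked_stream(30)))
```

With the forgery starting at step 15 and a window of 10, the rate first exceeds 0.5 at step 20, and the estimate still reflects the honest readings because the rejected broadcasts never entered the update. The same mechanism treats a genuine sudden event exactly like an attack, which is why the slide's flow wakes the surrounding nodes and relies on the assumption that most of them are honest before declaring the system abnormal.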
Simulation
5. Conclusion
Intrusion detection systems, if well designed, can effectively identify malicious activities and help to offer adequate protection.
IDSs for both MANETs and WSNs require a distributed architecture and the collaboration of nodes to make accurate decisions.
Solutions must consider resource constraints in terms of computation, energy, memory, and communication.