A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks
TRUST, Berkeley Meetings, March 19-21, 2007
Adrian P. Lauf, Richard A. Peters and William H. Robinson
April 2-3, 2008
Outline
Motivation
Methods
Results
Application to SCADA
"A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson, April 2-3, 2008
What is HybrIDS?
Hybrid, Distributed, Embeddable IDS (HybrIDS)
Identify deviant activity on an ad-hoc network
Distributed implementation strategy
Utilize multiple detection strategies
– Zero-knowledge phase
– Calibration-based phase
Function on resource-constrained devices
Integrate with SCADA (Supervisory Control And Data Acquisition) networks
Why HybrIDS for SCADA?
SCADA implementations are becoming increasingly less localized
Wireless and IP-based networks expose SCADA to a significantly larger attack surface
Sensor/actuator nodes have no inherent security built in
HybrIDS is designed with scalability in mind
Why is HybrIDS different?
It is decentralized
– Reduces dependence on a single system
– Reduces power consumption and compute-intensive operations per node
– Allows for group consensus decisions
– Each unit maintains its own model of the world, which reduces the chance of tampering with a centralized system
It suits resource-constrained devices
– Runs well on embedded Linux platforms
It is portable
– Uses abstraction to eliminate context exclusivity
– Coded in Java for enhanced portability
It is adaptable: HybrIDS can abstract many ad-hoc network scenarios
– Autonomous aircraft networks and avionic protocols (ADS-B)
– Swarm-based microrobotics
– Self-contained sensor nodes
What can HybrIDS do?
Identify single or multiple anomalies on an ad-hoc network
Adaptable to various attack configurations
– DoS
– Timed attacks
– Command injection
– Network disruption
Locate deviant nodes with zero prior knowledge of the system architecture
Adapt to system changes in a scalable manner
Methods
Simplifying by Abstraction
Node interactions classified by labels
Interaction histories recorded
– Each node maintains action histories from its point of view
Abstraction permits context independence
– Applicable to any system using predetermined actions
Example interaction-history table (action counts recorded per node):

          Action 1   ...   Action n-1   Action n
Node 1           1                 30         25
Node 2           2                 32         20
Node 3           1                 50         22
Node 4          12                  2         80
Why a hybrid approach?
Phase 1 requires no training data
– Can isolate a single anomaly
Phase 2 requires training data
– Can detect multiple anomalies
– More flexible to system changes
(Figure: Phase 1 followed by Phase 2 along a time progression)
Detection Method: Maxima Analysis: Setup
Histograms formed for each connected node
– Node A will track B, C, and D.
Average system behavior obtained by averaging across the observed nodes (Σ/(n−1))
Bins correspond to action labels
Data must be normalized to a distribution
– E.g. Gaussian, Chi-squared
(Figure: one histogram over the action labels per observed node; the histograms are averaged into the average behavioral PDF for the system)
Maxima Detection Algorithm
The resultant vector yields an approximate PDF
Find the global maximum and exclude it
Identify and mark the local maxima
Each local maximum yields a likely intrusion-motivated behavior
Reverse-map that label to the node in which it occurs most frequently
Detection Method: Cross-correlation
(Figure: each node's label histogram is cross-correlated with the average PDF obtained as Σ/(n−1) over the observed nodes, yielding a per-node score)
Score Analysis
Average score is computed
Each score is compared to the average
Deviance determined by a threshold
(Figure: threshold setting; per-node scores plotted against node number, with threshold bounds around the mean score line and the suspected deviant node falling outside them)
Threshold Requirements
Threshold varies for each scenario
– Representative of the percentage deviation required for suspicion of a node
Variability of thresholds is a weakness of CCIDS
– Can cause generation of false positives
– Reduced by selecting a proper threshold
– A minimal baseline threshold is possible, but then the system may never converge
Required Thresholds for Proper Detection (CCIDS)
Deviant node pervasion yields a linear change in threshold
Number of nodes has negligible impact on threshold requirements
0.2 represents 100% deviation in this figure
– Detects only nodes that vary significantly
0.02 represents a 10% deviation
– More sensitive to smaller node deviations
Selecting Detection Phases
HybridState object determines if the transition point has been reached
If one of the results from CCIDS matches a suspected node from MDS, a match is considered found
Transitioning between phases
Increasing the deviant node pervasion requires more tuning cycles
Threshold adjusted once per tuning cycle
Figure represents an average for all node sizes
– Number of transition cycles is independent of node cluster size
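As an added example, not part of the original slides or of the authors' Java implementation, the following Python models the pipeline that the Methods slides describe end to end: the per-node action-count histories from "Simplifying by Abstraction", the maxima detection algorithm (MDS), the cross-correlation score compared against the mean with a threshold (CCIDS), and a HybridState-style tuning loop that loosens the threshold once per cycle until a CCIDS result matches an MDS suspect. The histories are constructed; the choice of cosine similarity as the normalized cross-correlation score, the two-sided relative threshold, the starting threshold and step size, and every function name are assumptions made for this illustration.

```python
# Added illustration of the HybrIDS two-phase detection idea (MDS, then CCIDS
# with a tuned threshold).  Not the authors' code; see the lead-in for assumptions.
from math import sqrt

# Constructed interaction histories as seen from one observer node: how many
# times each peer performed each abstract action label 0..5.  Peer "E" floods
# label 5 (e.g. a repeated command request); the other peers share one profile.
HISTORIES = {
    "A": [42, 24, 15, 8, 4, 2],
    "B": [39, 26, 14, 9, 3, 2],
    "C": [41, 25, 16, 7, 4, 1],
    "D": [40, 24, 15, 8, 5, 3],
    "E": [15, 10, 8, 5, 4, 40],   # deviant peer (constructed)
    "F": [38, 26, 15, 8, 4, 2],
}


def to_pdf(hist):
    """Normalise a histogram of action counts to a probability distribution."""
    total = float(sum(hist))
    return [c / total for c in hist]


def average_pdf(histories):
    """Average behavioural PDF across all observed nodes (the sigma/(n-1) step)."""
    pdfs = [to_pdf(h) for h in histories.values()]
    n = len(pdfs)
    return [sum(p[i] for p in pdfs) / n for i in range(len(pdfs[0]))]


def maxima_suspects(histories):
    """Phase 1 (MDS): exclude the global maximum of the average PDF, mark the
    remaining strict local maxima, and reverse-map each such label to the node
    that performed it most often.  Returns (suspect_labels, suspect_nodes)."""
    avg = average_pdf(histories)
    global_max = max(range(len(avg)), key=avg.__getitem__)
    labels = []
    for i, v in enumerate(avg):
        if i == global_max:
            continue
        left = avg[i - 1] if i > 0 else float("-inf")
        right = avg[i + 1] if i + 1 < len(avg) else float("-inf")
        if v > left and v > right:
            labels.append(i)
    nodes = {max(histories, key=lambda n: histories[n][lbl]) for lbl in labels}
    return labels, nodes


def correlation_scores(histories):
    """Phase 2 (CCIDS): score each node by the normalised zero-lag
    cross-correlation (cosine similarity) of its PDF with the average PDF."""
    avg = average_pdf(histories)
    norm_avg = sqrt(sum(x * x for x in avg))
    scores = {}
    for node, hist in histories.items():
        p = to_pdf(hist)
        dot = sum(a * b for a, b in zip(p, avg))
        scores[node] = dot / (sqrt(sum(x * x for x in p)) * norm_avg)
    return scores


def deviant_nodes(scores, threshold):
    """Flag nodes whose score lies outside two-sided bounds around the mean
    score; `threshold` is the allowed deviation as a fraction of the mean."""
    mean = sum(scores.values()) / len(scores)
    return {n for n, s in scores.items() if abs(s - mean) / mean > threshold}


def tune_threshold(histories, start=0.5, step=0.05):
    """HybridState-style transition: loosen the CCIDS threshold once per tuning
    cycle until a CCIDS result matches a node suspected by MDS.  Returns
    (threshold, cycles, flagged), or (None, cycles, set()) if it never converges."""
    _, mds = maxima_suspects(histories)
    scores = correlation_scores(histories)
    threshold, cycles = start, 0
    while threshold > 0:
        cycles += 1
        flagged = deviant_nodes(scores, threshold)
        if flagged & mds:
            return threshold, cycles, flagged
        threshold -= step
    return None, cycles, set()


if __name__ == "__main__":
    print("MDS suspects:", maxima_suspects(HISTORIES))
    scores = correlation_scores(HISTORIES)
    print("CCIDS flagged at 0.2:", deviant_nodes(scores, 0.2))
    print("CCIDS flagged at 0.02:", deviant_nodes(scores, 0.02))
    print("tuned threshold, cycles, flagged:", tune_threshold(HISTORIES))
```

With this data the averaged PDF has its global maximum at label 0 and a single remaining local maximum at label 5, which reverse-maps to E. CCIDS scores E at roughly 0.62 against about 0.98 for the others; a threshold of 0.2 flags only E, while 0.02 flags every node, which is the false-positive problem the "Threshold Requirements" slide warns about. Starting at 0.5 and loosening by 0.05 per cycle, the tuning loop needs five cycles before the CCIDS result first agrees with the MDS suspect.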
HybrIDS Implementation
Implemented in Java 5 (1.5)
– Introduces code portability
ARM9 development board target
2.73 KB memory footprint for a 35-agent system with 10 behaviors
– MDS and CCIDS use a shared data structure
Storage footprint less than 46 KB
Flexible interface implementation
– TCP/UDP for network interface
– Disk-based access for simulation
– RS-232/serial interface possible
Results
Analysis of HybrIDS Performance
HybrIDS can reliably detect deviant nodes up to 22% pervasion
25% pervasion and up removes the element of determinacy
Scalability by percentage pervasion
– Number of nodes in the cluster does not affect scalability concerns
Graph includes total time: MDS, transition and CCIDS cycles
Operational Footprint
HybrIDS with its JVM uses 5MB of application memory (Linux 2.6.22)
Maximum power requirement is 5 watts + idle power of ARM9 platform
Application to SCADA
HybrIDS and SCADA
HybrIDS is optimized for homogeneous ad-hoc networks
While heterogeneous as a whole, SCADA contains homogeneous components that can exploit HybrIDS's potential
HybrIDS can operate on RTU (Remote Terminal Unit) nodes within the SCADA infrastructure
HybrIDS and SCADA (cont'd)
SCADA is migrating increasingly to vulnerable network infrastructures
– WAN
– WLAN
HybrIDS can be used to detect attack methods on these networks
– DDoS and packet drops alter interaction request frequencies
– Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes
Conclusion
HybrIDS provides a flexible IDS framework for ad-hoc networks
Distributed nature allows for seamless integration and reliability
Can easily integrate into existing frameworks, such as SCADA
Offers scalable performance for multiple anomaly detection
(Figure: ARM9 development platform)