Alert Aggregation in Mobile Ad-Hoc Networks
By
Bo Sun, Kui Wu, Udo W. Pooch
Background
• MANET - Mobile Ad-hoc NETwork
• Routing in MANETs is difficult
– mobility causes frequent network topology changes
– When network nodes move, established paths may break and the routing protocol must dynamically search for other feasible routes
• Protection of routes from malicious agents is tough!
Proposed technique
• Protection of routing protocols in MANETs using
– Non-overlapping Zone-Based Intrusion Detection System for MANETs (ZBIDS)
• Alert Aggregation algorithm that provides low false alarms
Threat Model
• Attacker: 1
• Victims: 2, 3, 4, 7, 8
• Attacker Objective: 3
[Figure: network topology with nodes 1-8; a falsified RREP carrying the node list {2,4,9,7,1,5,3} is shown]
Assumptions
• Network can be divided into non-overlapping zones
• Local IDS agent is tamper resistant
• Attacker uses fake address; but does not change it dynamically
ZBIDS Framework
• Gateway nodes 4, 7, 8
• Intra-zone nodes report to gateway nodes
IDS Agent
Determination of P
• Determination of P depends on
– Attack intensity, attack time, node placement
• If P is low
– Gateway nodes can detect attacks => high false positive
• Else
– Gateway nodes can miss attacks => low false positive
• Determine_p: P = ht * ptest + ha * Pattack
Where ht and ha are the false positive ratio and detection ratio
Alert Aggregation
• Alert Aggregation algorithm
– Detection sensitivity decreases with the increase in the number of attackers
– How about colluding attacks?
Performance Metrics
• False Positive Ratio: percentage of decisions in which normal alert aggregations are flagged as anomalous
• Detection ratio: number of gateway nodes raising correct alarms divided by total number of gateway nodes which should raise alarms in the anomalous data
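The slides describe the threshold trade-off (a low P catches more attacks but raises more false positives) and define the two metrics, but do not show them computed. The following is an added example, not code from the paper or the ZBIDS authors: gateways aggregate the local alerts forwarded from their zone, compare the fraction of zone members reporting a suspect against P, and the two slide metrics are computed over the resulting decisions. The zone membership, the alert records and the sweep values are constructed for illustration; the gateway ids 4, 7, 8 and the attacker id 1 follow the slides. `determine_p` implements the slide formula, and its `p_test` / `p_attack` inputs are assumed to be per-alert probabilities because the slides do not define them.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """A local IDS alert forwarded by an intra-zone node to its gateway."""
    reporter: int   # node whose local IDS agent raised the alert
    suspect: int    # address the reporter believes is misbehaving
    gateway: int    # gateway node of the reporter's zone


def determine_p(h_t: float, h_a: float, p_test: float, p_attack: float) -> float:
    """Threshold from the slides: P = ht * ptest + ha * Pattack.

    ht and ha are the local agents' false positive ratio and detection ratio.
    p_test and p_attack are ASSUMED to be per-alert probabilities under normal
    and attack traffic; the slides name them but do not define them.
    """
    return h_t * p_test + h_a * p_attack


def aggregate(alerts: Iterable[Alert], zones: Dict[int, Set[int]]) -> Dict[Tuple[int, int], float]:
    """Per (gateway, suspect): fraction of the zone's members that reported the suspect.

    Counting distinct reporters rather than raw alerts keeps one noisy node from
    inflating the score by repeating itself.
    """
    reporters: Dict[Tuple[int, int], Set[int]] = defaultdict(set)
    for a in alerts:
        if a.reporter not in zones[a.gateway]:
            # Non-overlapping zones: a gateway only accepts reports from its own members.
            raise ValueError(f"node {a.reporter} is not in the zone of gateway {a.gateway}")
        reporters[(a.gateway, a.suspect)].add(a.reporter)
    return {key: len(r) / len(zones[key[0]]) for key, r in reporters.items()}


def evaluate(alerts: List[Alert], zones: Dict[int, Set[int]], attackers: Set[int],
             should_alarm: Set[int], p: float) -> Tuple[float, float]:
    """Return (detection ratio, false positive ratio) for threshold p.

    Detection ratio: gateways raising a correct alarm / gateways that should alarm.
    False positive ratio: aggregation decisions on a normal node flagged anomalous /
    all aggregation decisions on normal nodes.
    """
    support = aggregate(alerts, zones)
    correct_gateways: Set[int] = set()
    normal_decisions = 0
    false_alarms = 0
    for (gateway, suspect), fraction in support.items():
        flagged = fraction >= p
        if suspect in attackers:
            if flagged and gateway in should_alarm:
                correct_gateways.add(gateway)
        else:
            normal_decisions += 1
            if flagged:
                false_alarms += 1
    detection = len(correct_gateways) / len(should_alarm) if should_alarm else 0.0
    fpr = false_alarms / normal_decisions if normal_decisions else 0.0
    return detection, fpr


# Constructed scenario (not from the paper): zone members per gateway, one attacker,
# and the gateways whose zones actually observed the attack.
ZONES: Dict[int, Set[int]] = {4: {2, 3}, 7: {5, 6}, 8: {9, 10, 11}}
ATTACKERS: Set[int] = {1}
SHOULD_ALARM: Set[int] = {4, 7}
SAMPLE_ALERTS: List[Alert] = [
    Alert(reporter=2, suspect=1, gateway=4),   # both members of zone 4 see the attack
    Alert(reporter=3, suspect=1, gateway=4),
    Alert(reporter=5, suspect=1, gateway=7),   # only one member of zone 7 sees it
    Alert(reporter=5, suspect=6, gateway=7),   # node 5 also misjudges its normal peer 6
    Alert(reporter=9, suspect=10, gateway=8),  # zone 8 is not attacked; two noisy reports
    Alert(reporter=10, suspect=9, gateway=8),
]


def sweep(p_values: Iterable[float]) -> Dict[float, Tuple[float, float]]:
    """Metrics for each threshold, showing the low-P / high-P trade-off from the slides."""
    return {p: evaluate(SAMPLE_ALERTS, ZONES, ATTACKERS, SHOULD_ALARM, p) for p in p_values}


if __name__ == "__main__":
    for p, (det, fpr) in sweep([0.2, 0.4, 0.75]).items():
        print(f"P={p:.2f}  detection ratio={det:.2f}  false positive ratio={fpr:.2f}")
```

Running the sweep reproduces the slide's point on this constructed data: at P = 0.2 every gateway that should alarm does, but every normal node with a single noisy report is also flagged; at P = 0.75 there are no false positives, but gateway 7, where only half the zone observed the attack, misses it.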