Event Stream Processing for Intrusion Detection in ZigBee Home Area Networks
Sandra Pogarcic, Samujjwal Bhandari, Kedar Hippalgaonkar, and Susan Urban
Motivation
Because the ZigBee Protocol was designed for efficiency rather than security, it has an easily exploited communication protocol
Use artificial intelligence to make a self-healing system, which dynamically discovers new cyber attacks based off of similar attacks
References:
[1] Urban S.D. and Sridharan M. 2011. CSR: Small: Adaptive Event Stream Processing. [NSF Grant No.: CNS-1005212, proposal for Software Engineering Research].
[2] Anderson, R. 2001. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, New York.
[3] Intelligent Event Processor (IEP) User's Guide. Sun Microsystems, Inc. Santa Clara, CA 2009.
[4] Ploeg, J. ZigBee. 2006-2008. Taken from: http://www.specifications.nl/zigbee/zigbee_UK.php
This research is supported by NSF Grant No. CNS 1005212 & ECCS-1040161. Opinions, findings, conclusions, or recommendations expressed in this paper are those of the author(s) and do not necessarily reflect the views of NSF.
TTU 2012 NSF Research Experiences for Undergraduates Site Project
Figure 2: ZigBee Packet and architecture [4]
Objectives:
Detect attacks in a ZigBee environment
Understand and exploit the vulnerabilities in the ZigBee stack protocol:
    Flood Attack
    Back-Off Manipulation
Analyze ZigBee packets from the hardware simulation to develop static rules for detection of attack scenarios
Experiment with the use of event processing technology to detect attack scenarios
Intelligent Event Processing
Graphical open-source software that performs functions on events provided in streams and relational data tables
IEP uses message binding to import external data, such as text files, for processing
IEP has several graphical operators that can perform functions on micro events
The operators pass data on to other operators if the stream meets the query's condition
Input and Output operators are mandatory, but more complex rules can be made by refining the conditions for what reaches the output
If something reaches the output under the rules that you set, that particular sequence of events has occurred
Event Stream Processing
The detection of patterns from a data set or a data stream, which signify that an event has occurred
Can be used to create patterns or rules from pre-existing data, which can be refined to predict similar event behavior
Used here to create meta data, or domain specific rules, which will be combined with probability to dynamically define emerging attack patterns
Smart Grid
The Smart Grid is the next step in modernizing the electrical system to fit the rising demand for energy. It has an interconnected, two-way communication system built into its infrastructure. Data and energy can dynamically be transferred through multiple pathways.
Home Area Network (HAN)
ZigBee
Wireless technology that is built on and expands the IEEE 802.15.4 standard
Has a unanimous data standard
Low cost and low power consumption
Compatible with intrusion detection technologies
Supports large network communication infrastructure
ZigBee network parallels Smart Grid infrastructure
My Research
Apply event stream processing technology to flood attack and back-off time manipulation intrusion scenarios
Identify static rules from ZigBee packets
Ex: Flood Attack Pattern
    If Source Addressing Mode = 11, then there is an Association protocol in place
    If the Intra Pan field = 0, then the Association Protocol is an Association Request (a device is trying to join the network)
    If this behavior happens approximately 4 times within a minute, then there is a likely chance of a flood attack
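The flood attack rule above can be written as a sliding-window check over captured frames. The following is an added example, not code from the poster or from IEP; it assumes the two fields are read from the IEEE 802.15.4 Frame Control Field (Intra PAN at bit 6, Source Addressing Mode at bits 14-15), and the function names and sample frames are constructed for illustration.

```python
from collections import deque

WINDOW_S = 60.0  # "within a minute" (poster's rule)
THRESHOLD = 4    # "approximately 4 times" (poster's rule)

# Constructed sample frames: 2-byte Frame Control Field plus a sequence number.
ASSOC_REQ = bytes.fromhex("23c801")   # FCF 0xC823: source mode 11, Intra PAN 0
DATA_FRAME = bytes.fromhex("618802")  # FCF 0x8861: source mode 10, Intra PAN 1

def parse_fcf(frame: bytes) -> dict:
    """Decode the fields the rule needs from the little-endian FCF."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control Field")
    fcf = int.from_bytes(frame[:2], "little")
    return {"intra_pan": (fcf >> 6) & 0x1, "src_addr_mode": (fcf >> 14) & 0x3}

def is_association_request(frame: bytes) -> bool:
    """Poster's static rule: Source Addressing Mode = 11 and Intra PAN = 0."""
    fields = parse_fcf(frame)
    return fields["src_addr_mode"] == 0b11 and fields["intra_pan"] == 0

def detect_flood(events, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return timestamps at which the windowed match count reaches the threshold.

    events: iterable of (timestamp_seconds, frame_bytes), sorted by time.
    """
    recent, alerts = deque(), []
    for ts, frame in events:
        try:
            if not is_association_request(frame):
                continue
        except ValueError:
            continue  # truncated capture: skip rather than abort the stream
        recent.append(ts)
        while ts - recent[0] > window_s:  # expire matches older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts

# Constructed event stream: four matching frames in 30 s, then sparse traffic.
SAMPLE = [(0.0, ASSOC_REQ), (5.0, DATA_FRAME), (10.0, ASSOC_REQ), (20.0, ASSOC_REQ),
          (30.0, ASSOC_REQ), (100.0, ASSOC_REQ), (200.0, ASSOC_REQ)]

if __name__ == "__main__":
    print(detect_flood(SAMPLE))
```

The check keys only on the two fields named in the rule; a stricter detector would also confirm that the frame type is a MAC command before counting it.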
Figure 4: Parsed Zigbee Packet
Figure 5: Corresponding Packet in Wireshark, a packet analyzer
Figure 6: Basic input and output stream in IEP
Figure 7: Graphical representation of a Flood Attack Pattern
Figure 3: IEP Architecture [3]
Future Directions
Integrate event stream processing with the intrusion simulation
From simple patterns, dynamic intrusion detection rules or algorithms can be made using probability
Expand the JADE simulation to generate ZigBee packets for Event Stream Processing
Expand general rules into IEP rules
Figure 1: Smart Grid
Security Challenges
Less tested than other wireless technologies
Communication protocol manipulation to prevent message transmission
Network jamming
Physical layer attacks
New attacks, as yet unknown and therefore unaddressed, will continuously be developed
Same network key for multiple devices