SCALABLE AND EFFICIENT PROTOCOL FOR DETECTING INTRUSIONS IN WIRELESS AD-HOC NETWORKS - Printable Version
Free Academic Seminars And Projects Reports (https://easyreport.in), Computer Science Seminar Topics, thread https://easyreport.in/showthread.php?tid=41319

SCALABLE AND EFFICIENT PROTOCOL FOR DETECTING INTRUSIONS IN WIRELESS AD-HOC NETWORKS - ABHIJEET - 10-04-2017
[attachment=3700]

A SECURE, SCALABLE AND EFFICIENT PROTOCOL FOR DETECTING INTRUSIONS IN WIRELESS AD-HOC NETWORKS

Presented by:
Dr. V. V. Rao, Professor & HOD, Panimalar Engg. College, Chennai, Tamilnadu, India
L. Jaba Sheela, Asst. Professor, Panimalar Engg. College, Chennai, Tamilnadu, India
S. Vijayendran, PG Scholar, Panimalar Engg. College, Chennai, Tamilnadu, India

ABSTRACT

Intrusion detection has, over the last few years, assumed paramount importance within the broad realm of network security, more so in the case of wireless ad hoc networks. These are networks that do not have an underlying infrastructure; the network topology is constantly changing. The inherently vulnerable characteristics of wireless ad hoc networks make them susceptible to attacks, and it may be too late before any counter action can take effect. Second, with so much advancement in hacking, if attackers try hard enough they will eventually succeed in infiltrating the system. This makes it important to constantly (or at least periodically) monitor what is taking place on a system and look for suspicious behavior. In this paper, we present a secure, scalable and efficient protocol for detecting malicious and misbehaving nodes. The proposed protocol is distributed and cooperative with very low false positives.

1. INTRODUCTION

An ad-hoc network is a collection of autonomous nodes that communicate with each other by forming a multi-hop radio network and maintaining connectivity in a decentralized manner. Wireless ad-hoc networks are rapidly gaining popularity for the ease and flexibility of their deployment. The main applications of these networks are found in scenarios where it is difficult to install wired infrastructure, where wired networks are not cost effective, or where there is insufficient time to provision such infrastructure. Examples are battlefield communications, search and rescue operations, university campuses, sensor networks, etc. The rapid deployment of these networks has brought forward many security vulnerabilities that need to be addressed. Wireless ad-hoc networks are particularly exposed to attacks because of their open shared medium, dynamically changing topology, cooperative algorithms and lack of centralized monitoring and management. Unlike wired networks, ad-hoc networks require dynamic trust relationships between the nodes in the network.

Though there have been attempts in the literature [1] to design algorithms for detecting intrusions, either they are not designed with the properties of ad-hoc networks in view, or they are insecure, inefficient and perform badly in terms of high false positives. We utilize the redundancy and mobility provided by ad-hoc networks to design a secure, efficient and adaptable protocol for intrusion detection.

2. COMMON ATTACKS IN AD-HOC NETWORKS

1. Packet Dropping: Nodes out of range of each other depend on intermediate nodes to forward their packets. A malicious node can easily drop packets, thus seriously affecting communication in the network. This is particularly easy in current systems, as most allow filtering packets by MAC and IP address; an intelligent use of these filters allows the attack to be mounted practically on existing hardware. Detecting such an attack is made difficult by legitimate dropping due to congestion.

2. False Routing Information: In ad-hoc networks each node acts as a router. A malicious node can easily provide wrong routing information to an unsuspecting node and make all the traffic pass through it, or disrupt the communication entirely. Many security-aware routing protocols have been proposed to reduce such attacks. Wrong routing information can be due to a changing topology or to malicious intent; the challenge in detecting the attack is to compensate for the changing topology of the network.

3. Jamming: Jamming is a denial of service attack aimed at disrupting communication between nodes by capturing the wireless medium around them. The medium can be captured by flooding packets at the same frequency used by the target nodes. With this attack the targeted nodes can be completely cut off from the network. Again, one should prevent false alarms due to congestion.

4. Replay attacks: If a node is not able to forge or even decrypt packets, it may still replay old, outdated messages and hope to confuse the routing protocol or achieve goals similar to those of forged messages. In order to replay messages, they only need to be observed. A position on any particular path is not necessary, although it may be necessary to be in transmission range of the recipient when replaying the message.

5. Attacks on underlying encryption: IEEE 802.11 based networks use WEP for encryption. The pitfalls of the algorithm are very well known, and it virtually fails to provide any cryptographic security.

6. Masquerading/Spoofing: Protocols with insufficient authentication are vulnerable to spoofing. A node can impersonate a target node and falsely implicate it as malicious, or gain access to classified information. The use of cryptographic measures can minimize such attacks.

7. Eavesdropping: An outsider can listen to traffic and divulge the information to others.

8. Sybil Attack: Many protocols employ redundancy to counter the lack of a central authority and to protect the network from malicious attacks. These protocols assume that a malicious node cannot take multiple identities. A malicious node assuming multiple identities can easily defeat this redundancy: a good node that communicates with multiple nodes for the same information, to make use of the redundancy, may actually be communicating with a single node.

9. Insecure Protocols: Insecure protocols, i.e. protocols without authentication, can be attacked by outsiders.

3. RELATED WORK

Zhang and Lee [1] give an introduction to intrusion detection in wireless ad-hoc networks. They describe how the characteristics of wireless networks affect intrusion detection and list the differences between wired and wireless networks that make intrusion detection in ad-hoc networks more challenging. The authors also identify the assumption, made in any intrusion detection system, that malicious/intruder behavior is observable and can be distinguished from normal behavior. They propose a distributed and cooperative intrusion detection and response system. In their proposed architecture (Figure 1) every node participates in intrusion detection and response. Each IDS agent is responsible for detecting signs of intrusion locally and independently, but may cooperate with neighboring nodes to investigate over a broader range. The response can be configured to be both local and global.

Figure 1. The IDS architecture for wireless ad-hoc networks

The authors also present the conceptual view of an IDS agent, shown in Figure 2. The data collection module is responsible for collecting local audit traces and activity logs. Next, the local detection engine uses this data to detect local anomalies. Detection that needs broader data sets, or that requires collaboration between IDS agents, uses the cooperative detection engine. Intrusion response actions are provided by both a local response module and a global response module. Finally, a secure communication channel provides a high-confidence communication channel between nodes.

Figure 2. A conceptual model for an IDS agent

4. PROTOCOL

The protocol to detect malicious or misbehaving nodes consists of the following subcomponents: Monitor, Optimizer, Trust Manager, Trust Propagator and Whistle Blower. The trust management scheme is part of the Trust Manager and the Trust Propagator.

4.1 Monitor

The Monitor observes the neighboring nodes by passively listening to their communication and copying random packets to verify deviations from normal behavior. For example, to detect packet drops and modifications, the Monitor copies a packet going in to the neighboring node and checks the packet sent out by that node for drops and modifications. The collected data is audited for deviation from normal behavior. The deviation of a neighbor from normal behavior is used as the indicator of its unbiased degree of maliciousness. By unbiased we mean that the degree of maliciousness of a neighbor in a time interval is calculated independently of its past behavior. If the deviation exceeds the pre-set threshold, the Optimizer is called.

4.2 Optimizer

The Optimizer computes the majority consensus of the 1-hop neighbors of the accused about its behavior. Figure 3 shows the Optimizer mechanism. The Optimizer is optimal in terms of communication cost. Upon being activated by a local alarm, the accuser node challenges the offending node to verify its behavior as observed by its neighbors. The accused node, on receiving the challenge, responds by acknowledging the challenge and sending a verify-behavior message to all its neighbors. The respondents (neighbors) reply to this message by sending the observed value of the degree of maliciousness of the accused. The accused node calculates the group's trust in its behavior using these received values. The calculated group trust message is broadcast to the neighbors along with the received responses. The message contains an expiry time and is signed by the accused. All messages are cryptographically secured with public key cryptography, and they include timestamps to prevent replay attacks.

Figure 3. Optimizer

4.2.1 Group Trust Certificate

The group trust certificate is the recommendation of a group of nodes, to the other nodes in the network, about the behavior of the accused during a particular period of time. It is the basic trust entity exchanged in the network. For computing the group trust value from the received responses, any consensus-based scheme can be used.
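The Monitor and Optimizer steps described above, as an added example; this is not code from the paper or from the original post. It assumes packets are small dicts, that a neighbor's deviation is the fraction of the packets handed to it that it dropped or altered, that respondents are split at a maliciousness threshold with the larger side deciding (the majority scheme this section goes on to state), and that the accused signs the certificate it broadcasts. An HMAC under a demo key stands in for the public-key signature the paper specifies, because the Python standard library has no public-key signing. The thresholds, node names and observation lists are constructed for the example.

```python
"""Monitor + Optimizer: local alarm, challenge, neighbour responses, signed certificate."""
import hashlib
import hmac
import json
from statistics import mean

LOCAL_ALARM_THRESHOLD = 0.3     # assumed: deviation above this raises a local alarm at the accuser
MALICIOUS_THRESHOLD = 0.3       # assumed: splits respondents into accusing / defending groups
DEMO_KEY = b"demo-signing-key"  # stand-in for the accused node's private key (paper: public-key signature)


def degree_of_maliciousness(observations):
    """Monitor: fraction of packets handed to a neighbour that it dropped or modified.

    observations: list of (packet_given, packet_overheard) pairs from passive listening;
    packet_overheard is None when the neighbour never forwarded it. The value is
    computed for this interval only, independent of the neighbour's past behaviour.
    """
    if not observations:
        return 0.0
    bad = sum(1 for given, fwd in observations if fwd is None or fwd != given)
    return bad / len(observations)


def partition_majority(responses, threshold=MALICIOUS_THRESHOLD):
    """Split respondents (id -> observed degree) at the threshold; return the larger group.

    Ties go to the accusing side (an assumption; the paper does not say how ties are broken).
    """
    accusing = {n: d for n, d in responses.items() if d >= threshold}
    defending = {n: d for n, d in responses.items() if d < threshold}
    return accusing if len(accusing) >= len(defending) else defending


def group_trust(responses, threshold=MALICIOUS_THRESHOLD):
    """Group trust = absolute trust (1.0) minus the mean degree of maliciousness of the majority."""
    majority = partition_majority(responses, threshold)
    return round(1.0 - mean(majority.values()), 4)


def canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body, key=DEMO_KEY):
    """Stand-in signature: HMAC-SHA256 over the canonical JSON encoding of the body."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def issue_certificate(accused, responses, now, ttl, key=DEMO_KEY):
    """The accused builds the group trust certificate it broadcasts to its neighbours.

    It carries the responses it was computed from, an issue timestamp (anti-replay),
    an expiry time, and the accused's signature over all of that.
    """
    body = {
        "accused": accused,
        "responses": responses,
        "group_trust": group_trust(responses),
        "issued_at": now,
        "expires_at": now + ttl,
    }
    return {"body": body, "signature": sign(body, key)}


def optimizer_round(accuser_obs, neighbor_obs, accused, now, ttl=60):
    """Whole Optimizer exchange triggered by the accuser's local alarm.

    accuser_obs: the accuser's own observations of the accused this interval.
    neighbor_obs: respondent id -> that neighbour's observations of the accused.
    Returns None when the accuser's deviation is below the alarm threshold
    (no challenge is sent), otherwise the certificate the accused issues.
    """
    if degree_of_maliciousness(accuser_obs) < LOCAL_ALARM_THRESHOLD:
        return None
    # challenge -> verify-behaviour -> every neighbour reports its observed degree
    responses = {n: degree_of_maliciousness(obs) for n, obs in neighbor_obs.items()}
    return issue_certificate(accused, responses, now, ttl)


if __name__ == "__main__":
    # constructed sample: node M drops half of A's packets, alters most of B's, forwards C's intact
    def pkt(i):
        return {"seq": i, "payload": "x"}

    obs_a = [(pkt(i), pkt(i) if i % 2 else None) for i in range(10)]
    obs_b = [(pkt(i), {"seq": i, "payload": "tampered"} if i < 6 else pkt(i)) for i in range(10)]
    obs_c = [(pkt(i), pkt(i)) for i in range(10)]
    cert = optimizer_round(obs_a, {"A": obs_a, "B": obs_b, "C": obs_c}, accused="M", now=1000)
    print(json.dumps(cert, indent=2))
```

With the sample observations A reports 0.5, B 0.6 and C 0.0; the accusing side {A, B} is the majority, so the certificate carries a group trust of 1.0 - 0.55 = 0.45. Because the responses travel inside the signed certificate, any receiver can recompute that value and reject a certificate whose stated group trust does not follow from the responses it claims to summarise.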
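The Trust Manager's consistency check (4.2.2) followed by the update rule just given, as an added example; this is not the paper's code. It assumes a demo certificate layout (a signed body carrying the responses, the group trust value, an issue timestamp and an expiry) with an HMAC under a demo key standing in for the paper's public-key signature. $\alpha_1$ is computed from the weights and trust values of the majority respondents and $\alpha_3$ gates repeated certificates from the same group within a time window, following the definitions in this section; $W$, $\alpha_2$, $\delta$ and the window length are operator-supplied parameters here, since the paper gives no values for them, and the 0.4 / 0.9 classification thresholds are the ones used in section 6.

```python
"""Trust Manager: verify a received group trust certificate, then apply the update rule."""
import hashlib
import hmac
import json
from statistics import mean

MALICIOUS_THRESHOLD = 0.3       # assumed: splits respondents by their observed degree of maliciousness
CONFIRMED_INTRUSION = 0.4       # section 6: trust below this is a confirmed intrusion (global alarm)
TRUSTED_LEVEL = 0.9             # section 6: trust above this is trusted (no state kept)
DEMO_KEY = b"demo-signing-key"  # stand-in for the accused's signing key; HMAC replaces the public-key signature


def canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body, key=DEMO_KEY):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def majority(responses, threshold=MALICIOUS_THRESHOLD):
    """Larger of the two groups obtained by splitting respondents at the threshold (ties accuse)."""
    accusing = {n: d for n, d in responses.items() if d >= threshold}
    defending = {n: d for n, d in responses.items() if d < threshold}
    return accusing if len(accusing) >= len(defending) else defending


def group_trust(responses):
    """Absolute trust (1.0) minus the mean degree of maliciousness of the majority."""
    return round(1.0 - mean(majority(responses).values()), 4)


def make_certificate(accused, responses, issued_at, ttl, key=DEMO_KEY):
    """Assumed certificate layout: a signed body that carries the responses it was built from."""
    body = {"accused": accused, "responses": responses, "group_trust": group_trust(responses),
            "issued_at": issued_at, "expires_at": issued_at + ttl}
    return {"body": body, "signature": sign(body, key)}


def classify(trust):
    if trust < CONFIRMED_INTRUSION:
        return "malicious"      # global alarm: the Whistle Blower takes over
    if trust <= TRUSTED_LEVEL:
        return "suspected"
    return "trusted"


class TrustManager:
    def __init__(self, W, alpha2, delta, window):
        self.W = W              # "a factor of the total network size"; assumed operator-chosen
        self.alpha2 = alpha2    # weightage of new evidence
        self.delta = delta      # trust replenishment per update
        self.window = window    # interval within which certificates from one group count once
        self.trust = {}         # node -> T; nodes above TRUSTED_LEVEL are not stored at all
        self.seen = []          # (respondent set, issued_at) of certificates already applied

    def trust_of(self, node):
        return self.trust.get(node, 1.0)

    def check_consistency(self, cert, now):
        """Return None when the certificate is acceptable, otherwise the reason to reject it."""
        if not hmac.compare_digest(sign(cert["body"]), cert["signature"]):
            return "bad signature"
        body = cert["body"]
        if body["issued_at"] > now:
            return "timestamp in the future"
        if now > body["expires_at"]:
            return "expired"
        # every included response must have been considered: recompute the group value
        if abs(group_trust(body["responses"]) - body["group_trust"]) > 1e-9:
            return "group trust does not match the included responses"
        return None

    def alpha1(self, maj, weights):
        """alpha_1 = (sum over majority of w_i * t_i) / W, capped at 1."""
        total = sum(weights.get(n, 1.0) * self.trust_of(n) for n in maj)
        return min(1.0, total / self.W)

    def alpha3(self, group, now):
        """k = certificates from this group (or a superset) inside the window; 1 for the first, else 0."""
        k = 1 + sum(1 for g, t in self.seen if group <= g and now - t <= self.window)
        return 1.0 if k == 1 else 0.0

    def update(self, cert, now, weights=None):
        reason = self.check_consistency(cert, now)
        if reason:
            raise ValueError(reason)
        body = cert["body"]
        accused = body["accused"]
        a1 = self.alpha1(majority(body["responses"]), weights or {})
        group = frozenset(body["responses"])
        a3 = self.alpha3(group, now)
        distrust = (a1 * (1.0 - self.trust_of(accused))
                    + self.alpha2 * a3 * (1.0 - body["group_trust"])
                    - self.delta)
        t_new = min(1.0, max(0.0, 1.0 - distrust))
        self.seen.append((group, body["issued_at"]))
        if t_new > TRUSTED_LEVEL:
            self.trust.pop(accused, None)   # no trust information is kept above the threshold
        else:
            self.trust[accused] = t_new
        return t_new, classify(t_new)
```

With W = 2, alpha2 = 0.5, delta = 0.02 and a 30-second window, a first certificate with group trust 0.45 moves an unknown node from 1.0 to 0.745 (suspected); a second certificate from the same respondents ten seconds later adds no evidence (alpha3 = 0) and trust replenishes to 0.765; a certificate with group trust 0.2 from a different group then takes it to 0.385, below the 0.4 cut-off, which is the point at which the global alarm fires.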
The weightage factors depend on many parameters which counter the effect of false alarms and wrong accusations. The parameter $\alpha_1$ is given by

$\alpha_1 = \frac{1}{W} \sum_{i \in majority} w_i \, t_i$

where $w_i$ and $t_i$ are the weightage of a majority node and its trust value respectively, and $W$ is a factor of the total network size. $\alpha_2$ is the weightage that the new evidence gets. $\alpha_3$ is defined in terms of the number of certificates $k$ received from the same group, or a subset of it, within some threshold time interval:

$\alpha_3 = \begin{cases} 1 & \text{if } k = 1 \\ 0 & \text{if } k > 1 \end{cases}$

4.3 Trust Propagator

There are many issues in maintaining a global trust state in an ad-hoc network. The first is the identification of the nodes required to manage the trust state for other nodes in the network. This information should be available to all nodes in the network and requires a dynamic mechanism for querying and updating the trust state. Any such scheme should be robust enough to work under network partitioning, misinformation and packet dropping attacks, and should be bandwidth friendly. We solve these problems by using a combination of the redundancy and the mobility of ad-hoc networks to our advantage.

The Trust Propagator uses mobility for propagating trust certificates. Whenever a new trust certificate is issued, it is initially flooded to a subset of nodes at least a given hop distance from the accused; note that these nodes can be multiple hops away. This scheme is coupled with a dynamic exchange of certificates between neighboring nodes after every time threshold. The number of elements in the subset, F, determines the effective convergence time of this information among the nodes which are, and which will be, neighbors of the accused. Intuitively, the initial flooding makes the certificate available to a set of nodes which are at least that distance from the accused and are likely to be the first to become its neighbors; as the accused moves through the network, every node would have received the certificate through the flooding or the exchange mechanism. The number of hops to be flooded can be determined dynamically by making the neighbors of the accused send neighborhood information along with the observed behavior to the accused. Note that certificates can be exchanged by piggybacking on routing packets, thus incurring no extra communication cost.

The exchange mechanism and the flooding also allow detection of tampering with packets and provide robustness against packet dropping attacks: a node can verify a certificate in its local cache with its neighboring nodes to detect any tampering. Note that a node caches only unexpired certificates. The above scheme is also robust against network partitioning, and no overhead is required for querying, as every node maintains the trust state of the nodes that are behaving maliciously. Usually the number of misbehaving or malicious nodes in the network is very low, which, coupled with the low false alarm rate due to group verification, keeps storage costs low. This scheme also allows a node to update its own trust state table depending on user policy; for example, a user may want to give more weightage to certificates about malicious behavior that the node itself directly observed. Note that we do not need to keep trust information about nodes whose trust value is above a pre-set threshold.

4.4 Whistle Blower

The Whistle Blower handles the response on detecting a global alarm about a malicious or misbehaving node in the network. We suggest a majority voting mechanism among the nodes that have interacted recently with the accused node. One possible way to do this is to flood a global alarm message to the entire network, followed by a vote by an electorate consisting of the nodes that have recently interacted with the accused.

4.5 State Diagram

As shown in Figure 4, each node monitors the behavior of its next-hop neighbors. If a suspicious event is detected above a predefined threshold, a local alarm is raised and a challenge is sent by the accuser to the accused.
The alarm is verified through a majority consensus by the Optimizer. The Trust Manager updates the trust state for the accused on receiving a new certificate. If the new trust state value dips below the pre-set threshold, a global alarm is raised and the Whistle Blower is called. If the received trust value of the certificate is significant enough but not below the value for a global alarm, the trust certificate is propagated to other nodes in the network. The Trust Propagator selectively floods the certificate depending on the connectivity of the group. These certificates are also periodically exchanged between the nodes in the network.

Figure 4. Finite state machine within each node

5. PERFORMANCE METRICS

We evaluate our algorithm on the following metrics.

False Positive Rate: The percentage of non-malicious nodes which are incorrectly identified as malicious.

Success Rate: The ratio of the number of malicious/misbehaving nodes successfully detected by the algorithm to the number of malicious/misbehaving nodes detected by an algorithm that uses only local monitoring, over a given period.

Total Convergence Time: The total time taken for a certificate to be propagated to all non-malicious nodes in the network.

Effective Convergence Time: The minimum time after which all future and past neighbors of an accused node have received the certificate. This metric is important as it determines the convergence time to the set of nodes which actually participate in the intrusion detection response policy and monitor the behavior of the malicious node.

Communication Overhead: The communication overhead depends on the number of false alarms that need to be propagated in the network and on the communication protocol used. We use a combination of controlled flooding and 1-hop exchanges, which gives a lower communication cost than flooding alone, since the exchanges can be piggybacked on routing packets.

6. SIMULATION ENVIRONMENT

We use a version of the Network Simulator ns [2]. The 802.11 MAC layer implemented in ns is used for the simulation. The simulation was run for 1000 seconds on a 50-node network in a 1000 m x 1000 m rectangular area. The traffic consisted of nine constant bit rate flows over UDP. The confirmed intrusion threshold is taken as 0.4. Nodes with trust between 0.4 and 0.9 are classified as suspected, and for trust values above 0.9 the nodes are assumed to be trusted. Certificates are exchanged every 1 minute.

REFERENCES

[1] Yongguang Zhang and Wenke Lee. Intrusion detection in wireless ad-hoc networks. In Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking, 2000.
[2] Kevin Fall and Kannan Varadhan. The ns manual.
[3] Huaizhi Li, Zhenliu Chen, Xiangyang Qin, Chengdong Li and Hui Tan. Secure Routing in Wired Networks and Wireless Ad Hoc Networks.
[4] L. Zhou and Z. Haas. Securing ad hoc networks. IEEE Network Magazine, vol. 13, November 1999.
[5] Dorothy Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, 1987.
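The Trust Propagator of section 4.3 and the two convergence metrics of section 5, as an added example that is not part of the paper or the original post. It assumes a static topology given as a list of links, that the accused's 1-hop neighbours hold the certificate as soon as it is broadcast, that the initial flood reaches the F nearest nodes at or beyond a minimum hop distance from the accused, that one exchange round delivers a cached certificate to every neighbour of every holder, and that the accused's future neighbours are supplied (here: the node it is about to move next to). Convergence is measured in exchange rounds rather than seconds; the graph and node names are constructed.

```python
"""Trust Propagator: initial flood to far nodes plus periodic 1-hop exchange; convergence metrics."""
from collections import deque

# constructed topology: the accused M sits at one end of a chain it is about to walk along
LINKS = [("M", "n0"), ("n0", "n1"), ("n1", "n2"), ("n2", "n3"),
         ("n3", "n4"), ("n4", "n5"), ("n5", "n6"), ("n6", "n7")]


def build_adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hop_distances(adj, source):
    """Breadth-first hop count from source to every reachable node."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def flood_targets(adj, accused, min_hops, F):
    """The F nodes closest to the accused among those at least min_hops away (sorted for determinism)."""
    dist = hop_distances(adj, accused)
    far = sorted((d, n) for n, d in dist.items() if d >= min_hops)
    return {n for _, n in far[:F]}


def propagate(adj, accused, min_hops, F, future_neighbors, max_rounds=100):
    """Simulate certificate spread; return effective and total convergence time in exchange rounds.

    Round 0: the accused's current neighbours hold the certificate (they heard the broadcast)
    together with the F flood targets. Each later round, every holder hands it to all its
    neighbours (piggybacked on routing traffic). The accused itself is not counted.
    """
    past = set(adj[accused])
    interested = past | set(future_neighbors)       # nodes that will actually act on the certificate
    everyone = set(adj) - {accused}                  # all non-malicious nodes
    have = past | flood_targets(adj, accused, min_hops, F)
    effective = total = None
    rnd = 0
    while True:
        if effective is None and interested <= have:
            effective = rnd
        if everyone <= have:
            total = rnd
            break
        if rnd >= max_rounds:
            break                                    # partitioned network: never converges
        rnd += 1
        reached = set().union(*(adj[n] for n in have)) - {accused}
        have |= reached
    return {"effective": effective, "total": total}


if __name__ == "__main__":
    adj = build_adjacency(LINKS)
    for F in (0, 1, 2):
        print(f"F={F}:", propagate(adj, "M", min_hops=3, F=F, future_neighbors={"n5"}))
```

On the chain, without any flood (F = 0) the certificate reaches the accused's next neighbour n5 only after five exchange rounds and the whole network after seven; flooding a single node three hops out (F = 1) cuts the effective convergence time to three rounds, and F = 2 cuts it to two. The total convergence time improves less than the effective one, which is the paper's point in distinguishing the two metrics: what matters is how quickly the nodes the accused will next meet hold the certificate.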