
Publication


Featured research published by Amin Hassanzadeh.


Computers & Security | 2013

On the optimality of cooperative intrusion detection for resource constrained wireless networks

Amin Hassanzadeh; Radu Stoleru

The problem of cooperative intrusion detection in battery-powered wireless mesh and sensor networks is challenging, primarily because of the limited resources available to participating nodes. Although the problem has received some attention from the research community, little is known about the tradeoffs among different objectives, such as high network performance, low power consumption, low delay in information collection and high security effectiveness. This article proposes, to the best of our knowledge for the first time, cooperative intrusion detection functions that take into account multiple objectives simultaneously. We formulate the problem of identifying the type of intrusion detection function each node runs, as a multi-objective optimization problem, and propose solutions based on genetic algorithms. Through extensive simulations we demonstrate that our solutions are scalable to large networks, and are characterized by a small variance in the normalized fitness value of individual/single objectives and by a small attack detection/reporting delay. In a real implementation/evaluation we demonstrate that our cooperative intrusion detection system achieves a higher detection rate (93%) than state of art solutions.


International Conference on Computer Communications and Networks | 2011

Towards Optimal Monitoring in Cooperative IDS for Resource Constrained Wireless Networks

Amin Hassanzadeh; Radu Stoleru

The problem of cooperative intrusion detection in resource constrained wireless networks (e.g., ad hoc, sensor) is challenging, primarily because of the limited resources available to participating nodes. Although the problem has received some attention from the research community, little is known about the tradeoffs among different objectives, e.g. network performance, power consumption, delay in information being collected and security effectiveness. This paper proposes, to the best of our knowledge for the first time, to distribute cooperative intrusion detection functions that take into account, simultaneously, multiple objectives. We formulate the problem of identifying the type of intrusion detection each node runs as a multi-objective optimization problem and motivate/develop a genetic algorithm to solve it. Through extensive simulations we demonstrate that our solution is characterized by: a small variance in the normalized fitness values of individual/single objectives; and a smaller attack detection and reporting delay than state of art solutions. In a real implementation/evaluation of our cooperative intrusion detection system, we demonstrate that it achieves a higher detection rate (93%) than state of art solutions (60%-73%).


Ad Hoc Networks | 2014

Traffic-and-resource-aware intrusion detection in wireless mesh networks

Amin Hassanzadeh; Ala Altaweel; Radu Stoleru

As the interest in Wireless Mesh Networks (WMN), as an infrastructureless wireless network, grows, security issues, especially intrusion detection, become of paramount importance. The diversity in hardware along with a variety of WMN applications, have resulted in WMN with different network characteristics (e.g., resource levels, system and security models, etc.). Consequently, different intrusion detection mechanisms have been proposed by the research community. Recently, the community has proposed several monitoring techniques for intrusion detection where each considers different assumptions and presents a different problem formulation for optimal monitoring. This article proposes a taxonomy that categorizes existing solutions in this research area and identifies the similarities and differences in their optimal monitoring problem formulations. We then concentrate on two classes of monitoring techniques for intrusion detection in WMN: Traffic Agnostic and Resourceful and Traffic Aware and Resourceful and present centralized and distributed algorithms for solving optimal monitoring problem in these networks. Through extensive simulations and a real implementation, we demonstrate the effects of different network characteristics on the problem formulation and consequently the performance (e.g., intrusion detection rate and resource consumption) of proposed solutions for optimal monitoring in WMN.


IEEE International Advance Computing Conference | 2009

If-cube3: An Improved Fault-Tolerant Routing Algorithm to achieve less latency in NoCs

Arshin Rezazadeh; Mahmood Fathy; Amin Hassanzadeh

Fault tolerant routing algorithms are a key concern in on-chip communication. This paper examines fault tolerant communication algorithms for use in Network-on-Chip (NoC). We propose an improved wormhole-switched routing algorithm in 2-dimensional mesh based on f-cube3 [22] algorithm to decrease message latency. The existing key concept is using numbers of virtual channels (VC) via a physical link. This paper proposes some improvements to make use of VCs while the numbers of them are fixed. We show that when a message is not blocked by fault, all VCs could be used; f-cube3, however, uses only one of the VCs. Furthermore, the strength of the improved algorithm is demonstrated by comparing results of simulations in both f-cube3 and the improved algorithm if-cube3.


Wireless and Mobile Computing, Networking and Communications | 2011

Efficient flooding in Wireless Sensor Networks secured with neighborhood keys

Amin Hassanzadeh; Radu Stoleru; Jianer Chen

Network flooding is a fundamental communication primitive for Wireless Sensor Networks (WSN). Flooding is used for disseminating code updates and parameter changes, affecting the operation of all nodes in the network. When flooding occurs each node, typically, broadcasts the flooding packet once. The costs for flooding, however, can become significant if neighborhood keys are used for communication (as proposed in recent research on secure localization and key distribution [1]), since, instead of a single broadcast, a node is required to perform several unicast transmissions. In this paper we address the problem of minimizing the number of unicast transmissions required for ensuring 100% network coverage for flooding in WSN secured with neighborhood keys. We show that the problem is NP-hard and propose an approximation algorithm for solving it. Through simulations, we demonstrate that our algorithm ensures 100% network coverage for flooding, while requiring, surprisingly, as low as 0.75 packet transmissions per node.


Ad Hoc Mobile and Wireless Networks | 2011

Energy efficient monitoring for intrusion detection in battery-powered wireless mesh networks

Amin Hassanzadeh; Radu Stoleru; Basem Shihada

Wireless Mesh Networks (WMN) are easy-to-deploy, low cost solutions for providing networking and internet services in environments with no network infrastructure, e.g., disaster areas and battlefields. Since electric power is not readily available in such environments, battery-powered mesh routers, operating in an energy efficient manner, are required. To the best of our knowledge, the impact of energy efficient solutions, e.g., involving duty-cycling, on WMN intrusion detection systems, which require continuous monitoring, remains an open research problem. In this paper we propose that carefully chosen monitoring mesh nodes ensure continuous and complete detection coverage, while allowing non-monitoring mesh nodes to save energy through duty-cycling. We formulate the monitoring node selection problem as an optimization problem and propose distributed and centralized solutions for it, with different tradeoffs. Through extensive simulations and a proof-of-concept hardware/software implementation we demonstrate that our solutions extend the WMN lifetime by 8%, while ensuring, at the minimum, a 97% intrusion detection rate.


International Conference on Information and Communication Security | 2013

PRIDE: Practical Intrusion Detection in Resource Constrained Wireless Mesh Networks

Amin Hassanzadeh; Zhaoyan Xu; Radu Stoleru; Guofei Gu; Michalis Polychronakis

As interest in wireless mesh networks grows, security challenges, e.g., intrusion detection, become of paramount importance. Traditional solutions for intrusion detection assign full IDS responsibilities to a few selected nodes. Recent results, however, have shown that a mesh router cannot reliably perform full IDS functions because of limited resources (i.e., processing power and memory). Cooperative IDS solutions, targeting resource constrained wireless networks impose high communication overhead and detection latency. To address these challenges, we propose PRIDE (PRactical Intrusion DEtection in resource constrained wireless mesh networks), a non-cooperative real-time intrusion detection scheme that optimally distributes IDS functions to nodes along traffic paths, such that detection rate is maximized, while resource consumption is below a given threshold. We formulate the optimal IDS function distribution as an integer linear program and propose algorithms for solving it accurately and fast (i.e., practical). We evaluate the performance of our proposed solution in a real-world, department-wide, mesh network.


2009 First International Conference on Future Information Networks | 2009

A data correlation method for anomaly detection systems using regression relations

Amin Hassanzadeh; Babak Sadeghiyan

Normal profiles have specific properties which would be changed when an attack occurs. The main property we have considered for each behavior is the correlation between the parameters of it. We compute a correlation matrix for normal sessions in the training phase. Then we select effective security parameters for our detection engine using an equivalent class with a graphical illustration namely Correlation Relation Graph (CRG). These extracted parameters among all parameters of each normal behavior have a relation with each other which could be computed by regression relations. Each behavior has some pairs of selected parameters including the independent parameter and the dependent one. As an inline detection process, we look at the value of selected parameters of each current session and put them into their computed regression relation. If the computed value of the dependent parameter of each pair has a value greater than what we compute by their regression relation, it will be considered as a deviation. Number of deviations per session and the combination of them is used to label a session as normal or attack. The results show that our proposed method has suitable detection rate and false alarm.


Computers & Security | 2014

RAPID: Traffic-agnostic intrusion detection for resource-constrained wireless mesh networks

Amin Hassanzadeh; Radu Stoleru; Michalis Polychronakis; Geoffrey G. Xie

Due to the recent increased interest in wireless mesh networks (WMN), their security challenges have become of paramount importance. An important security mechanism for WMN, intrusion detection, has received considerable attention from the research community. Recent results show that traditional monitoring mechanisms are not applicable to real-world WMN due to their constrained resources (memory and processing power), which result in high false negative rates since only a few IDS functions can be activated on monitoring nodes. Cooperative solutions, on the other hand, have high communication overhead and detection delay when the traffic load is high. A practical traffic-aware IDS solution was recently proposed for resource-constrained WMN, however, traffic-awareness might not be feasible for some WMN applications. This article proposes a traffic-agnostic IDS solution that uses a link-coverage approach to monitor both local and backbone WMN traffic. Using real-world experiments and extensive simulations, we show that our proposed IDS solutions outperform traffic-aware IDS solutions while incurring lower computation and communication overhead.


Ad Hoc Mobile and Wireless Networks | 2014

On the Attack-and-Fault Tolerance of Intrusion Detection Systems in Wireless Mesh Networks

Amin Hassanzadeh; Radu Stoleru

Intrusion detection in Wireless Mesh Networks (WMN) has recently emerged as an important research area. The diversity in WMN hardware and applications has generated extremely diverse network types, with diverse resource levels and system and threat models. Consequently, a variety of intrusion detection systems (IDS) have been proposed by the research community, each applicable to a specific type of WMN. Although the design and implementation of specific intrusion detection mechanisms have received considerable attention, little effort has been dedicated to the attack-and-fault tolerance of IDS themselves. In this paper we propose a taxonomy that categorizes state-of-the-art IDS solutions in WMN and we investigate the attack-and-fault tolerance of IDS in this taxonomy. We first survey a series of administrative mechanisms for attack-and-fault tolerant (AFT) IDS design. Then we propose modified designs for state-of-the-art IDS solutions that are AFT. Finally, through extensive simulations, we evaluate and compare AFT designed IDS with their original designs, with respect to the IDS performance and costs.

Collaboration


Top Co-Authors


Geoffrey G. Xie

Naval Postgraduate School


Basem Shihada

King Abdullah University of Science and Technology
