Dan Sterne
SPARTA, Inc.
Publication
Featured research published by Dan Sterne.
military communications conference | 2007
John S. Baras; Svetlana Radosavac; George Theodorakopoulos; Dan Sterne; Peter Budulas; Richard Gopaul
In this paper we extend the work presented in [1], [2] by quantifying the effects of in-band wormhole attacks on Intrusion Detection Systems. More specifically, we propose a mathematical framework for obtaining performance bounds of Byzantine attackers and the Intrusion Detection System (IDS) in terms of detection delay. We formulate the problem of distributed collaborative defense against coordinated attacks in MANET as a dynamic game problem. In our formulation we have on the one hand a group of attackers that observe what is going on in the network and coordinate their attack in an adaptive manner. On the other side, we have a group of defending nodes (the IDS nodes) that collaboratively observe the network and coordinate their actions against the attackers. Using extensions of the game theoretic framework of [3] we provide a mathematical framework for efficient identification of the worst attacks and damages that the attackers can achieve, as well as the best response of the defenders. This approach leads to quantifying resiliency of the routing-attack IDS with respect to Byzantine attacks.
military communications conference | 2008
Kyriakos Manousakis; Dan Sterne; Natalie Ivanic; Geoff Lawler; Anthony J. McAuley
A variety of attacks on MANET routing, forwarding, and infrastructure protocols can only be detected using distributed cooperative algorithms. One promising strategy is to organize cooperative intrusion detection activities as a multiple-level intrusion detection (ID) hierarchy in which each node reports intrusion detection observations to its parent. This enables detection decisions to be based on aggregated data that has been gathered and consolidated from neighborhoods and larger network regions efficiently. A key challenge is the selection and maintenance of a scalable and robust hierarchy that optimizes detection performance (e.g., low latency, continuous coverage) while incurring minimal cost (e.g., bandwidth consumption). Existing approaches to constructing hierarchies in MANETs based on simple heuristics lack flexibility and cannot simultaneously address diverse performance and cost requirements. Moreover, mobility can produce constant large scale changes in the hierarchy that can degrade performance and increase cost. The main contributions of this paper are to: (a) identify ID structure design requirements and formulate them as objective functions and constraints, (b) adapt a multi-objective optimization framework to the formation of ID structures, and (c) provide indicative results concerning the quality of these structures with respect to the ID design requirements.
military communications conference | 2008
Shanshan Zheng; Tao Jiang; John S. Baras; Anuja Sonalker; Dan Sterne; Richard Gopaul; Rommie L. Hardy
Due to the dynamics and mobility of mobile ad hoc networks (MANETs), intrusion detection techniques in MANETs must be adaptive. In this work, we propose detection schemes that are suitable to detect in-band wormhole attacks. The first detection scheme uses the Sequential Probability Ratio Test (SPRT). The SPRT has been proven to be an optimal detection test when the probability distributions of both normal and abnormal behaviors are given. Furthermore, we introduce non-parametric methods, which require no training and are more adaptive to mobile scenarios. The proposed detection schemes are implemented and evaluated using a 48-node testbed and a mobile ad-hoc network emulator at the Army Research Lab. The performance and detection accuracy of various schemes are compared, especially in the presence of congestion. We provide tradeoff analyses among detection latency and probabilities of false alarms and missed detection.
military communications conference | 2006
Anthony J. McAuley; Kyriakos Manousakis; Dan Sterne; Richard Gopaul; Peter Kruus
Many insider attacks, such as certain forms of packet dropping, malicious routing updates, and wormholes, can only be detected using distributed and cooperative algorithms. One promising approach for applying these algorithms is using an intrusion detection (ID) hierarchy enabling data aggregation and local decision making whenever possible. A key challenge to this problem is the selection and maintenance of a scalable and robust hierarchy optimizing detection performance (e.g., latency, coverage, and false alarm rate) while incurring minimal cost (e.g., bandwidth and processing). Existing approaches (i.e. flooding for forming a Breadth First Search Tree) to constructing such a hierarchy are simple and distributed; however, their performance and cost can be undesirable. Moreover, mobility can produce constant large scale changes in the hierarchy that degrade performance and increase cost. The main contributions of this paper are to: a) model the performance and costs of ID hierarchies and represent them in formal objective functions and constraints, b) modify an existing versatile, multi-objective hierarchy generation and maintenance tool to create trees, c) give simulation results on the quality and stability of ID hierarchies in a 100-node mobile network.
military communications conference | 2009
Maria Striki; Kyriakos Manousakis; Darrell Kindred; Dan Sterne; Geoff Lawler; Natalie Ivanic; George T. Tran
A network intrusion detection (ID) system detects malicious behavior by analyzing network traffic. Malicious behavior may target the disruption of communications, infrastructure services, and applications. A number of ID techniques proposed for dynamic wireless networks (e.g., sensor, ad-hoc and mobile ad-hoc networks) are based on the creation of an overlay hierarchy or other structure to organize the collection and processing of ID data. The particular structure chosen may significantly impact the ID system's performance with respect to network overhead, responsiveness, scalability, detection latency, resiliency to failures, and other factors. In this paper, we propose the formal definition and quantification of resiliency and detection latency. Specifically, we introduce analytical expressions that map ID structures to the metric space of real numbers. We define this mapping for a) various types of tree structures that have been proposed previously for dynamic wireless systems and b) a hypercube structure that presents promising resiliency characteristics. This analysis reveals important tradeoffs among the various ID structures under consideration.
military communications conference | 2010
Kyriakos Manousakis; Dan Sterne; Geoff Lawler; Natalie Ivanic
Intrusion detection (ID) effectiveness (low latency, low overhead, high accuracy) depends also on the collection of the corresponding data. In this paper we introduce an active maintenance mechanism that is distributed, utilizing one-hop information. This mechanism focuses on the maintenance of optimally formed tree ID structures, utilized for the collection and processing of ID data. The maintenance is called active, as opposed to the existing passive maintenance mechanisms, which are triggered only when the feasibility (e.g. connectivity) of the ID structures is violated, because the participating nodes continuously monitor their neighborhood characteristics that are related to the ID structures' design objectives and take restructuring decisions so that the quality (design objectives) of the ID structures is maintained. We evaluate and present the effectiveness of the active maintenance mechanism by implementing it in ARL's Wireless Emulation Lab (WEL) Testbed and comparing its optimality with respect to the optimality of tree ID structures formed utilizing a previously proposed global optimization mechanism based on simulated annealing (SA).
Archive | 2002
Wes Hardaker; Darrell Kindred; Ron Ostrenga; Dan Sterne; Roshan Thomas
wireless network security | 2010
Jinsub Kim; Dan Sterne; Rommie L. Hardy; Roshan Thomas; Lang Tong
Archive | 2006
Richard Gopaul; Peter Kruus; Dan Sterne; Brian Rivera
military communications conference | 2006
Dan Sterne; David Balenson; Simon Tsang; Petros Mouchtaris; Maitreya Natu; Adarshpal S. Sethi