Towards Adaptive Intrusion Detection in Mobile Ad Hoc Networks Bo Sun Dept. of Computer Science Lamar University Beaumont, TX 77710 [email protected]

Kui Wu Dept. of Computer Science University of Victoria BC, Canada V8W 3P6 [email protected]

Abstract— One of the main challenges in building Intrusion Detection Systems (IDSs) for Mobile Ad hoc NETworks (MANETs) is to integrate mobility impact and adjust the behavior of IDSs dynamically. In this paper, focusing on the protection of MANET routing protocols, we first demonstrate that nodes’ moving speed, a commonly used parameter in tuning IDS performance, is not an effective metric for the performance measurement of IDSs for MANETs. We then propose a new feature - the link change rate, which can not only act as a unified metric in measuring MANET IDS performance, but also be used to facilitate local MANET IDSs to select normal profiles adaptively. We utilize different mobility models to study the performance of our proposed adaptive mechanisms at different mobility levels. Simulation results show that our proposed adaptive mechanisms are effective and less dependent on mobility models. Detailed analysis of simulation results is also provided.

Udo W. Pooch Dept. of Computer Science Texas A&M University College Station, TX 77843-3112 [email protected]

I. INTRODUCTION

Global trustiness has become one of the fundamental assumptions in building MANETs. Nevertheless, this assumption is not always true in reality. The nature of MANETs makes them very vulnerable to malicious attacks. As a result, each node in a MANET should be prepared to work in a distributed environment with no trust in its peers. Intrusion prevention techniques can effectively deter attackers. However, they cannot totally eliminate intrusions. Sooner or later, a smart and determined attacker can find some security hole to break into a system, no matter how many intrusion prevention measures are deployed. Hence, Intrusion Detection Systems (IDSs), serving as the second line of defense, are indispensable for constructing highly survivable networks.

One of the main difficulties in building MANET IDSs is to accommodate mobility impacts. This is especially important because most dynamics in MANETs are caused by mobility. MANET IDSs that do not properly consider mobility are prone to a high false positive ratio, rendering the IDSs useless. A common feature among different mobility models is necessary for constructing effective detection engines.

In this paper, utilizing different mobility models, we first demonstrate that nodes’ moving speed, a commonly used parameter in measuring the performance of MANETs, is not effective in measuring the performance of MANET IDSs for different applications. We then propose an effective, unified measurement, the link change rate, to capture the common feature of different mobility scenarios. Suitable normal profiles and a proper threshold can then be selected adaptively by each local IDS agent through periodically measuring its local link change rate. Utilizing a Markov Chain based anomaly detection model as an exemplary MANET IDS, we demonstrate that our proposed adaptive mechanisms are effective under different mobility models.

II. BACKGROUND

A. Threat Model

We use one of the most important active attacks, the routing disruption attack, as the exemplary attack scenario in this paper.

[Figure 1: a network of nodes 1 through 8 in which node 1 injects a falsified RREP. Labels in the figure: Attacker: 1; Victims: 2, 3, 4, 7, 8; Attacker Objective: 3.]
Fig. 1. An Example of the Routing Disruption Attack.

IEEE Communications Society Globecom 2004

In Fig. 1, node 1 is the attacker. In order to effectively disrupt the routing logic, it actively sends falsified Routing REPly (RREP) packets into the network. Because of the source routing nature of DSR, the randomly constructed RREP needs to contain a valid path 1 → 5 → 3 to guarantee the delivery of the RREP. There are many ways for the attacker to get this path. For example, node 1 could initiate a route discovery first and wait for the path contained in the reply message. The attacker could then add a randomly constructed path, for example {2, 7, 9}, and form a RREP {2, 7, 9, 1, 5, 3}. Because of the wireless broadcast nature, there may exist many victims during the unicast of this fake RREP. In this example, the victims include nodes {2, 4, 7, 8}.

B. Markov Chain Based Anomaly Detection in MANETs

We have constructed a Markov Chain based anomaly detection algorithm. Detailed descriptions can be found in [9]. The internal structure of the IDS agent is shown in Fig. 2.

3551

0-7803-8794-5/04/$20.00 © 2004 IEEE

[Figure 2: block diagram of an IDS agent. Components shown: Audit Data, Data Collection Module, Detection Engine, Local Aggregation and Correlation (LACE), Global Aggregation and Correlation (GACE), and Intrusion Response. Detection results come from the IDS agents of neighboring gateway nodes and of the intrazone nodes in the same zone, and detection results are sent to the IDS agents of neighboring gateway nodes.]
Fig. 2. Diagram of an IDS agent.

III. IDS BEHAVIOR UNDER DIFFERENT MOBILITY MODELS

A. Different Mobility Models

Three mobility models, the Random Waypoint model (RW), the Random Drunken model (RD), and the Obstacle Mobility (OM) model [7], were simulated. In the RW model, each node randomly selects a destination in the simulated area and a speed from a uniform distribution of specified speeds. The node then travels to its selected destination at the selected speed. After arriving at the destination, it is stationary for a given pause time. After that, the node resumes its movement to a newly selected destination with a newly selected speed.

In the RD model, each node moves independently with the same average speed. Each node moves continuously within the region without pausing at any location. It changes direction after every unit of distance. It can provide us with knowledge of IDS performance in an environment where nodes change directions very quickly but links stay relatively stable [10].

The OM model was constructed to model the movement of mobile nodes in terrains that resemble real world topographies. Arbitrarily complex polygonal shapes are used to specify the obstacles (buildings). The Voronoi diagram [1] of the obstacle corners is used as the movement graph. Nodes move along paths that are defined by the edges of the Voronoi diagram between the set of objects. Transmission behavior in the OM model is influenced by the presence of objects.

B. Performance Metrics

We use the following metrics throughout the simulation.
• False positive ratio: the percentage of decisions in which normal data are flagged as anomalous.
• Detection ratio: the total number of correct detections divided by the total number of victims in the anomalous data.
• Mean Time to the First Alarm (MTFA): defined over anomalous traces, it measures how fast the classifier detects the attack. Given an anomalous trace ξ, if the attack starts at location L_a and our IDS generates its first alarm after scanning the L_d-th symbol, then the MTFA of ξ, normalized by the length L of the locality frame, is MTFA(ξ) = (L_d − L_a) / L.

When confidence intervals were calculated, the confidence level was set to 95%.

C. Speed is Not an Accurate Metric

1) False Positive Ratio: From Fig. 3(a), we can see that although the moving speed of the RD model is larger than that of the RW model and the OM model, its false positive ratio is much smaller. This is because, given the same moving speed, the RD model does not generate as many link breakages as the RW model does [10], and also because routing table changes are impacted directly by link changes rather than by nodes’ moving speed.

2) Detection Ratio: From Fig. 3(b), we can see that in all three mobility models the detection ratio decreases as speed increases. When mobility is low, the routing table is relatively stable. Therefore, it is easier for the classifier to identify abnormal behavior. We also observe that the overall detection ratio of the RD model is higher than that of the RW model and the OM model, even though the nodes’ moving speed is much higher in the RD model.

3) MTFA: From Fig. 3(c), for the RW model and the OM model, MTFA increases with the increase of nodes’ moving speed. We can also see that although the nodes’ moving speed is larger in the RD model, its MTFA is smaller than that of the RW model and the OM model. This again demonstrates that speed is not a good metric for measuring the performance of an IDS.

IV. A BETTER METRIC

Our research motivation is to find a unified metric which is less dependent on mobility models and could be used to adjust MANET IDS performance. Because routing table changes are more directly impacted by link changes, we measure the link change rate of different mobility models and use it as a unified metric. Assume that for a given node, at time t1 its neighbor set is N1, and at time t2 its neighbor set is N2. We define the link change rate as:

(|N2 − N1| + |N1 − N2|) / |t2 − t1|

|N2 − N1| is the number of new neighbors during the interval (t2 − t1), and |N1 − N2| is the number of neighbors that moved away during the interval (t2 − t1). Together they represent the number of neighbor changes in (t2 − t1).
Link change rate can be locally collected by each node. For a given mobility model and a given mobility level, represented by a {minimum speed, maximum speed} pair, we compute the average link change rate. Using the computed link change rate, we measure the MANET IDS performance over different mobility models to see whether its performance is mainly determined by the link change rate. The IDS performance over different mobility models is illustrated in Fig. 4.

[Figure 3: three panels, (a) False Positive Ratio, (b) Detection Ratio, (c) MTFA, each plotted against Speed (m/s) from 0 to 50, with curves for Random Waypoint, Random Drunken and Obstacle Mobility.]
Fig. 3. Performance of local IDS under RW model, RD model and OM model when using nodes’ moving speed as a parameter.

[Figure 4: three panels, (a) False Positive Ratio, (b) Detection Ratio, (c) MTFA, each plotted against Link Change Rate from 0 to 1, with curves for Random Waypoint, Random Drunken and Obstacle Mobility.]
Fig. 4. Performance of local IDS under RW model and RD model when using link change rate as a parameter.

A. False Positive Ratio

From Fig. 4(a), the false positive ratio increases with the increase of link change rate. Compared to Fig. 3(a), Fig. 4(a) demonstrates that if the parameter settings of the IDS are based on the link change rate, the performance of the IDS will be less dependent on mobility models. Compared to nodes’ moving speed, link change rate can be used more accurately to measure routing table changes. A larger link change rate implies a more dynamic environment, which makes it more difficult to differentiate normal and abnormal behavior. Compared to the RW model and the RD model, the use of obstacles and pathways in the OM model has an impact on the performance of the IDS. In the OM model, nodes move along paths that are defined by the edges of the Voronoi diagram between the set of objects. This greatly reduces the randomness of path selection in the OM model, which makes it easy for the detection engine to characterize the normal routing behavior accurately. Therefore, the false positive ratio in the OM model does not increase dramatically with the increase of the link change rate, compared to the other two mobility models.

B. Detection Ratio

The overall trend for the detection ratio is that with the increase of link change rate, the detection ratio for all three models drops. From Fig. 4(b), we can see that for the same link change rate, the detection ratios of the different models do not differ greatly. In contrast, for the same moving speed, the detection ratios of different mobility models are basically incomparable, as shown in Fig. 3(b). We observe that the detection ratio in the OM model decreases quickly with the increase of link change rate. Because of obstacles, it is very likely that victims will not receive the randomly constructed fake RREP packets. Therefore, many victims only experience a very short intrusion time. It is very hard for this type of “partial” victim to detect intrusions, resulting in a low detection ratio.

C. MTFA

From Fig. 4(c), we can see that the MTFA increases with the increase of link change rate. In terms of MTFA, the three models exhibit trivial differences. In comparison with the results in Fig. 3(c), link change rates are more accurate than moving speed in capturing the dynamics of networks.

V. ADAPTIVE IDS

A. Adaptive Mechanism

[Figure 5: the locally measured Link Change Rate feeds two modules. The Data Collection Module selects, based on LCR_recent, the corresponding codebook to discretize raw data; the Detection Engine selects, based on LCR_recent, the corresponding profile. Each stored profile P1, P2, P3 consists of 1. a Markov Chain, 2. a link change rate, and 3. a threshold.]
Fig. 5. Adaptive mechanism.
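The link change rate of Section IV and the nearest-profile selection that Fig. 5 sketches, as an added example that is not code from the paper. It assumes a normal profile is a first-order Markov chain over discretized routing-table-change symbols (S, A, D) plus an alert threshold, that the alert signal is the mean negative log-probability of the recent transitions, and that unseen transitions get a small floor probability; the profiles, neighbor snapshots and symbol traces are constructed data.

```python
"""Link change rate (Section IV) and adaptive profile selection (Figs. 5, 6).
Added example, not the paper's code. Assumptions: neighbor sets are observed
at beacon times; a normal profile is a first-order Markov chain over
discretized routing-table-change symbols plus an alert threshold; the alert
signal is the mean -log probability of recent transitions. All data below
is constructed."""
import math
from dataclasses import dataclass

def link_change_rate(n1, n2, t1, t2):
    """(|N2 - N1| + |N1 - N2|) / |t2 - t1|: neighbors gained plus lost per unit time."""
    if t1 == t2:
        raise ValueError("t1 and t2 must differ")
    return (len(n2 - n1) + len(n1 - n2)) / abs(t2 - t1)

def recent_link_change_rate(snapshots, window=3):
    """LCR_recent: mean rate over the last `window` consecutive snapshot pairs.
    snapshots: time-ordered list of (time, neighbor_set)."""
    recent = snapshots[-(window + 1):]
    if len(recent) < 2:
        return 0.0
    rates = [link_change_rate(a[1], b[1], a[0], b[0])
             for a, b in zip(recent, recent[1:])]
    return sum(rates) / len(rates)

@dataclass(frozen=True)
class NormalProfile:
    lcr: float         # average LCR of the mobility level it was trained at
    transitions: dict  # (prev_symbol, symbol) -> probability (Markov chain)
    threshold: float   # alert threshold computed offline for that level

def select_profile(profiles, lcr_recent):
    """Profile whose stored LCR has the smallest Euclidean distance to LCR_recent."""
    return min(profiles, key=lambda p: abs(p.lcr - lcr_recent))

def alert_signal(profile, symbols, floor=1e-3):
    """Mean -log P(transition) under the profile's chain; an unseen transition
    gets probability `floor` (an assumption, not a detail from the paper)."""
    if len(symbols) < 2:
        return 0.0
    total = sum(-math.log(profile.transitions.get(pair, floor))
                for pair in zip(symbols, symbols[1:]))
    return total / (len(symbols) - 1)

def decide(profiles, snapshots, symbols, window=3):
    """Online selection step of Fig. 6. Returns
    (LCR_recent, LCR of the chosen profile, alert signal, alert raised)."""
    lcr_recent = recent_link_change_rate(snapshots, window)
    profile = select_profile(profiles, lcr_recent)
    signal = alert_signal(profile, symbols)
    return lcr_recent, profile.lcr, signal, signal > profile.threshold

def chain(ss, sa, as_, aa):
    """Toy chain over symbols S (stable), A (route added), D (route dropped);
    the A and D rows are made identical to keep the constructed data small."""
    sd, ad = 1 - ss - sa, 1 - as_ - aa
    return {("S", "S"): ss, ("S", "A"): sa, ("S", "D"): sd,
            ("A", "S"): as_, ("A", "A"): aa, ("A", "D"): ad,
            ("D", "S"): as_, ("D", "A"): aa, ("D", "D"): ad}

# Constructed profiles for low, medium and high link change rate levels.
PROFILES = [NormalProfile(0.1, chain(0.9, 0.05, 0.8, 0.1), 1.0),
            NormalProfile(0.3, chain(0.7, 0.15, 0.6, 0.2), 1.5),
            NormalProfile(0.6, chain(0.5, 0.25, 0.4, 0.3), 1.7)]
# Constructed neighbor snapshots (time in s, neighbor ids) seen by one node.
SNAPSHOTS = [(0, {2, 5}), (5, {2, 5, 7}), (10, {5, 7}),
             (15, {5, 7, 8, 9}), (20, {7, 8, 9})]
NORMAL_SYMBOLS = ["S", "S", "A", "S", "S", "D", "S"]  # benign churn
ATTACK_SYMBOLS = ["S", "A", "A", "A", "A", "D", "A"]  # routing disruption
```

With the constructed snapshots LCR_recent is about 0.27, so the medium-mobility profile is chosen and the benign trace stays below its threshold, whereas scoring the same benign trace against the fixed low-mobility profile PROFILES[0] exceeds that profile's threshold, which is the false positive the adaptive selection avoids.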

We take the following procedures to construct our adaptive MANET IDS, as illustrated in Fig. 5.
• Offline training: Using different mobility models, we first collect routing activities at different mobility levels. Following the existing offline training approach to construct the classifier, we compute the detection threshold at different mobility levels. We further compute the average link change rate at each mobility level.
• Online selection: The data collection module of each IDS agent periodically collects its local link information and computes its link change rate over the recent history, denoted as LCRrecent. Based on LCRrecent, the data preprocess module discretizes the raw data and selects the corresponding codebook whose link change rate has the smallest Euclidean distance to LCRrecent. LCRrecent is also reported to the detection engine, which selects the normal profile whose link change rate has the smallest Euclidean distance to LCRrecent. This process is summarized in Fig. 6.

Procedure Select_Adaptively()
Input: periodically calculated link change rate
Output: normal profile adaptive to mobility
Begin
  For each local IDS at time t
    Compute the link change rate over the recent history, denoted as LCRrecent;
    Compute the Euclidean distance between LCRrecent and each link change rate stored in the normal profiles;
    Select the normal profile whose link change rate has the smallest Euclidean distance to LCRrecent;
    Use the adaptively selected Markov Chain to calculate the alert signal of the recent routing activities;
    Based on the calculated alert signal and the adaptively selected alert threshold, decide whether or not to generate an alert.
  END For
END

Fig. 6. Pseudocode to adaptively select normal profiles.

Because of obstacles and fixed paths in the OM model, links may change abruptly compared to those in the RW model and the RD model. For example, when a node turns around a corner, old links may be blocked and a lot of new links may be found. The link change rate changes abruptly, and a mechanism is needed to accommodate this abrupt change. Therefore, for the OM model, we add a training data preprocess to generate its classifier offline. The main functionality of the training data preprocess is to split the original training data set into a new set of training data, with each set corresponding to one calculated link change rate. The detailed process is illustrated in Fig. 7. Existing research work could be used to help measure the link change rate. For example, in [13], a link expiration scheme is proposed.

Procedure Offline_Training_Obstacle_Mobility()
Input: 1) periodically calculated link change rate at different mobility levels; 2) training data collected using the (min_speed, max_speed) pair (periodically collected PCH).
Output: offline computed classifier for the Obstacle Mobility model.
Begin
  Compute the average link change rate over the recent history for all training data at each mobility level, denoted as lcravg_i (i = 1, 2, ..., N, where N is the total number of mobility levels).
  For each training data set at mobility level i
    For each training data item at time t
      Compute the Euclidean distance between lcravg_i and the corresponding link change rate over the recent history at time t;
      Select the newly constructed training data set whose associated lcravg_i has the smallest Euclidean distance to the corresponding link change rate over the recent history at time t;
      Put the corresponding training data item into the selected training data set in sequence.
    END For
  END For
  /* We have generated a new set of training data based on lcravg_i */
  For each newly constructed training data set
    Use the existing approach to construct the classifier at each link change rate level lcravg_i.
  END For
END

Fig. 7. Pseudocode for constructing classifier offline under the OM model.

VI. SIMULATION STUDY OF ADAPTIVE IDSS

A. Adaptive IDSs under the Random Waypoint model and the Random Drunken model

The performance of the RW model is very similar to that of the RD model when the link change rate is used as the metric. Therefore, we only display the performance of the RW model. From Fig. 8(a), we can see that at the same link change rate, the false positive ratio of the adaptive IDS is lower than that of the IDS not using the adaptive mechanism. This is especially true at large link change rates. Adaptive mechanisms take into consideration mobility-caused dynamics and can change normal profiles correspondingly, enabling the IDS to suit the environment better. False positives can be reduced correspondingly. As illustrated in Fig. 8(b), detection ratios with and without adaptive mechanisms do not show much difference. In theory, if the IDS can model the normal behavior accurately by using adaptive mechanisms, it should be able to detect more intrusions. Unfortunately, we find this is not really true for our detection engine. When attacks happen in the network, abnormal routing table changes do not follow any normal profile. The adaptive mechanism will not make the abnormal changes caused by the attack appear in any normal profile. This is the main reason that adaptive mechanisms are not helpful in improving the detection ratio for our detection engine. For the same reason, MTFA with and without adaptive mechanisms does not show much difference, as illustrated in Fig. 8(c). To summarize, the main benefit of the adaptive mechanisms to our detection engine is to lower the false positive ratio, while keeping roughly the same detection ratio and MTFA.

[Figure 8: three panels, (a) False Positive Ratio, (b) Detection Ratio, (c) MTFA, each plotted against Link Change Rate from 0 to 1, with curves for No Adaptive Mechanism and Adaptive Mechanism.]
Fig. 8. Performance of adaptive local IDS.

[Figure 9: three panels, (a) False Positive Ratio, (b) Detection Ratio, (c) MTFA, each plotted against Link Change Rate from 0 to 1, with curves for No Adaptive Mechanism and Adaptive Mechanism.]
Fig. 9. Performance of adaptive local IDS for obstacle mobility.

B. Adaptive IDS under the Obstacle Mobility model

As shown in Fig. 4, the OM model behaves differently at high link change rates. From the following performance results, however, the same conclusion that adaptive mechanisms can reduce the false positive ratio still holds. We can see from Fig. 9(a) that for the OM model, the false positive ratio of the adaptive mechanism is lower than that of the non-adaptive mechanism. Adaptive mechanisms integrate mobility-caused dynamics and can adjust the normal profiles correspondingly, resulting in a lower false positive ratio. We can also see from Fig. 9(b) and Fig. 9(c) that for the OM model, the detection ratio and MTFA of the adaptive mechanism and the non-adaptive mechanism do not show much difference. This again illustrates that the main advantage of the adaptive mechanisms is to decrease the false positive ratio, while keeping roughly the same detection ratio and MTFA.

VII. CONCLUSION

In this paper, we investigate the impact of mobility models on the performance of MANET IDSs. Utilizing different mobility models, we propose a unified measurement, the link change rate, to capture the impact of mobility on IDS engines. We propose how to integrate adaptive mechanisms into the construction of local MANET IDSs. Using the routing disruption attack as the threat model, we have carried out extensive simulations to demonstrate the effectiveness of our adaptive mechanisms.

REFERENCES

[1] M. de Berg, M. van Kreveld, M. Overmars and O. Schwarzkopf, “Computational Geometry: Algorithms and Applications,” Springer Verlag, 2000.
[2] J. Broch, D. Johnson, and D. Maltz, “The Dynamic Source Routing Protocol for Mobile Ad hoc Networks,” IETF Internet Draft, http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-07.txt, Feb. 2002.
[3] S. Capkun, J. P. Hubaux and L. Buttyán, “Mobility Helps Security in Ad Hoc Networks,” in Proc. of the 4th ACM Symp. on Mobile Ad Hoc Networking and Computing (MobiHOC’03), Annapolis, MD, June 2003.
[4] H. Debar, M. Dacier, and A. Wespi, “A Revised Taxonomy for Intrusion-Detection Systems,” Annales des Telecomm., vol. 55, 2000, pp. 361-378.
[5] Y. Hu, A. Perrig, and D. B. Johnson, “Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks,” Proc. of the 22nd Annual Joint Conf. of the IEEE Computer and Communications Societies, vol. 3, San Francisco, CA, April 2003, pp. 1976-1986.
[6] Y. Huang, W. Fan, W. Lee, and P. S. Yu, “Cross-Feature Analysis for Detecting Ad-hoc Routing Anomalies,” Proc. of the 23rd Int’l Conf. on Distributed Computing Systems, Providence, RI, May 2003, pp. 478-487.
[7] A. Jardosh, E. M. Belding-Royer, K. C. Almeroth, and S. Suri, “Towards Realistic Mobility Models For Mobile Ad hoc Networks,” Proc. of the 9th Annual Int’l Conf. on Mobile Computing and Networking, San Diego, CA, 2003, pp. 217-229.
[8] S. Marti, T. Giuli, K. Lai, and M. Baker, “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks,” Proc. of the 6th Annual Int’l Conf. on Mobile Computing and Networking, Boston, MA, Aug. 2000, pp. 255-265.
[9] B. Sun, K. Wu, and U. Pooch, “Routing Anomaly Detection in Mobile Ad Hoc Networks,” 12th Int’l Conf. on Computer Communications and Networks (ICCCN’03), Dallas, TX, Oct. 2003, pp. 25-31.
[10] K. Wu and J. Harms, “Performance Study of Proactive Flow Handoff for Mobile Ad Hoc Networks,” to appear in ACM/Kluwer Wireless Networks Journal (ACM WINET).
[11] Y. Zhang and W. Lee, “Intrusion Detection in Wireless Ad Hoc Networks,” Proc. of the 6th Annual Int’l Conf. on Mobile Computing and Networking, Boston, MA, Aug. 2000, pp. 275-283.
[12] Y. Zhang, W. Lee, and Y. A. Huang, “Intrusion Detection Techniques for Wireless Ad Hoc Networks,” ACM/Kluwer Wireless Networks Journal, Vol. 9, No. 5, Sept. 2003, pp. 545-556.
[13] W. Su, S. J. Lee, and M. Gerla, “Mobility Prediction and Routing in Ad hoc Wireless Networks,” International Journal of Network Management, Vol. 11, Issue 1, Jan.-Feb. 2001, pp. 3-30.