A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks
TRUST, Berkeley Meetings, March 19-21, 2007
A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks
Adrian P. Lauf, Richard A. Peters and William H. Robinson
April 2-3, 2008
Outline
Motivation
Methods
Results
Application to SCADA
"A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks", Adrian P. Lauf, Richard A. Peters and William H. Robinson, April 2-3, 2008
What is HybrIDS?
Hybrid, Distributed, Embeddable IDS (HybrIDS)
Identify deviant activity on an ad-hoc network
Distributed implementation strategy
Utilize multiple detection strategies
– Zero-knowledge phase
– Calibration-based phase
Function on resource-constrained devices
Integrate with SCADA (Supervisory Control And Data Acquisition) networks
Why HybrIDS for SCADA?
SCADA implementations are becoming less localized
Wireless and IP-based networks present a significant security vulnerability
Sensor/Actuator nodes have no inherent security built in
Designed with scalability in mind
Why is HybrIDS different?
It is decentralized
– Reduce dependence on a single system
– Reduce power consumption
– Reduce compute-intensive operations
– Allows for group consensus decisions
Each unit maintains a model of the world
– Reduces chance of tampering with a centralized system
It is resource constrained
– Runs well on embedded Linux platforms
It is portable
– Uses abstraction to eliminate context exclusivity
– Coded in Java for enhanced portability
It is adaptable
– HybrIDS can abstract many ad-hoc network scenarios:
  Autonomous aircraft networks and avionic protocols (ADS-B)
  Swarm-based microrobotics
  Self-contained sensor nodes
What can HybrIDS do?
Identify single or multiple anomalies on an ad-hoc network
Adaptable to various attack configurations
– DOS
– Timed attacks
– Command injection
– Network disruption
Locate deviant nodes with zero prior knowledge of system architecture
Adapt to system changes in a scalable manner
Simplifying by Abstraction
Node interactions classified by labels
Interaction histories recorded
– Each node maintains action histories from its point of view
Abstraction permits context independence
– Applicable to any system using predetermined actions

Example interaction-history table (counts per action label, as kept by one observing node):

          Action 1   Action n-1   Action n
Node 1        1          30          25
Node 2        2          32          20
Node 3        1          50          22
Node 4       12           2          80
Why a hybrid approach?
Phase 1 requires no training data
Can isolate a single anomaly
Phase 2 requires training data
Can detect multiple anomalies
More flexible to system changes
[Figure: timeline showing Phase 1 followed by Phase 2 along the time progression]
Detection Method: Maxima Analysis: Setup
Histograms formed for each connected node
– Node A will track B, C, and D.
Average system behavior obtained by averaging across observed nodes
Bins correspond to action labels
Data must be normalized to a distribution
– E.g. Gaussian, Chi²
[Figure: matrix of per-node histograms (rows: nodes, columns: labels), averaged as Σ/(n-1) over the observed nodes into the average behavioral PDF for the system]
Maxima Detection Algorithm
Resultant vector yields approximate PDF
Find global maximum, exclude it
Identify, mark local maxima
Local maximum yields likely intrusion-motivated behaviors
Reverse-map this label to node with most frequent occurrence
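The two slides above give the zero-knowledge phase as a sequence of steps: build a histogram of action labels for each observed node (the abstraction introduced on the "Simplifying by Abstraction" slide), average the histograms into a system PDF, drop the global maximum, mark the remaining local maxima, and reverse-map the peak label to the node that performs it most often. The Python below is an added worked example of those steps, not code from the HybrIDS project (which is written in Java). The node names, the four action labels and the interaction histories are constructed sample data, and treating the normalized histogram itself as the distribution, rather than fitting a Gaussian or chi-square model as the setup slide suggests, is a simplification made here.

```python
from collections import Counter

# Constructed sample input: interaction histories kept by observer node A
# for each connected node, as sequences of abstract action labels 0..3.
# Node D performs action 3 far more often than the others.
OBSERVED = {
    "B": [0, 1, 1, 2, 0, 1, 2, 1, 0, 1],
    "C": [0, 1, 2, 1, 1, 0, 1, 2, 1, 1],
    "D": [3, 3, 1, 3, 3, 0, 3, 3, 3, 1],
}
N_LABELS = 4


def histogram(history, n_labels):
    """Count occurrences of each action label; one bin per label."""
    counts = Counter(history)
    return [counts.get(label, 0) for label in range(n_labels)]


def normalize(hist):
    """Scale a histogram so its bins sum to 1 (an empirical PDF)."""
    total = sum(hist)
    return [c / total for c in hist] if total else [0.0] * len(hist)


def average_pdf(pdfs):
    """Bin-wise mean of the per-node PDFs: the system's average behavior."""
    rows = list(pdfs.values())
    return [sum(row[b] for row in rows) / len(rows) for b in range(len(rows[0]))]


def local_maxima(pdf, exclude):
    """Bins higher than both neighbours, skipping the excluded (global) peak."""
    maxima = []
    for i, value in enumerate(pdf):
        if i == exclude:
            continue
        left = pdf[i - 1] if i > 0 else float("-inf")
        right = pdf[i + 1] if i < len(pdf) - 1 else float("-inf")
        if value > left and value > right:
            maxima.append(i)
    return maxima


def maxima_detection(observed, n_labels):
    """Zero-knowledge phase (MDS): return (system_pdf, suspect_labels, suspect_node)."""
    pdfs = {node: normalize(histogram(h, n_labels)) for node, h in observed.items()}
    system_pdf = average_pdf(pdfs)
    # The global maximum is the dominant, normal behavior; exclude it.
    global_max = max(range(n_labels), key=system_pdf.__getitem__)
    # Remaining local maxima are behaviors that are unusually frequent.
    suspect_labels = local_maxima(system_pdf, exclude=global_max)
    if not suspect_labels:
        return system_pdf, [], None
    # Reverse-map the strongest secondary peak to the node that emits it most.
    label = max(suspect_labels, key=system_pdf.__getitem__)
    suspect = max(observed, key=lambda node: observed[node].count(label))
    return system_pdf, suspect_labels, suspect


if __name__ == "__main__":
    pdf, labels, node = maxima_detection(OBSERVED, N_LABELS)
    print("system PDF:", [round(p, 3) for p in pdf])
    print("secondary peaks at labels:", labels, "-> suspect node:", node)
```

With the constructed histories the system PDF peaks at label 1 (the shared normal behavior) and has one secondary peak at label 3, which reverse-maps to node D. Because the phase works on a single secondary peak, it isolates one anomaly, which is why the hybrid slide reserves multi-anomaly detection for the calibrated phase.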
Detection Method: Cross-correlation
[Figure: per-node histograms (rows: nodes, columns: labels) are averaged as Σ/(n-1) into the average PDF; each node's histogram is then cross-correlated with the average PDF to produce that node's score]
Score Analysis
Average score is computed
Each score is compared to the average
Deviance determined by a threshold
[Figure: score plotted against node number, with the mean score line, the threshold bounds placed above and below it by the threshold setting, and the suspected deviant node lying outside the bounds]
Threshold Requirements
Threshold varies for each scenario
– Representative of a percentage deviation required for suspicion of a node
Variability of thresholds is a weakness of CCIDS
Can cause generation of false positives
– Reduced by selecting proper threshold
– Minimal baseline threshold is possible – system may never converge
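The three slides above describe the cross-correlation phase (CCIDS): each node's histogram is correlated against the average PDF to give a score, the scores are compared to their mean, and a percentage-deviation threshold decides which nodes are deviant. The Python below is an added example of that scoring and thresholding, not the project's code. The five node PDFs are constructed sample data; using zero-lag normalized cross-correlation (cosine similarity) as the score and a two-sided bound of threshold times the mean score are this example's assumptions about details the slides leave unspecified.

```python
import math

# Constructed sample input: normalized behavior histograms (PDFs over four
# action labels) for five observed nodes. Nodes A, B and D behave alike,
# C deviates mildly and E strongly.
NODE_PDFS = {
    "A": [0.4, 0.4, 0.2, 0.0],
    "B": [0.4, 0.4, 0.2, 0.0],
    "C": [0.3, 0.4, 0.3, 0.0],
    "D": [0.4, 0.4, 0.2, 0.0],
    "E": [0.0, 0.1, 0.1, 0.8],
}


def average_pdf(pdfs):
    """Bin-wise mean of the per-node PDFs (the Σ/(n-1) step on the slide)."""
    rows = list(pdfs.values())
    return [sum(r[b] for r in rows) / len(rows) for b in range(len(rows[0]))]


def cross_correlation(p, q):
    """Zero-lag normalized cross-correlation (cosine similarity) of two PDFs.

    1.0 means identical shape; lower values mean the node's behavior mix
    differs from the average. Assumed here as the scoring function.
    """
    dot = sum(a * b for a, b in zip(p, q))
    norm = math.sqrt(sum(a * a for a in p)) * math.sqrt(sum(b * b for b in q))
    return dot / norm if norm else 0.0


def ccids_scores(pdfs):
    """Score every node by how well it correlates with the system's average PDF."""
    avg = average_pdf(pdfs)
    return {node: cross_correlation(pdf, avg) for node, pdf in pdfs.items()}


def deviant_nodes(scores, threshold):
    """Flag nodes whose score lies outside mean ± threshold*mean.

    `threshold` is the percentage deviation from the slide, as a fraction
    (0.2 = 20%). The bound is two-sided, matching the figure's upper and
    lower threshold lines.
    """
    mean = sum(scores.values()) / len(scores)
    bound = threshold * mean
    return {node for node, s in scores.items() if abs(s - mean) > bound}


if __name__ == "__main__":
    scores = ccids_scores(NODE_PDFS)
    for node, s in sorted(scores.items()):
        print(f"{node}: score={s:.3f}")
    for threshold in (0.2, 0.1, 0.0):
        print(f"threshold {threshold:.2f}: deviant = {sorted(deviant_nodes(scores, threshold))}")
```

Running it with thresholds 0.2, 0.1 and 0.0 shows the weakness the threshold slide warns about. At 0.2 only the strongly deviant node E is flagged. At 0.1 E has pulled the mean score down far enough that every node, including the three identical well-behaved ones, falls outside the bounds, so the false positives come from the threshold rather than from the nodes. At a zero baseline threshold nothing is ever inside the bounds, which is the non-converging case.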
Required Thresholds for Proper Detection (CCIDS)
Deviant node pervasion yields linear change in threshold
Number of nodes has negligible impact on threshold requirements
0.2 represents 100% deviation in this figure
– Detects only nodes that vary significantly
0.02 represents a 10% deviation
– More sensitive to smaller node deviations
Selecting Detection Phases
HybridState object determines if the transition point has been reached
If one of the results from CCIDS matches a suspected node from MDS, a match is considered found
Transitioning between phases
Increasing the deviant node pervasion requires more tuning cycles
Threshold adjusted once per tuning cycle
Figure represents an average for all node sizes
– # transition cycles is independent of node cluster size
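The two slides above describe the hand-off between phases: a HybridState object runs CCIDS once per tuning cycle, adjusts the threshold between cycles, and declares a match (the transition point) when the CCIDS deviant set contains the node MDS already suspects. The Python below is an added example of that control loop, not the project's HybridState class. The MDS suspect and the CCIDS scores are constructed inputs, and lowering the threshold by a fixed step each cycle, with a floor below which the two phases are declared non-convergent, is this example's assumption, since the slides only say the threshold is adjusted once per cycle.

```python
# Constructed sample input: the node that the zero-knowledge phase (MDS)
# singled out, and the cross-correlation score each node received from
# CCIDS in the current observation window.
MDS_SUSPECT = "D"
CCIDS_SCORES = {"A": 0.95, "B": 0.94, "C": 0.93, "D": 0.60, "E": 0.95}


def ccids_flagged(scores, threshold):
    """Nodes whose score deviates from the mean score by more than threshold*mean."""
    mean = sum(scores.values()) / len(scores)
    return {n for n, s in scores.items() if abs(s - mean) > threshold * mean}


def hybrid_state(mds_suspect, scores, threshold, step, min_threshold=0.02, max_cycles=50):
    """Decide when to transition from Phase 1 (MDS) to Phase 2 (CCIDS).

    Each tuning cycle evaluates CCIDS at the current threshold. A match is
    found when the CCIDS deviant set contains the MDS suspect; otherwise
    the threshold is adjusted once (lowered by `step`, an assumption) and
    the next cycle runs. Stopping at `min_threshold` avoids driving the
    threshold to zero, where every node is flagged and the match is
    meaningless (the "may never converge" case on the threshold slide).
    """
    if mds_suspect is None:
        return {"matched": False, "cycles": 0, "threshold": threshold, "flagged": set()}
    cycle = 0
    for cycle in range(1, max_cycles + 1):
        flagged = ccids_flagged(scores, threshold)
        if mds_suspect in flagged:
            return {"matched": True, "cycles": cycle,
                    "threshold": round(threshold, 6), "flagged": flagged}
        if threshold <= min_threshold:
            break  # floor reached without agreement between the phases
        threshold = max(min_threshold, threshold - step)
    return {"matched": False, "cycles": cycle,
            "threshold": round(threshold, 6), "flagged": ccids_flagged(scores, threshold)}


if __name__ == "__main__":
    result = hybrid_state(MDS_SUSPECT, CCIDS_SCORES, threshold=0.5, step=0.05)
    print(result)
    # A suspect whose score is indistinguishable from the rest never matches.
    uniform = {"A": 0.95, "B": 0.95, "C": 0.95, "D": 0.95}
    print(hybrid_state("D", uniform, threshold=0.5, step=0.05))
```

Starting from a deliberately loose threshold of 0.5, the loop needs five tuning cycles before the bound has tightened to 0.30 and node D's score falls outside it; at that point the flagged set is exactly {D}, the two phases agree, and the transition is taken. The second run shows the non-convergent case: when the suspect's score matches everyone else's, the threshold reaches its floor without agreement and the state reports no match instead of flagging the whole cluster.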
HybrIDS Implementation
Implemented in Java 5 (1.5)
– Introduces code portability
ARM9 development board target
2.73 KB memory footprint for a 35-agent system with 10 behaviors
– MDS and CCIDS use a shared data structure
Storage footprint less than 46 KB
Flexible interface implementation
– TCP/UDP for network interface
– Disk-based access for simulation
– RS-232/Serial interface possible
Analysis of HybrIDS Performance
HybrIDS can reliably detect deviant nodes up to 22% pervasion
25% pervasion and up removes element of determinacy
Scalability by percentage pervasion
Number of nodes in cluster does not affect scalability concerns
Graph includes total time – MDS, transition and CCIDS cycles
Operational Footprint
HybrIDS with its JVM uses 5MB of application memory (Linux 2.6.22)
Maximum power requirement is 5 watts + idle power of ARM9 platform
HybrIDS and SCADA
HybrIDS is optimized for homogeneous ad-hoc networks
While heterogeneous, SCADA contains homogeneous components that can exploit HybrIDS's potential
HybrIDS can operate on RTU nodes within SCADA infrastructure
HybrIDS and SCADA (cont’d)
SCADA is migrating increasingly to vulnerable network infrastructures
– WAN
– WLAN
HybrIDS can be used to detect attack methods on these networks
– DDOS and packet drops alter interaction request frequencies
– Targeting of a specific node is easily detected by multiple HybrIDS-enabled nodes
Conclusion
HybrIDS provides a flexible IDS framework for ad-hoc networks
Distributed nature allows for seamless integration and reliability
Can easily integrate into existing frameworks, such as SCADA
Offers scalable performance for multiple anomaly detection
[Figure: ARM9 Development Platform]