Evaluating the usefulness of watchdogs for intrusion detection in VANETS Jorge Hortelano, Juan...

Evaluating the usefulness of watchdogs for intrusion detection in VANETS Jorge Hortelano, Juan Carlos Ruiz, Pietro Manzoni Presented by: Surya Siddharth Pemm Sri Rajarsh Vytla Rahul Kota


Evaluating the usefulness of watchdogs for intrusion detection in VANETS

Jorge Hortelano, Juan Carlos Ruiz, Pietro Manzoni

Presented by: Surya Siddharth Pemmaraju, Sri Rajarsh Vytla, Rahul Kota


What is a VANET?

• VANET – Vehicular Ad-Hoc Network

• It uses moving vehicles, such as cars, and nearby fixed equipment as nodes in a MANET

• Primary Goal – Road Safety (minimizing accidents)

• Secondary Goals – Real-time traffic congestion and routing information, mobile infotainment etc.

Types of communications in a VANET?

Types of Routing Protocols in a VANET?


Different Routing Protocols:

• Traditional MANET protocols such as DSR, AODV etc. These can be used because a VANET is a special case of a MANET in which nodes have higher speed and distinguished movement (most of the nodes follow a similar path).

• Location Based Routing – GPSR (Greedy Perimeter Stateless Routing). It figures out which node is its closest neighbor and uses a greedy algorithm for calculating the most efficient path.

Looks Safe? But, What if a node is malicious?

Malicious nodes – manipulate the sensitive information exchanged between nodes: replay attacks, modification of routing information. The whole topology fails.

These routing protocols are robust against any topology changes.

How to Overcome?


Intrusion Detection System (IDS):

Monitors the activity of nodes in the network to detect misbehavior. The basic brick of an IDS is the watchdog.

Watchdog: a component of the system which detects selfish nodes and malicious attackers. But how does it detect?

What is Watchdog?

When a node forwards a packet, it verifies whether the next node in the route also forwards it or not by listening promiscuously to the next node’s transmissions.

Is every system perfect?

No, almost every system is vulnerable. But a vulnerability becomes a security hazard only when it is exploited by an adversary.


Ad-Hoc Network Vulnerabilities:

Threats are caused due to:
1. External Attackers (Inject erroneous routing information)
2. Compromised Nodes (Misuse routing information to other nodes)

Routing Disruption Attack: These attacks are considered instances of denial-of-service (DoS) attacks, since they compromise the routing of the packet.

Types of Routing Disruption attacks:
1. Black Hole attack (Drops all packets)
2. Grey Hole attack (Selectively drops packets)
3. Selfish Node


Watchdogs and their importance for MANET IDSs

MAIN IDEA: As a node can listen to packets traversing its neighborhood, it can monitor its neighbors' activity by overhearing the next nodes' forwarding transmissions. The watchdog can deduce if nodes are acting as selfish, black or grey hole routers. It is independent of the routing protocol used and can detect attacks in ad hoc networks.


Previous Implementations:

Each node uses the information provided by watchdogs to rate neighbors and classify them as fresh member, unstable, malicious.

Can extend the detection capabilities provided by watchdog with public key encryption and signatures.

Watchdogs form the core of the most important types of IDS solutions.

False positives and false negatives are not considered in the evaluation of watchdog.


DESIGN APPROACH

The goal is to supervise the activity of a node's neighbors while providing a portable solution.

DETECTION APPROACH: Neighbor trust level = received packets for forwarding / packets forwarded. The ideal neighbor trust level is 1 (100%), which is difficult to achieve due to collisions and signal noise.

MINIMIZING FALSE WATCHDOG DETECTIONS: It is difficult to differentiate a collision from an attack, which causes false positives. A tolerance threshold defines a certain packet loss tolerance. An increase in detection time leads to false negatives, where intermittent and temporal attacks may remain undetected. Devaluation techniques, which decrease the weight of the oldest received packets over time, are used.
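An added example (not code from the paper or the presenters) of how a tolerance threshold and devaluation interact. It tracks the weighted fraction of packets a neighbor was not overheard forwarding rather than the slide's trust ratio; the decay factor of 0.8, the per-round counting, the traces and all names are assumptions.

```c
#include <stdio.h>

#define TOLERANCE 0.50 /* packet-loss tolerance threshold (50%, as on the slides) */
#define DECAY     0.80 /* assumed devaluation factor applied to older rounds */

/* Per-neighbor state; doubles because old observations are devalued. */
typedef struct { double to_forward, forwarded; } neighbor_t;

/* Devalue the history, then add this round's overheard packet counts. */
void wd_observe(neighbor_t *n, unsigned rx, unsigned fwd) {
    n->to_forward = n->to_forward * DECAY + rx;
    n->forwarded  = n->forwarded  * DECAY + fwd;
}

/* Weighted fraction of packets the neighbor was not overheard forwarding. */
double wd_loss(const neighbor_t *n) {
    if (n->to_forward <= 0.0) return 0.0; /* nothing observed yet */
    return 1.0 - n->forwarded / n->to_forward;
}

/* Replay a trace of {received-for-forwarding, forwarded} rounds.
 * Returns the 1-based round that first raises an alarm, or 0 for none. */
int wd_first_alarm(const unsigned trace[][2], int rounds) {
    neighbor_t n = {0.0, 0.0};
    for (int i = 0; i < rounds; i++) {
        wd_observe(&n, trace[i][0], trace[i][1]);
        if (wd_loss(&n) > TOLERANCE) return i + 1;
    }
    return 0;
}

/* Constructed traces, 10 packets per round. */
static const unsigned NOISY[4][2] = {{10,9},{10,8},{10,9},{10,7}};            /* collisions only */
static const unsigned BLACK[5][2] = {{10,10},{10,10},{10,0},{10,0},{10,0}};   /* black hole from round 3 */
static const unsigned BURST[5][2] = {{10,10},{10,10},{10,0},{10,10},{10,10}}; /* one-round attack */

int main(void) {
    printf("noisy link : alarm round %d\n", wd_first_alarm(NOISY, 4));
    printf("black hole : alarm round %d\n", wd_first_alarm(BLACK, 5));
    printf("short burst: alarm round %d\n", wd_first_alarm(BURST, 5));
    return 0;
}
```

With these traces, collision loss alone never crosses the threshold, the sustained black hole is flagged one round after it starts, and the one-round attack is never flagged, which is the kind of false-negative window the tolerance threshold creates.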


IMPLEMENTATION TRADEOFFS

Implementation done in C.

The watchdog performs 5 steps:
1. Reads the packets from the wireless card
2. Generates the neighborhood
3. Detects the black-hole attack
4. Frees consumed resources
5. Sleeps for a random time for resource saving

The card is set to promiscuous mode to listen to all neighboring packets in range. For the neighborhood list, the watchdog node must read each packet received. To detect an attack, the watchdog must decide if a packet must be forwarded or not. The alarm has several fields: severity of message, timestamp, IP of the node that sent the alert, PID of the watchdog, and an alert with the IP and MAC of the attacker. For saving resources, the program searches for expired stored data and deletes it. Sleep mode saves CPU consumption. Independent of the routing protocol.


EVALUATION

EXPERIMENTAL SETUP: The considered ad-hoc network was deployed using the CASTADIVA test-bed. Castadiva is an ad-hoc test-bed emulator. Initial topology (A, B, C, D nodes, same topology as before). A and D are Ubuntu-based laptops with a VoIP application (Ekiga). B and C are access points. We test the watchdog in different scenarios using OLSR and AODV. M performs a black-hole attack on packets exchanged by A and D.

FALSE WATCHDOG DETECTION: False positives: study the influence of noise on the tolerance threshold. False negatives: we show the interval when the watchdog can generate a false negative when the tolerance threshold is set to 50%.


CONCLUSION

The watchdog technique is a diagnosis mechanism useful to detect routing disruption attacks in ad hoc networks.

It is independent of the routing protocol and technology used. Analyzed the most relevant issues of this technique. Proposed an algorithm to control both these problems by introducing a tolerance threshold and devaluation mechanisms.