Intrusion Detection in Wireless Sensor Networks


Intrusion Detection in Wireless Sensor Networks
Group Meeting
Spring 2005
Presented by Edith Ngai
Outline
• Wireless sensor networks (WSN)
• Security in WSN
• Background on intrusion detection
• Intrusion detection in WSN
• Types of attacks
• Intrusion detection components
• Required technologies
• Future directions
• Conclusion
Technology trend
• Small integrated devices
• Smaller, cheaper, more powerful
• PDAs, mobile phones
• Many opportunities and research areas
• Power management
• Distributed algorithms
Wireless sensor networks
• Wireless sensor node
• power supply
• sensors
• embedded processor
• wireless link
• Many, cheap sensors
• wireless → easy to install
• intelligent → collaboration
• low-power → long lifetime
Possible applications
• Military
• battlefield surveillance, biological attack detection, targeting
• Ecological
• fire detection, flood detection, agricultural uses
• Health related
• human physiological data monitoring
• Miscellaneous
• car theft detection, inventory control, home applications
Required technologies
• Efficient data routing
• ad-hoc network
• one or more ‘datasinks’
• In-network data processing
• large amounts of raw data
• limited power and bandwidth
• Node localization
Security in WSN
• Main security threats in WSN are:
• Radio links are insecure – eavesdropping and injecting faulty information are possible
• Sensor nodes are not tamper resistant – if a node is compromised, the attacker obtains all of its security information (keys and state)
• Goal: protecting confidentiality, integrity, and availability of the communications and computations
Why is security different?
• Sensor node constraints
• Battery
• CPU power
• Memory
• Networking constraints and features
• Wireless
• Ad hoc
• Unattended
Network defense
Protect
- Encryption
- Firewalls
- Authentication
- Biometrics
Detect
- Intrusions
- Attacks
- Misuse of Resources
- Data Correlation
- Data Visualization
- Malicious Behaviors
- Network Status/Topology
React
- Response
- Terminate Connections
- Block IP Addresses
- Containment
- Recovery
- Reconstitute
What is intrusion detection?
• Intrusion detection is the process of
discovering, analyzing, and reporting
unauthorized or damaging network or
computer activities
• Intrusion detection discovers violations of
confidentiality, integrity, and availability of
information and resources
What is intrusion detection?
• Intrusion detection demands:
• As much information as the computing
resources can possibly collect and store
• Experienced personnel who can interpret
network traffic and computer processes
• Constant improvement of technologies and
processes to match pace of Internet
innovation
How useful is intrusion detection?
• Provide digital forensic data to support post-compromise law enforcement actions
• Identify host and network misconfigurations
• Improve management and customer
understanding of the Internet's inherent
hostility
• Learn how hosts and networks operate at the
operating system and protocol levels
Intrusion detection models
• All computer activity and network traffic
falls in one of three categories:
• Normal
• Abnormal but not malicious
• Malicious
• Properly classifying these events is the single most difficult problem, even more difficult than evidence collection
Intrusion detection models
• Two primary intrusion detection models
• Network-based intrusion detection monitors
network traffic for signs of misuse
• Host-based intrusion detection monitors
computer processes for signs of misuse
• So-called "hybrid" systems may do both
• A hybrid IDS on a host may examine network
traffic to or from the host, as well as
processes on that host
IDS paradigms
• Anomaly Detection - the AI approach
• Misuse Detection - simple and easy
• Burglar Alarms - policy based detection
• Honey Pots - lure the hackers in
• Hybrids - a bit of this and that
Anomaly detection
• Goals:
• Analyze the network or system and infer what
is normal
• Apply statistical or heuristic measures to
subsequent events and determine if they
match the model/statistic of “normal”
• If events are outside of a probability window
of “normal” then generate an alert
Misuse detection
• Goals:
• Know what constitutes an attack
• Detect it
• A database of known attack signatures should
be maintained
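The two paradigms above, and the three-way classification from the "Intrusion detection models" slide, as a small runnable illustration. This is an added example, not code from the original presentation: the events, the per-host baseline of "normal", the 3-sigma alert window and the two signatures are all constructed for illustration. The anomaly detector infers "normal" from a training window and alerts on rates outside it; the misuse detector matches requests against a (tiny) signature database; an event is "malicious" if a signature matches, "abnormal but not malicious" if only the anomaly detector fires, and "normal" otherwise.

```python
"""Anomaly detection vs. misuse detection over a constructed event stream.

Added example, not taken from the original slides. The events, the
per-host baseline of 'normal', the 3-sigma alert window and the two
signatures are constructed for illustration.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    conns_per_min: int   # connection attempts seen in a one-minute window
    request: str         # one request payload observed in that window


# Constructed training window: connection rates observed while each host behaved normally.
BASELINE = {
    "web01": [40, 42, 38, 45, 41, 39, 43, 40],
    "db01": [5, 6, 4, 5, 7, 5, 6, 6],
}

# Misuse detection: a (tiny) database of known attack signatures.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

Z_THRESHOLD = 3.0   # alert when an observation lies more than 3 sigma from 'normal'


def zscore(value, samples):
    """Distance of value from the samples' mean, in standard deviations."""
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def anomaly_alert(ev):
    """Anomaly detection: infer 'normal' from the baseline, alert outside the window."""
    samples = BASELINE.get(ev.host)
    if samples is None:
        return True   # no model of normal exists for this host, so it cannot be vetted
    return abs(zscore(ev.conns_per_min, samples)) > Z_THRESHOLD


def misuse_alert(ev):
    """Misuse detection: return the names of every signature the event matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(ev.request)]


def classify(ev):
    """Place the event in one of the slides' three categories."""
    sigs = misuse_alert(ev)
    if sigs:
        return "malicious", sigs
    if anomaly_alert(ev):
        return "abnormal-not-malicious", []   # an analyst still has to interpret this one
    return "normal", []


# Constructed events to classify.
EVENTS = [
    Event("web01", 41, "GET /index.html HTTP/1.1"),
    Event("web01", 200, "GET /index.html HTTP/1.1"),
    Event("web01", 44, "GET /static/../../etc/passwd HTTP/1.1"),
    Event("db01", 6, "SELECT * FROM users WHERE name='a' or 1=1"),
    Event("db01", 7, "SELECT 1"),
    Event("cam07", 3, "PING"),
]


def run(events=EVENTS):
    """Classify every event; returns (host, category, matched signatures) per event."""
    return [(ev.host, *classify(ev)) for ev in events]


if __name__ == "__main__":
    for host, category, sigs in run():
        print(f"{host:6} {category:24} {sigs}")
```

The split mirrors the slides' trade-off: the signature matcher is cheap and precise but only knows attacks already in its database, while the statistical model catches the unknown 200-connection burst and the never-seen host but cannot say whether either is hostile, which is why the third category exists.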
Intrusion Detection in WSN
Network model
• $BS_j$: base station at location $(X_j, Y_j)$
• $S_i$: sensor node at location $(x_i, y_i)$
• $R$: transmission range of the base station
• $r$: transmission range of the sensor node
• k-coverage: a node covered by $k$ base stations
Definitions
• Coverage of a base station: $C_i = \{\, p : |p - BS_i| \le R \,\}$
• Coverage by $k$ base stations: $S_k = \{\, p \in BS_{i_1} \cap BS_{i_2} \cap \cdots \cap BS_{i_k} \mid 1 \le i_j \le N \,\}$
• $p$ sends data to $q$ successfully (in 1 hop): $p \xrightarrow{s} q \iff |p - q| \le r \wedge p, q \in G$
• $p$ sends data to $q$ successfully via $k$ hops: $p \xrightarrow{s}_k q \iff \exists\, p_1, \dots, p_{k-1} \in G \mid p \xrightarrow{s} p_1 \wedge \bigwedge_{i=1}^{k-2} \left( p_i \xrightarrow{s} p_{i+1} \right) \wedge p_{k-1} \xrightarrow{s} q \wedge \left( \forall i, j \in \{1, \dots, k-1\} \mid i \ne j : p_i \ne p_j \wedge p_i \ne p \wedge p_i \ne q \right)$
• $p$ fails in sending data to $q$: $p \xrightarrow{f} q \iff$ failure on transmission from $p$ to $q$
Types of intrusions
• Sinkhole SH($q$), HelloFlood HF($q$)
• A region of nodes will forward packets destined for a BS through an adversary $q$: for every node $p$ of the region, $p \xrightarrow{s}_k q \xrightarrow{s} BS_i$
• Wormhole WH($q$)
• An adversary tunnels messages received in one part of the network over a low latency link and replays them in a different part: $p \xrightarrow{s}_k q_1 \xrightarrow{s} q_2 \xrightarrow{s} BS_i$, with $q_1$ and $q_2$ the two ends of the tunnel
Types of intrusions
• Missing Data MD($p$)
• Missing data from $p$ to $BS_i$: $p \xrightarrow{f} BS_i \mid p \in C_i$
• Wrong Data WD($p$)
• Inconsistent data: $\left| d(p \xrightarrow{w} BS_i) - d(N(p) \xrightarrow{s} BS_i) \right| > d_m$, i.e. the reading delivered by $p$ differs from the readings of its neighbors $N(p)$ by more than the tolerated difference $d_m$
• Interference
• Sensor $p$ cannot send packets to its neighboring nodes: $\forall i : p \in C_i \mid \neg\exists\, d(p \xrightarrow{s} BS_i)$
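The network model of the "Definitions" slide and the intrusion predicates above, carried through on a small constructed topology. This is an added example, not code from the original presentation: node positions, ranges, the readings received at each base station and the routing paths are constructed; the threshold $d_m$, summarising $N(p)$ by the median of the neighbours' readings, and the "dominating intermediate node" cut-off (more than half of the region's routes pass through one node) are assumptions. The route check also covers the wormhole case: a route whose consecutive hops are farther apart than $r$ claims a link that the radio model cannot provide.

```python
"""The slides' network model and intrusion predicates as runnable code.

Added example, not part of the original presentation. Node positions, ranges,
the readings received at each BS and the routing paths are constructed; the
threshold d_m, summarising N(p) by the median of the neighbours' readings, and
the 'dominating intermediate node' cut-off (more than half of the region's
routes) are assumptions.
"""
import math
import statistics

R, r, D_M = 10.0, 3.0, 5.0   # BS range, sensor range, tolerated disagreement d_m (assumed)

BASE_STATIONS = {"BS1": (0.0, 0.0), "BS2": (12.0, 0.0)}
SENSORS = {"s1": (2.0, 1.0), "s2": (4.0, 1.0), "s3": (6.0, 1.0),
           "s4": (8.0, 1.0), "s5": (10.0, 1.0), "s6": (5.0, 3.5)}

# Constructed audit data: reading received at each BS, per sensor. s1 reports a
# value far from its neighbours, s4 never reaches BS1, s5 reaches no BS at all.
RECEIVED = {
    "BS1": {"s1": 35.0, "s2": 21.0, "s3": 20.0, "s6": 20.5},
    "BS2": {"s2": 21.0, "s3": 20.0, "s4": 19.5, "s6": 20.5},
}
# Constructed routes toward the sink: intermediate hops in order ([] = direct to BS).
# s1 claims a direct hop to s6, which is farther than r: a hop that cannot exist.
ROUTES = {"s1": ["s6"], "s2": ["s6"], "s3": ["s6"], "s4": ["s3", "s6"],
          "s5": ["s4", "s3", "s6"], "s6": []}

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def coverage(bs):
    """C_i = { p : |p - BS_i| <= R }"""
    return {p for p, xy in SENSORS.items() if dist(xy, BASE_STATIONS[bs]) <= R}

def k_covered(k):
    """S_k: sensors lying in the coverage of at least k base stations."""
    return {p for p in SENSORS if sum(p in coverage(b) for b in BASE_STATIONS) >= k}

def one_hop(p, q):
    """p ->s q in one hop iff |p - q| <= r."""
    return dist(SENSORS[p], SENSORS[q]) <= r

def neighbors(p):
    """N(p): the sensors p can reach in one hop."""
    return {q for q in SENSORS if q != p and one_hop(p, q)}

def valid_k_hop_route(p, hops):
    """p ->s_k BS: every hop within r, intermediates distinct and different from p."""
    chain = [p] + hops
    return len(set(chain)) == len(chain) and all(one_hop(a, b) for a, b in zip(chain, chain[1:]))

def missing_data(bs):
    """MD(p): p in C_i but BS_i received nothing from p (p ->f BS_i)."""
    return coverage(bs) - set(RECEIVED[bs])

def wrong_data(bs):
    """WD(p): |d(p -> BS_i) - d(N(p) -> BS_i)| > d_m, using the median of N(p)'s readings."""
    got = RECEIVED[bs]
    flagged = set()
    for p, value in got.items():
        nbr = [got[q] for q in neighbors(p) if q in got]
        if nbr and abs(value - statistics.median(nbr)) > D_M:
            flagged.add(p)
    return flagged

def interference():
    """Interference: p is covered by some BS but heard by none of the BSs covering it."""
    out = set()
    for p in SENSORS:
        covering = [b for b in BASE_STATIONS if p in coverage(b)]
        if covering and not any(p in RECEIVED[b] for b in covering):
            out.add(p)
    return out

def sinkhole_suspects(region=None):
    """SH(q)/HF(q) by route tracing: q is suspect when more than half of the region's
    routes (assumed cut-off) pass through q as an intermediate hop."""
    region = region or set(SENSORS)
    counts = {}
    for p in region:
        for q in set(ROUTES[p]):
            counts[q] = counts.get(q, 0) + 1
    return {q for q, n in counts.items() if n > len(region) / 2}

def run():
    """Apply every check to the constructed audit data."""
    return {
        "coverage_BS1": coverage("BS1"),
        "two_covered": k_covered(2),
        "bad_routes": {p for p, hops in ROUTES.items() if not valid_k_hop_route(p, hops)},
        "missing_BS1": missing_data("BS1"),
        "wrong_BS1": wrong_data("BS1"),
        "interference": interference(),
        "sinkhole": sinkhole_suspects(),
    }

if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {sorted(value)}")
```

Two points worth noticing when running it: the missing-data check is per base station (s4 is missing at BS1 but heard at BS2, so the global fusion across overlapping coverage areas clears it), whereas interference needs a node to be silent at every base station that covers it; and the wrong-data check must use the neighbours' readings as received at the same base station, otherwise a node missing at that station would be compared against data it never delivered there.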
Architecture
(Figure: flow of the proposed architecture.) Data Collection (History, Routing, Topology) → Data Fusion (local, global) → checks for Missing Data?, Inconsistent Data? and Suspicious Routes?, plus Suspicious Behavior? from Neighboring Monitoring → on Yes: Intrusion Type Identification → Route Tracing → Intrusion Location → Intrusion Reaction
Intrusion detection components
• Neighbor monitoring
• Watchdog
• Data fusion
• Local – neighboring nodes
• Global – overlapping areas
• Topology discovery
• Route tracing
• History
Components \ Attack Types
Attack Types: I – Sinkhole, Hello Flood; II – Wormhole; III – Missing Data; IV – Wrong Data; V – Interference
• Neighbor Monitoring, at BS: I – dominating intermediate node; II – dominating intermediate node; III – selective forwarding; IV – ---; V – ---
• Neighbor Monitoring, at Sensor: I – ---; II – ---; III – selective forwarding; IV – ---; V – interference (jamming with neighbors)
• Data Comparison, Global: I – may have missing or inconsistent data; II – may have missing or inconsistent data; III – missing data; IV – inconsistent data (IVa – malicious sensor or intermediate nodes); V – missing data
• Data Comparison, Local: I – may have missing or inconsistent data; II – may have missing or inconsistent data; III – missing data; IV – inconsistent data (IVb – sensor failure or being compromised); V – missing data
• Routing (with topology info.), at BS: I – a region of nodes forward packets through the same adversary; II – an adversary tunnels messages and replays them in a different part; III – ---; IV – ---; V – ---
Required technologies
• Collection of the audit data
• Localization
• Data fusion
• Routing
• Analysis on the audited data
• Identify the intrusion characteristics
• Detect the intrusions
• Locate the intrusions
• Intrusion reaction
Future directions
• Study how to collect the audit data effectively
• Complete the intrusion detection architecture
• Investigate the methods to analyze the audit
data for intrusion detection
• Explore how to locate and react to the intrusions
• Formulate and evaluate our intrusion detection
solution
Conclusion
• We discussed the characteristics of WSN and its security issues
• We studied traditional intrusion detection technologies
• We introduced the problem of intrusion detection in WSN
• We proposed an intrusion detection architecture and analyzed various kinds of intrusions in WSN
• We showed our future directions