Performance Analysis of Distributed IDS Protocols for Mobile GCS
Dr. Jin-Hee Cho, Dr. Ing-Ray Chen
MITRE
7 April 2009, CS 5214, Presenter: Phu-Gui Feng


Page 2: Agenda

– Introduction
– System Description
  – Secure GCS
  – Distributed IDS
  – Resulting Metrics
– Performance Model (SPN)
– Key Parameterization
– SRN Calculations
– Conclusions

Page 3: MANET Design Challenges

Paper Objective: to Design a Secure GCS
– Mobile Ad Hoc Network (MANET) hosts form secure group communication systems (Secure GCS)
– In a GCS, mobile nodes join and leave a group dynamically

High security vulnerability:
– Outsider attacks: key pairs are the 1st line of defense
– Insider attacks: IDS is the 2nd line of defense

Unique characteristics:
– Open medium, dynamic topology
– De-centralized decision and cooperation
– Lack of centralized authority
– Lack of resources (power, BW, memory)
– No clear line of defense [7]

The Problem: System Failure Before Mission Completion

Our Goal: To Improve Survivability (MTTSF)

Page 4: Related Work & Application

Related Work:
– No reactive IDS against changing attacker behaviors
– No analysis of detection latency vs performance degradation
– No analysis of the impact of IDS on performance degradation

Our Unique Contribution:
– The need for Secure GCS in MANET
– Trade-off between security and performance
– Insider attacks and IDS defects
– Identify optimal design of adaptive IDS
– Develop SRN to describe and analyze IDS and the trade-off
– Evaluate maximized MTTSF and optimal IDS detection interval

Page 5: System Description (1 of 3)

Secure GCS:
– Shared key to maintain group confidentiality
  – Group key agreement protocol [9]
  – Distributed key management protocol: CKA GDH [10]
– Dynamic group rekeying to change the group key
  – Forward secrecy: knowing a previous key does not reveal the current key
  – Backward secrecy: knowing the current key does not reveal previous keys
– Mission oriented: detect and evict compromised nodes
  – E.g. rescue teams in disaster recovery
  – E.g. soldier groups on the battlefield
– Compromised nodes result in a compromised system
  – Accepting leaked info (C1) results in loss of system integrity
  – More than 1/3 of member nodes undetected and compromised (C2) results in loss of system availability
  – Collusion results in detection defects (Pfn, Pfp)

Page 6: System Description (2 of 3)

Distributed IDS:
– Host-based IDS [15]
  – Local detection of compromised neighboring nodes
  – Pre-installed host-based IDS
  – Misuse detection, anomaly detection [15]
– Voting-based IDS
  – Independent framework
  – Cooperative detection
  – Majority voting on sensor networks [2]
  – Approach:
    – Host-based IDS collects info
    – Periodically, a target node is evaluated (voted on)
    – m voters are selected

Host-based IDS: P1 = false negative probability, P2 = false positive probability
Voting-based IDS: Pfn = false negative probability, Pfp = false positive probability

Page 7: System Description (3 of 3)

Security and Performance Metrics:
– MTTSF:
  – Average time before reaching the failure absorbing state
  – Lower MTTSF means C1 or C2 is reached sooner
  – Goal: maximize MTTSF
– Communication Traffic Cost
  – Total traffic per second:
    – Group communication
    – Status exchange, rekeying
    – Intrusion detection, beacon
    – Group partition/merge
  – High cost means high contention, high delay
  – Goal: minimize total cost

Page 8: Performance Model

Places and tokens:

   Place   Tokens
1          # of groups in system
2  Tm      # of trusted members in group
3  UCm     # of un-detected members in group
4  DCm     # of detected members in group
5  GF      # of failed members in group

Transitions:

   Transition   Event                      Model Rate Functions and Guards
1  T_PAR        group partition            birth
2  T_MER        group merge                death
3  T_CP         compromise good members    attacker
4  T_IDS        detect evictable members   detection
5  T_FA         false alarm                detection falsely
6  T_DRQ        illegal data request       C1 or C2
7  T_RK         re-key                     1/Tcm

Page 9: Key Parameterization

m = 19 voters, majority threshold = 10. Let i be the number of bad (compromised) voters and j = m − i the number of good voters.

Case A: i = 0 .. 9 bad voters (majority of voters are good, j = 19 .. 10)
– The i bad voters cast bad votes; the vote is defective only if enough good voters also cast bad votes that the total of bad votes reaches 10 (e.g. i = 0: 0 bad voters, 10 good voters casting bad votes, 9 good voters; i = 9: 9 bad voters, 10 good voters casting bad votes, 0 good voters).

Case B: 10 .. 19 bad voters (majority of voters are bad, 9 .. 0 good voters)
– The bad voters alone reach the majority, so the outcome is decided by their votes (e.g. 10 bad voters + bad votes, 9 good voters; 19 bad voters + bad votes, 0 good voters).
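The following is an added worked example (not code from the slides or the paper) that turns the host-based P1/P2 from page 6 and the two voter cases of page 9 into the voting-level Pfn/Pfp. It assumes a simple model, stated in the docstring: voters are drawn without replacement from the trusted and undetected-compromised nodes, good voters err with the host-based probabilities, and bad voters collude; the function names and the sample node counts are constructed for illustration.

```python
from math import comb


def binom_below(n, p, k):
    """P(X < k) for X ~ Binomial(n, p); equals 1 when k > n."""
    return sum(comb(n, x) * p ** x * (1 - p) ** (n - x) for x in range(min(k, n + 1)))


def hypergeom(n_good, n_bad, m, i):
    """P(exactly i of the m voters drawn without replacement are bad)."""
    return comb(n_bad, i) * comb(n_good, m - i) / comb(n_good + n_bad, m)


def voting_ids_defects(n_good, n_bad, m, p1, p2):
    """Return (Pfn, Pfp) of one majority-vote IDS round with m voters.

    Assumed model (not the paper's exact formula): the m voters are drawn
    uniformly from n_good trusted and n_bad undetected-compromised nodes;
    a good voter misses a compromised target with probability p1 (host-based
    false negative) and accuses a good target with probability p2 (host-based
    false positive); bad voters collude, i.e. always vote 'good' for a
    compromised target and 'compromised' for a good one.
    """
    assert m <= n_good + n_bad, "cannot pick more voters than there are nodes"
    majority = m // 2 + 1              # m = 19 -> 10, as on the slide
    pfn = pfp = 0.0
    for i in range(min(m, n_bad) + 1):  # i = number of bad voters
        j = m - i                       # j = number of good voters
        if j > n_good:
            continue
        w = hypergeom(n_good, n_bad, m, i)
        # Compromised target: only good voters may vote 'compromised', each
        # with probability 1 - p1. The target escapes if they fall short of
        # the majority (when j < majority, bad voters alone decide: Case B).
        pfn += w * binom_below(j, 1 - p1, majority)
        # Good target: the i bad votes are certain; good voters add false
        # positives with probability p2 each, and at least (majority - i)
        # of them are needed to evict the good node (Case A).
        need = majority - i
        pfp += w * (1.0 if need <= 0 else 1 - binom_below(j, p2, need))
    return pfn, pfp


if __name__ == "__main__":
    # Constructed sample: 40 trusted and 5 undetected-compromised nodes.
    for m in (5, 9, 19):
        pfn, pfp = voting_ids_defects(40, 5, m, p1=0.1, p2=0.1)
        print(f"m={m:2d}  Pfn={pfn:.6f}  Pfp={pfp:.6f}")
```

Running it with the sample numbers reproduces the sensitivity stated in the conclusions: a larger m drives Pfn and Pfp down as long as bad voters are a minority, at the price of more voters per round.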

Page 10: SRN Calculations

Expected cumulative reward: MTTSF
– Reward assignment:
  – Operational states: 1
  – Failure state: 0

Page 11: Conclusions (1 of 3)

Optimal TIDS (IDS detection interval)

Sensitivity:
– higher m → lower Pfp, Pfn → MTTSF increases, but cost is high
– smaller m → larger Pfp, Pfn → MTTSF decreases

1. Before Topt, as TIDS increases: fewer IDS rounds → fewer false alarms → less probable GF from C2 → MTTSF increases
2. After Topt, as TIDS increases: fewer IDS rounds → more T_CP → more UCm → more probable GF from C1 → MTTSF decreases

Page 12: Conclusions (2 of 3)

Optimal TIDS: trade-off between CGC and CIDS
– higher m → lower Pfp, Pfn → CGC higher
– higher m → more voters → CIDS higher

Sensitivity of TIDS:
– higher m → higher cost saving

Page 13: Conclusions (3 of 3)

Strength   Type     Attack   Detection TIDS   Cost
weak       log               shorter          less CGC
medium     linear   x        x optimal        less Ctotal
strong     poly              longer           less CIDS

Secure GCS:
– Identify optimal design of adaptive IDS in response to changing attacker strength