Applying Intrusion Detection Systems to Wireless Sensor Networks
Rodrigo Roman, Jianying Zhou, Javier Lopez
10 January 2006

Summary
• Wireless Sensor Networks
• Intrusion Detection Systems
• IDS Architecture for Wireless Sensor Networks
• Conclusions

Wireless Sensor Networks

Wireless Sensor Networks (WSN)
What?
• Nodes: Constrained, Sensors, Wireless.
• Dense Network (100 - more...)
• ∑Nodes = WSN
Applications
• Healthcare
• Environment
• AmI (Smart Homes)
• Military
• ...

Infrastructure – Nodes
[Diagram: Nodes and Base Station]
Features:
• 8 MHz, 128Kb I’s
• Battery: 1 year (“stand-by”)
• Radio (19.2 – 250 Kbps)
Roles:
• Harvesters
• Routers
• Distributed Platform

Infrastructure – Base Station
[Diagram: Nodes and Base Station]
B.S.: Less Constrained
Roles:
• Manager
• Interface (Data Dissemination Network)

Points of Attack
Physical
• Node Integrity
• Channel Integrity
• Environment Integrity
• Energy Integrity
Logical
• Information Integrity
• Protocol Integrity
• Configuration Integrity
Every Node!

Intrusion Detection Systems
• Intrusion?
  - Set of actions: unauthorized access/alteration
• Detection: Intrusion Detection Systems (IDS)
  - O.S. Logs
  - Applications
  - Network Packets
  - Anomaly Detection
  - Signature Detection

IDS – Wireless Networks
• Applying IDS to Wireless Networks… A real problem
• Wireless Communication, Multiple nodes… = Multiple points of attack
• (Usually) IDS Agents inside every node: Constrained resources
• Specific problems in Wireless Sensor Networks
  - Nodes are even more constrained
  - Highly specialized protocols
  - User/Administrator away from the problems (BS)

IDS and WSN – State of the Art
• Partial Solutions
  - Analysing fluctuations in sensor readings
    - Anomaly detection, HMM
  - Attesting the integrity of the code
    - Check I’s memory… but time is what matters!
    - Others: Send (protected) attesting algorithm
  - Watching over the information interchange (Watchdog)
    - Expensive for resource constrained nodes
• No general infrastructure
  - Rules, rules, rules…

IDS Architecture for Wireless Sensor Networks

Architecture: “Template”
• How SHOULD it be?
• Separate detection tasks
  - Local Agents: Internal Info, Active 100% of the time
  - Global Agents: External Info, Aim for 100% coverage
  - What should they analyse? From what sources?
• Share information between agents
  - Cryptography, voting mechanism (Ad Hoc), trust
• Notify users – Base Station
  - Secure Broadcast algorithms (µTesla)
• Optimised Alert database (small disk space)
  - Should have {timestamp, classification, source}

Local Agents
Source Data
- Node Status
- Sent/Received Packets
- Measurements
- Neighbour Information
Analysis
- Physical/Logical Integrity
- Measurement Integrity
- Protocol Integrity
- Neighbourhood

Local Agents
• Physical Integrity
  - Nodes are easily accessible: Destroy!
  - Communication channel (Radio) is easily accessible: Jamming!
  - Alert: HW failures, anomaly in communication channels
• Logical Integrity
  - Nodes can be reprogrammed
  - Alert: Programming event (Xnp)
• Measurements
  - Physical attacks (e.g. defective sensors, others [fire – temperature sensor, movement – accelerometer])
  - Alert: Anomaly detection systems

Local Agents
• Protocol Integrity
  - Many protocols (Why? Specialized network) = Many attacks (malformed packets, packet injection, …)
  - Develop lightweight detection techniques
• Neighbourhood
  - Static networks: Few variations in the network infrastructure
  - Alerts: New nodes, “disappearing” nodes
…
• Too much energy usage?
• Analysis (protocols, measurements) – open issue

Global Agents
• Problem: Energy! Assure:
  - Balance tasks
  - Network coverage
Source Data
- Information (Broadcast)
Analysis
- Protocol Analysis (“Watchdogs”)

Global Agents
Hierarchical Networks
• “Cluster Head” (CH) controls its section of the network
• Global Agent, part of C.H.
Flat Networks
• No hierarchy, same nodes
• Global Agent?
  - Spontaneous Watchdog (SW)
Stronger...

Spontaneous Watchdogs
• Premise:
  - “For every packet circulating in the network, there is a set of nodes that are able to receive both that packet and the packet relayed by the next hop”
  - Only for dense networks
[Diagram: Node A, Node B, Node C, Node D]
• One of the nodes will activate its Global Agent:
  - Network coverage (∀ packet covered by [at least] 1 node)
  - Energy savings (detection tasks are distributed over the nodes)

Spontaneous Watchdogs – Process
• Algorithm
  - Every node receives all packets sent inside its neighbourhood (Waste of energy? No: Am I the destination of this packet?)
  - Is the destination of the packet in my neighbourhood? Yes: I can be a Spontaneous Watchdog
  - How many nodes are in my situation? (n)
    - Need the list of neighbours of all my neighbours
    - Process: Intersect neighbours of sender and receiver = n
      E.g.: A {B,C,D}, B {A,C,D} → {C,D}
  - Probability of being Spontaneous Watchdog: 1/n
• There is no negotiation – process is totally independent

Spontaneous Watchdogs – Problems
• Situations with no active watchdog!
  - 0 SW : (33%) 0.29 – 0.36
  - 1 SW : (40%) 0.44 – 0.36
  - 2 SW : (20%) 0.19 – 0.22
• Solution: Change (Increase) probabilities
  - E.g. : Double probability
    - 0 SW : (7%) 0.04 – 0.12
    - Drawback: More than one SW for one packet
• Balance: Security / Energy
[Figure: scenario probability (%) vs. number of spontaneous watchdogs (nodes), for 25, 10, 5 and 3 neighbors]
[Figure: % spontaneous watchdogs vs. number of nodes, for 25, 10, 5 and 3 neighbors]
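
The selection rule from the Process slide and the "no active watchdog" problem from the Problems slide, as an added Python example (not code from the presentation): every candidate decides on its own with probability 1/n, and the binomial model assumes those decisions are independent. The neighbour lists of C and D, the `scale` parameter and all function names are assumptions made for the example.

```python
import random
from math import comb

# Constructed topology: A and B are the slide's example; C and D are assumed.
NEIGHBOURS = {
    "A": {"B", "C", "D"},
    "B": {"A", "C", "D"},
    "C": {"A", "B", "D"},
    "D": {"A", "B", "C"},
}

def candidates(neighbours, sender, receiver):
    """Nodes that hear both the packet and its relay: N(sender) & N(receiver)."""
    return neighbours[sender] & neighbours[receiver]

def should_watch(me, neighbours, sender, receiver, scale=1.0, rng=random):
    """Negotiation-free decision a node takes for one overheard packet.

    scale=1.0 is the slide's 1/n rule; scale=2.0 is "double probability".
    """
    cand = candidates(neighbours, sender, receiver)
    if me not in cand:  # I am the sender/destination, or cannot hear both hops
        return False
    return rng.random() < min(1.0, scale / len(cand))

def p_active(n, k, scale=1.0):
    """P(exactly k of n candidates activate), assuming independent decisions."""
    p = min(1.0, scale / n)
    return comb(n, k) * p**k * (1 - p) ** (n - k)

def zero_watchdog_rate(neighbours, sender, receiver, scale=1.0,
                       trials=20000, seed=1):
    """Fraction of simulated packets that no node chose to watch."""
    rng = random.Random(seed)
    misses = 0
    for _ in range(trials):
        active = sum(should_watch(m, neighbours, sender, receiver, scale, rng)
                     for m in sorted(neighbours))
        misses += active == 0
    return misses / trials

if __name__ == "__main__":
    print("candidates for A -> B:", sorted(candidates(NEIGHBOURS, "A", "B")))
    for n in (3, 25):
        print(n, [round(p_active(n, k), 3) for k in range(3)],
              "doubled P(0):", round(p_active(n, 0, scale=2.0), 3))
    print("simulated P(0 SW), A -> B:", zero_watchdog_rate(NEIGHBOURS, "A", "B"))
```

Under this model the chance that nobody watches a packet is about 0.30 for n = 3 and 0.36 for n = 25; doubling the per-node probability lowers it to about 0.04 and 0.12, at the cost of more packets being watched by several nodes at once.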

Conclusions
• This is the path we have to walk… let’s walk it!
  - Apply existing algorithms to a complete IDS system
  - Analyse protocols, deduce detection systems
  - Simulations
• Other details
  - Network lifetime: Structure evolution (e.g. neighbour list)
  - IDS for mobile environments (mobile nodes)