2. OUTLINE
Vulnerabilities of Mobile Wireless Networks
What is IDS?
Types of IDS
Problems of current IDS techniques
IDS design issues
Architecture for Intrusion Detection
Anomaly detection in Mobile Ad-Hoc Networks
Experimental Results
Conclusion
3. VULNERABILITIES OF MOBILE WIRELESS NETWORKS
Wireless networks and mobile computing have developed rapidly in the last decade
The traditional way of protecting networks is no longer sufficient
Use of wireless links increases exposure to attacks ranging from passive eavesdropping to active interfering
No physical access control, and nodes are unprepared for possible encounters
Damage includes leaking secret information, message contamination and node impersonation
4. VULNERABILITIES OF MOBILE WIRELESS NETWORKS (CONTINUED)
Independent roaming could cause a node to be captured or hijacked
Tracking is difficult in a global-scale network
Lack of a centralized authority creates new types of attacks that break the cooperative algorithms
Applications and services can be a weak link
Attacks may target proxies or agents of the base station to mount DoS attacks
5. SOLUTION?
Design a model for intrusion detection techniques (IDS)
Deploy IDS into wireless networks
Keep the wireless networks secured from intrusions
7. WHAT IS IDS
Intrusion: any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
Intrusion detection: a detection technique that attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic
The role of an IDS is passive: it only gathers, identifies, logs and alerts
9. TYPES OF IDS
Based on the type of audit data:
Network-based IDS
Runs at the gateway of a network
Inspects packets that go through the network hardware interface
Host-based IDS
Runs on the operating system audit data
Monitors and analyzes events generated by programs or users
10. TYPES OF IDS (CONTINUED)
Misuse detection system
Uses patterns of well-known attacks or weak spots
Accurately detects instances of known attacks
Fails to detect newly invented attacks
Anomaly detection system
Observes activities that differ from the established usage pattern
Does not require prior knowledge and detects new intrusions
Fails to describe the type of attack
May have a high false positive rate
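The four contrasts on this slide can be made concrete with a small simulation. The following is an added example, not code from the slides or from the paper they summarize: a misuse detector driven by one assumed signature (a per-source RREQ count within a second) and an anomaly detector driven by a mean-plus-k-standard-deviations profile of events per second. The audit records, the signature format, the node names and the threshold k are all constructed for this illustration.

```python
# Added example (not from the slides): misuse detection vs anomaly detection
# over a constructed stream of audit records seen by one node's IDS agent.
from collections import Counter
from statistics import mean, pstdev

# Known-attack patterns for the misuse detector (assumed signature format):
# name -> (event type, minimum count from a single source within one second)
SIGNATURES = {"rreq_flood": ("RREQ", 5)}


def constructed_audit():
    """Constructed audit records as (second, source_node, event_type)."""
    recs = []
    for sec, n in enumerate([2, 2, 3, 2, 2, 3, 2, 2, 3, 2]):  # seconds 0-9: quiet baseline
        for i in range(n):
            recs.append((sec, f"n{i + 1}", "DATA" if i % 2 == 0 else "RREQ"))
    recs += [(10, "n7", "RREQ")] * 6   # matches the known RREQ-flood pattern
    recs += [(11, "n8", "DATA")] * 5   # novel burst for which no signature exists
    recs += [(12, "n3", "DATA"), (12, "n4", "DATA"),
             (12, "n5", "RREQ"), (12, "n3", "RREP")]  # legitimate busy second
    recs += [(13, "n1", "DATA"), (13, "n2", "RREQ")]
    return recs


def misuse_detect(records):
    """Flag seconds matching a known signature; returns {second: attack_name}."""
    per_sec = {}
    for sec, src, ev in records:
        per_sec.setdefault(sec, Counter())[(src, ev)] += 1
    alarms = {}
    for sec, counts in per_sec.items():
        for name, (ev, threshold) in SIGNATURES.items():
            if any(c >= threshold for (_, e), c in counts.items() if e == ev):
                alarms[sec] = name
    return alarms


def build_profile(records, training_seconds):
    """Established usage: mean and std-dev of events per second over a clean window."""
    per_sec = Counter(sec for sec, _, _ in records)
    counts = [per_sec.get(t, 0) for t in training_seconds]
    return mean(counts), pstdev(counts)


def anomaly_detect(records, profile, k=3.0):
    """Flag seconds whose event count exceeds mean + k*std-dev; cannot name the attack."""
    mu, sigma = profile
    per_sec = Counter(sec for sec, _, _ in records)
    return {sec: "anomaly" for sec, c in sorted(per_sec.items()) if c > mu + k * sigma}


def run():
    recs = constructed_audit()
    profile = build_profile(recs, range(10))   # seconds 0-9 are the training window
    return misuse_detect(recs), anomaly_detect(recs, profile)


if __name__ == "__main__":
    misuse, anomaly = run()
    print("misuse:", misuse)    # only the known pattern, and it is named
    print("anomaly:", anomaly)  # known and novel bursts, plus a false positive at second 12
```

Running it shows the trade-off the slide lists: the misuse detector names the RREQ flood at second 10 and misses the novel burst at second 11; the anomaly detector flags seconds 10, 11 and 12 without saying what they are, and second 12 is a legitimate busy period, i.e. a false positive.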
12. PROBLEMS OF CURRENT IDS TECHNIQUES
Current IDS relies on real-time traffic analysis
A mobile ad hoc environment has no switches, routers or gateways where the IDS can be placed to audit data
Mobile users may adopt new operation modes, so anomaly-based IDS cannot be used in all cases
14. IDS DESIGN ISSUES
To build an intrusion detection system that fits the features of mobile ad-hoc networks
To choose the audit data sources appropriately
To design a model of activities that can separate anomaly from normalcy during attacks
16. ARCHITECTURE FOR INTRUSION DETECTION
The intrusion detection and response system should be both distributed and cooperative
Every node in the mobile ad-hoc network participates in intrusion detection and response
Each node is responsible for detecting signs of intrusion locally and independently
Individual IDS agents are placed on each and every node
Each IDS agent monitors local activities
18. ARCHITECTURE FOR INTRUSION DETECTION (CONTINUED)
The data collection module is responsible for gathering local audit traces
The local detection engine uses this data to detect local anomalies
The cooperative detection engine coordinates detection among the IDS agents
19. ARCHITECTURE FOR INTRUSION DETECTION (CONTINUED)
The local response module triggers actions local to the node
The global response module coordinates actions among neighboring nodes
The secure communication module provides a high-confidence communication channel among IDS agents
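The six modules on slides 18 and 19 fit together as a small simulation of one IDS agent per node. The following is an added example, not the architecture's reference code: the module names follow the slides, but the two score thresholds, the rule that an inconclusive local verdict triggers a majority vote among neighbours, the HMAC-authenticated message channel with an assumed pre-shared key, and the node names and audit scores are all assumptions made for this illustration.

```python
# Added example (not from the slides): a toy of the distributed, cooperative
# IDS architecture with one agent per node. Thresholds, voting rule, the
# HMAC channel and all node data are assumptions for this illustration.
import hashlib
import hmac
import json
from dataclasses import dataclass, field

STRONG = 0.8   # local evidence at or above this: respond locally, no consultation
WEAK = 0.3     # below this: treat as normal; in between: ask the neighbours
SHARED_KEY = b"constructed-demo-key"   # assumed pre-shared key for the secure channel


def secure_send(sender, payload):
    """Secure communication module: authenticate an agent-to-agent message."""
    body = json.dumps({"from": sender, **payload}, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return body, tag


def secure_recv(body, tag):
    """Return the parsed message only if its tag verifies; otherwise None."""
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None


@dataclass
class IDSAgent:
    node: str
    neighbors: list
    audit: dict                      # constructed local audit: suspect -> anomaly score in [0, 1]
    actions: list = field(default_factory=list)

    def data_collection(self, suspect):
        """Data collection module: gather the local audit trace about a suspect."""
        return self.audit.get(suspect, 0.0)

    def local_detection(self, suspect):
        """Local detection engine: decide from local evidence alone."""
        score = self.data_collection(suspect)
        if score >= STRONG:
            return "intrusion"
        return "inconclusive" if score >= WEAK else "normal"

    def local_response(self, suspect):
        self.actions.append(("local_response", suspect))

    def global_response(self, suspect):
        self.actions.append(("global_response", suspect))


class Network:
    def __init__(self, agents):
        self.agents = {a.node: a for a in agents}

    def cooperative_detection(self, asker, suspect):
        """Cooperative detection engine: majority vote over authenticated neighbour verdicts."""
        votes = [asker.local_detection(suspect) != "normal"]
        for nb in asker.neighbors:
            verdict = self.agents[nb].local_detection(suspect)
            body, tag = secure_send(nb, {"suspect": suspect, "suspicious": verdict != "normal"})
            msg = secure_recv(body, tag)      # a forged or altered vote is dropped here
            if msg is not None:
                votes.append(msg["suspicious"])
        return sum(votes) > len(votes) / 2

    def handle(self, node, suspect):
        """Local response for strong evidence; global response after a winning vote."""
        agent = self.agents[node]
        verdict = agent.local_detection(suspect)
        if verdict == "intrusion":
            agent.local_response(suspect)
            return "intrusion-local"
        if verdict == "inconclusive" and self.cooperative_detection(agent, suspect):
            agent.global_response(suspect)
            return "intrusion-global"
        return "cleared" if verdict == "inconclusive" else "normal"


def constructed_network():
    """Four mutually adjacent nodes with constructed local scores for suspects X, Y, Z."""
    names = ["A", "B", "C", "D"]

    def make(n, audit):
        return IDSAgent(n, [m for m in names if m != n], audit)

    return Network([make("A", {"X": 0.5, "Y": 0.35, "Z": 0.9}),
                    make("B", {"X": 0.4, "Y": 0.1}),
                    make("C", {"X": 0.6, "Y": 0.2}),
                    make("D", {"X": 0.1})])


def run():
    net = constructed_network()
    return {s: net.handle("A", s) for s in ("X", "Y", "Z")}


if __name__ == "__main__":
    print(run())   # X decided by the neighbours, Y cleared by them, Z handled locally
```

Node A alone cannot decide about X or Y; for X three of four agents hold some suspicion, so the global response fires, while for Y only A does, so the suspect is cleared. Z exceeds A's local threshold and is handled without consulting anyone. The tag check in secure_recv is what keeps a single compromised node from injecting votes it did not compute.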
21. ANOMALY DETECTION IN MOBILE AD-HOC NETWORKS
Differentiate normal behavior from abnormal behavior
Uses an information-theoretic technique to describe the characteristics of information flow
Uses classification algorithms to build anomaly detection models
22. ANOMALY DETECTION IN MOBILE AD-HOC NETWORKS (CONTINUED)
Procedure for anomaly detection:
Select audit data so that the normal dataset has low entropy
Perform appropriate data transformation according to the entropy measures (for information gain)
Compute a classifier using training data
Apply the classifier to test data
Post-process alarms to produce intrusion reports
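The five steps of this procedure, carried through end to end on constructed per-window audit features, as an added example that is not code from the slides or from the underlying paper. The feature names (rreq_rate, route_changes), the one-rule classifier that stands in for RIPPER or an SVM, the choice of a threshold by maximum information gain, and the rule that merges consecutive alarm windows and drops isolated ones are all assumptions for this illustration.

```python
# Added example (not from the slides): the five-step anomaly detection
# procedure on constructed per-window audit features. Feature names, the
# one-rule classifier and the alarm-merging rule are assumptions.
import math
from collections import Counter

# Constructed training windows: feature values plus label (0 normal, 1 abnormal).
TRAIN = [
    {"rreq_rate": 1, "route_changes": 0, "label": 0},
    {"rreq_rate": 2, "route_changes": 3, "label": 0},
    {"rreq_rate": 1, "route_changes": 1, "label": 0},
    {"rreq_rate": 2, "route_changes": 2, "label": 0},
    {"rreq_rate": 1, "route_changes": 0, "label": 0},
    {"rreq_rate": 1, "route_changes": 3, "label": 0},
    {"rreq_rate": 2, "route_changes": 2, "label": 0},
    {"rreq_rate": 1, "route_changes": 1, "label": 0},
    {"rreq_rate": 5, "route_changes": 2, "label": 1},
    {"rreq_rate": 6, "route_changes": 1, "label": 1},
    {"rreq_rate": 4, "route_changes": 3, "label": 1},
    {"rreq_rate": 7, "route_changes": 0, "label": 1},
]
# Constructed test windows in time order (no labels are available at detection time).
TEST = [{"rreq_rate": r, "route_changes": c}
        for r, c in [(1, 0), (2, 1), (1, 2), (5, 1), (6, 2), (5, 0), (1, 1), (2, 3), (4, 2), (1, 0)]]


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    return -sum(k / n * math.log2(k / n) for k in Counter(values).values())


def select_feature(records, features):
    """Step 1: prefer the audit feature whose normal-only data has the lowest entropy."""
    normal = [r for r in records if r["label"] == 0]
    return min(features, key=lambda f: entropy([r[f] for r in normal]))


def information_gain(records, feature, threshold):
    """Information gain about the label from splitting at feature <= threshold."""
    labels = [r["label"] for r in records]
    left = [r["label"] for r in records if r[feature] <= threshold]
    right = [r["label"] for r in records if r[feature] > threshold]
    n = len(records)
    conditional = sum(len(s) / n * entropy(s) for s in (left, right) if s)
    return entropy(labels) - conditional


def best_split(records, feature):
    """Step 2: transform the numeric feature into a binary one at the max-gain threshold."""
    vals = sorted({r[feature] for r in records})
    candidates = [(a + b) / 2 for a, b in zip(vals, vals[1:])]
    return max(candidates, key=lambda t: information_gain(records, feature, t))


def train(records, features):
    """Step 3: a one-rule classifier: selected feature above threshold => abnormal."""
    f = select_feature(records, features)
    return {"feature": f, "threshold": best_split(records, f)}


def classify(model, window):
    """Step 4: apply the classifier to one test window (1 = alarm)."""
    return 1 if window[model["feature"]] > model["threshold"] else 0


def postprocess(alarms, min_run=2):
    """Step 5: merge consecutive alarm windows into (start, end) reports and drop
    runs shorter than min_run (assumed rule to suppress isolated false alarms)."""
    reports, start = [], None
    for i, a in enumerate(alarms + [0]):      # sentinel closes a trailing run
        if a and start is None:
            start = i
        elif not a and start is not None:
            if i - start >= min_run:
                reports.append((start, i - 1))
            start = None
    return reports


def run():
    model = train(TRAIN, ["rreq_rate", "route_changes"])
    alarms = [classify(model, w) for w in TEST]
    return model, alarms, postprocess(alarms)


if __name__ == "__main__":
    model, alarms, reports = run()
    print(model, alarms, reports)
```

On this data the normal windows have entropy about 0.95 bits for rreq_rate and 2 bits for route_changes, so step 1 keeps rreq_rate; the best split lands at 3.0, which separates the training labels perfectly (gain equal to the label entropy); the test stream raises alarms in windows 3, 4, 5 and 8, and post-processing turns that into a single report covering windows 3 to 5 while the isolated alarm at window 8 is dropped.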
24. EXPERIMENTAL RESULTS
Used three specific ad-hoc wireless protocols:
DSR
AODV
DSDV
The feature set reflects information from different sources such as traffic pattern, routing change and topological movement
Built models using two classification algorithms:
RIPPER (induction-based classifier)
SVM_Light
Five different test scripts were used to generate traces
25. EXPERIMENTAL RESULTS (CONTINUED)
Experiments suggested that DSR and AODV are better for anomaly detection
Works better where a degree of path and pattern redundancy exists
High correlation among changes of three types of information is preferred:
Traffic flow
Routing activities
Topological patterns
27. CONCLUSION
An architecture for better intrusion detection in a mobile computing environment should be distributed and cooperative
On-demand protocols work better than table-driven protocols because the behavior of on-demand protocols reflects the correlation between traffic pattern and routing message flows
28. QUESTIONS?
Location-Aided Routing protocol may be more advantageous – why?
Why is the alarm rate much higher if the model is classified using values from another mobility level?