Performance Analysis of Distributed IDS Protocols for Mobile GCS
Dr. Jin-Hee Cho, Dr. Ing-Ray Chen (MITRE)
CS 5214, 7 April 2009. Presenter: Phu-Gui Feng
Agenda
– Introduction
– System Description: Secure GCS, Distributed IDS, Resulting Metrics
– Performance Model (SPN)
– Key Parameterization
– SRN Calculations
– Conclusions
MANET Design Challenges
Paper Objective: to Design a Secure GCS
– Mobile Ad Hoc Network (MANET) hosts form secure group communication systems (Secure GCS)
– In a GCS, mobile nodes join and leave a group dynamically
High security vulnerability:
– Outsider attacks: key pairs are the 1st line of defense
– Insider attacks: IDS is the 2nd line of defense
Unique characteristics:
– Open medium, dynamic topology
– De-centralized decision and cooperation
– Lack of centralized authority
– Lack of resources (power, BW, memory)
– No clear line of defense [7]
The Problem: System Failure Before Mission Completion
Our Goal: To Achieve High Survivability (maximize MTTSF)
Related Work & Application
Related Work:
– No reactive IDS against changing attacker behaviors
– No analysis of detection latency vs performance degradation
– No analysis of the impact of IDS on performance degradation
Our Unique Contribution:
– The need for a Secure GCS in a MANET
– Trade-off between security and performance
– Insider attacks and IDS defects
– Identify the optimal design of an adaptive IDS
– Develop an SRN to describe and analyze the IDS and the trade-off
– Evaluate the maximum MTTSF and the optimal IDS detection interval
System Description (1 of 3)
Secure GCS:
– Shared key to maintain group confidentiality
– Dynamic group rekeying to change the group key
  – Forward secrecy: knowing a previous key does not reveal the current key
  – Backward secrecy: knowing the current key does not reveal previous keys
– Mission oriented: detect/evict compromised nodes
  – E.g. rescue teams in disaster recovery
  – E.g. soldier groups on the battlefield
– Compromised nodes result in a compromised system
  – Accepting leaked info (C1) results in loss of system integrity
  – More than 1/3 of member nodes being un-detected and compromised (C2) results in loss of system availability
  – Collusion (Pfn, Pfp) results in detection defects
System Description (2 of 3)
Distributed IDS:
– Host-based IDS [15]
  – Local detection of compromised neighboring nodes
  – Pre-installed host-based IDS
  – Misuse detection, anomaly detection [15]
– Voting-based IDS
  – Independent framework
  – Cooperative detection
  – Majority voting on sensor networks [2]
  – Approach:
    – Host-based IDS collects info
    – Periodically, a target node is evaluated / voted on
    – m voters are selected
Host-based IDS:   P1 = false negative probability,  P2 = false positive probability
Voting-based IDS: Pfn = false negative probability, Pfp = false positive probability
System Description (3 of 3)
Security and Performance Metrics:
– MTTSF:
  – Average time before reaching the failure absorbing state
  – Lower MTTSF means C1 or C2 is reached faster
  – Goal: maximize MTTSF
– Communication Traffic Cost ( )
  – Total traffic per second:
    – Group communication
    – Status exchange, rekeying
    – Intrusion detection, beacon
    – Group partition/merge
  – High cost means high contention and high delay
  – Goal: minimize total cost
Performance Model

Places and tokens:
  #  Place   Tokens
  1          # of groups in system
  2  Tm      # of trusted members in group
  3  UCm     # of un-detected members in group
  4  DCm     # of detected members in group
  5  GF      # of failed members in group

Transitions, events, and rate functions / guards:
  #  Transition  Event                      Model / Rate Function and Guard
  1  T_PAR       group partition            birth
  2  T_MER       group merge                death
  3  T_CP        compromise good members    attacker
  4  T_IDS       detect evictable members   detection
  5  T_FA        false alarm                false detection
  6  T_DRQ       illegal data request       C1 or C2
  7  T_RK        re-key                     1/Tcm
Key Parameterization
Voting with m = 19 voters; a majority needs 10 votes. i = number of bad (colluding) voters; the remaining m − i voters are good, so m − i ranges over [10, 19] for i = 0 … 9.

Case 1: bad voters in the minority (i = 0 … 9), majority good voters, minority bad voters
  i = 0:  0 bad voters, 19 good voters; the verdict is wrong only if bad votes cast by good voters reach 10
  …
  i = 9:  9 bad voters, 10 good voters; the 9 bad votes plus bad votes from good voters reach 10

Case 2: bad voters in the majority (10 + i bad voters, i = 0 … 9), minority good voters, majority voters are bad
  10 bad voters + bad votes, 9 good voters
  …
  19 bad voters + bad votes, 0 good voters
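Added worked example (our code, not from the paper or the slides): the probability that a majority vote of m = 19 is decided wrongly, for every number of colluding bad voters i = 0 … 19. It assumes, as a modelling choice, that the i colluding voters always cast a wrong vote and that each good voter's host-based IDS errs independently with probability p_err (P1 when the target is compromised, P2 when it is good); the paper's own Pfn/Pfp derivation may differ in detail.

```python
from math import comb


def majority_threshold(m: int) -> int:
    """Smallest number of agreeing votes that forms a majority of m (10 for m = 19)."""
    return m // 2 + 1


def wrong_vote_probability(m: int, bad_voters: int, p_err: float) -> float:
    """Probability that one voting round on a target node reaches the wrong verdict.

    Assumed collusion model (ours, not the paper's): the bad_voters colluding
    voters always vote wrongly; each of the m - bad_voters good voters votes
    wrongly independently with probability p_err (P1 if the target is a
    compromised node, P2 if it is a good node).
    """
    if not 0 <= bad_voters <= m:
        raise ValueError("bad_voters must lie in [0, m]")
    if not 0.0 <= p_err <= 1.0:
        raise ValueError("p_err must be a probability")
    k = majority_threshold(m)
    good = m - bad_voters
    need = k - bad_voters          # wrong votes still required from good voters
    if need <= 0:                  # Case 2: bad voters alone hold the majority
        return 1.0
    # Case 1: at least `need` of the `good` voters must err (binomial tail).
    return sum(comb(good, j) * p_err ** j * (1.0 - p_err) ** (good - j)
               for j in range(need, good + 1))


def sweep_bad_voters(m: int, p_err: float) -> dict:
    """Wrong-verdict probability for every possible number of bad voters 0..m."""
    return {i: wrong_vote_probability(m, i, p_err) for i in range(m + 1)}


if __name__ == "__main__":
    P1 = 0.05  # constructed host-based false-negative probability, not a slide value
    for i, pfn in sweep_bad_voters(19, P1).items():
        print(f"bad voters = {i:2d}  voting Pfn = {pfn:.6f}")
```

With p_err = 0.5 and no bad voters the verdict is a coin flip (0.5); with 9 bad voters a single erring good voter already tips the vote, and from 10 bad voters upward the probability is 1 regardless of P1 or P2.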