Applying Intrusion Detection Systems to Wireless Sensor Networks
10 January 2006
Rodrigo Roman, Jianying Zhou, Javier Lopez

Applications
• Healthcare
• Environment
• AmI (Smart Homes)
• Military
• ...

Infrastructure – Nodes
Features:
• 8 MHz, 128Kb I’s
• Battery: 1 year (“stand-by”)
• Radio (19.2 – 250 Kbps)
Roles:
• Harvesters
• Routers
• Distributed Platform
[Figure: Nodes and Base Station]

Infrastructure – Base Station
B.S.: Less Constrained
Roles:
• Manager
• Interface (Data Dissemination Network)
[Figure: Nodes and Base Station]

Points of Attack
Physical
• Node Integrity
• Channel Integrity
• Environment Integrity
• Energy Integrity
Logical
• Information Integrity
• Protocol Integrity
• Configuration Integrity
Every Node!

Intrusion Detection Systems
• Intrusion?
  • Set of Actions: Unauthorized Access/Alteration
• Detection: Intrusion Detection Systems (IDS)
  - O.S. Logs
  - Applications
  - Network Packets
  - Anomaly Detection
  - Signature Detection

IDS – Wireless Networks
• Applying IDS to Wireless Networks… A real problem
• Wireless Communication, Multiple nodes… = Multiple points of attack
• (Usually) IDS Agents inside every node: Constrained resources
• Specific problems in Wireless Sensor Networks
  • Nodes are even more constrained
  • Highly specialized protocols
  • User/Administrator away from the problems (BS)

IDS and WSN – State of the Art
• Partial Solutions
  • Analysing fluctuations in sensor readings
    • Anomaly detection, HMM
  • Attesting the integrity of the code
    • Check I’s memory… but time is what matters!
    • Others: Send (protected) attesting algorithm
  • Watching over the information interchange (Watchdog)
    • Expensive for resource constrained nodes
• No general infrastructure
  • Rules, rules, rules…

Architecture: “Template”
• How SHOULD it be?
• Separate detection tasks
  • Local Agents: Internal Info, Active 100% of the time
  • Global Agents: External Info, Aim for 100% coverage
  • What should they analyse? From what sources?
• Share information between agents
  • Cryptography, voting mechanism (Ad Hoc), trust
• Notify users – Base Station
  • Secure Broadcast algorithms (µTesla)
• Optimised Alert database (small disk space)
  • Should have {timestamp, classification, source}

Local Agents
- Node Status
- Sent/Received Packets
- Measurements
- Neighbour Information

Local Agents
• Physical Integrity
  • Nodes are easily accessible: Destroy!
  • Communication channel (Radio) is easily accessible: Jamming!
  • Alert: HW failures, anomaly in communication channels
• Logical Integrity
  • Nodes can be reprogrammed
  • Alert: Programming event (Xnp)
• Measurements
  • Physical attacks (e.g. defective sensors, others [fire – temperature sensor, movement – accelerometer])
  • Alert: Anomaly detection systems

Local Agents
• Protocol Integrity
  • Many protocols (Why? Specialized network)

its section of the network
• Global Agent, part of C.H.

Flat Networks
• No hierarchy, same nodes
• Global Agent?
  • Spontaneous Watchdog (SW)

Stronger...

Spontaneous Watchdogs
• Premise:
  • “For every packet circulating in the network, there are a set of nodes that are able to receive both that packet and the relayed packet by the next-hop”
• Only for dense networks
[Figure: Node A, Node B, Node C, Node D]
• One of the nodes will activate its Global Agent:
  • Network coverage (∀ packet covered by [at least] 1 node)
  • Energy savings (detection tasks are distributed over the nodes)

• Algorithm
  • Every node receives all packets sent inside its neighbourhood (Waste of energy? No: Am I the destination of this packet?)
  • The destination of the packet is in my neighbourhood? Yes: I can be a Spontaneous Watchdog
  • How many nodes are in my situation? (n)
    • Need the list of neighbours of all my neighbours
    • Process: Intersect neighbours of sender and receiver = n
      E.g.: A {B,C,D}, B {A,C,D} → {C,D}
  • Probability of being Spontaneous Watchdog: 1/n
  • There is no negotiation – process is totally independent

• Situations with no active watchdog!
  • 0 SW : (33%) 0.29 – 0.36
  • 1 SW : (40%) 0.44 – 0.36
  • 2 SW : (20%) 0.19 – 0.22
• Solution: Change (Increase) probabilities
  • E.g.: Double probability
    • 0 SW : (7%) 0.04 – 0.12
  • Drawback: More than one SW for one packet
• Balance: Security / Energy
[Figure: Scenario probability (%) vs. number of spontaneous watchdogs (nodes), for 25, 10, 5 and 3 neighbors]
[Figure: % spontaneous watchdogs vs. number of nodes, for 25, 10, 5 and 3 neighbors]
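
An added example (not from the original slides) of the Spontaneous Watchdog decision and the coverage probabilities it produces. It assumes each of the n candidates activates independently with probability min(1, factor/n), so the count of active watchdogs is binomial; the function names and the neighbour lists for C and D are constructed for illustration.

```python
import random
from math import comb

# Constructed topology: the lists for A and B are the slide's example,
# the lists for C and D are assumed (fully connected neighbourhood).
NEIGHBOURS = {
    "A": {"B", "C", "D"},
    "B": {"A", "C", "D"},
    "C": {"A", "B", "D"},
    "D": {"A", "B", "C"},
}

def watchdog_candidates(neighbours, sender, receiver):
    """Nodes that hear both the packet and its relay: N(sender) ∩ N(receiver)."""
    return neighbours[sender] & neighbours[receiver]

def decides_to_watch(node, neighbours, sender, receiver, factor=1.0, rng=random):
    """Local, negotiation-free decision taken by `node` for one overheard packet."""
    candidates = watchdog_candidates(neighbours, sender, receiver)
    if node not in candidates:  # sender, receiver, or out of range of one of them
        return False
    return rng.random() < min(1.0, factor / len(candidates))

def p_active(n, k, factor=1.0):
    """P(exactly k of n candidates activate); independent choices -> binomial."""
    p = min(1.0, factor / n)
    return comb(n, k) * p**k * (1 - p) ** (n - k)

def uncovered_fraction(neighbours, sender, receiver, factor=1.0, trials=20000, seed=1):
    """Simulated share of packets that no candidate decided to watch."""
    rng = random.Random(seed)
    candidates = watchdog_candidates(neighbours, sender, receiver)
    missed = sum(
        not any(decides_to_watch(c, neighbours, sender, receiver, factor, rng)
                for c in candidates)
        for _ in range(trials)
    )
    return missed / trials

if __name__ == "__main__":
    print("candidates A->B:", sorted(watchdog_candidates(NEIGHBOURS, "A", "B")))
    for n in (3, 5, 10, 25):
        print(n, [round(p_active(n, k), 2) for k in range(3)],
              "doubled P(0):", round(p_active(n, 0, factor=2), 2))
    print("simulated uncovered:", uncovered_fraction(NEIGHBOURS, "A", "B"))
```

Under this model P(0 SW) is about 0.30 for n = 3 and 0.36 for n = 25, and doubling the probability lowers it to about 0.04 and 0.12, in line with the ranges on the slide.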

Conclusions
• This is the path we have to walk… let’s walk it!
  • Apply existing algorithms to a complete IDS system
  • Analyse protocols, deduce detection systems
  • Simulations
• Other details
  • Network lifetime: Structure evolution (E.g.: neighbour list)
  • IDS for mobile environments (mobile nodes)