
Intrusion Detection in Ad hoc Networks | ECE 453, Study notes of Computer Systems Networking and Telecommunications

Material Type: Notes; Class: Introduction to Computer Networks; Subject: Electrical And Computer Engr; University: University of Tennessee - Knoxville; Term: Unknown 1989;

Typology: Study notes

Pre 2010

Uploaded on 08/31/2009

koofers-user-g2m-1
ECE453 – Introduction to Computer Networks
Lecture 35 – Network Security (VIII)

Intrusion Detection in Ad hoc Networks

Ad hoc networks are vulnerable to attacks. If an attacker tries hard enough, it can always infiltrate the system.

An intrusion detection system does the following jobs:
- Monitor audit data
- Look for intrusions to the system
- Initiate a proper response

Possible Attacks (1)

Attack on routing discovery process:
- Changing the contents of a discovered route
- Modifying a route reply message, causing the packet to be dropped as an invalid packet
- Invalidating the route cache in other nodes by advertising incorrect paths
- Refusing to participate in the route discovery process

Possible Attacks (2)

Attack the routing mechanism:
- Modifying the contents of a data packet or the route via which the data packet is supposed to travel
- Behaving normally during the route discovery phase but dropping data packets
- Generating false route error messages whenever a packet is sent

Intrusion Detection System (IDS)

An IDS identifies and responds to malicious activity targeted at computing and networking resources.

An IDS is NOT:
- An anti-virus system
- A network logging system
- A vulnerability assessment tool

Elements in an IDS

[Figure: elements of an IDS. Labels: Audit Data, Processing Element, Alarm Unit]

Intrusion Response

- Reinitializing communication channels
- Identifying compromised nodes and reorganizing the whole network to preclude the ‘bad guy’
- The IDS agent alarming the end user
- Initiating a ‘re-authentication’ process

Requirements

- The IDS should not introduce a new weakness.
- An IDS should remain transparent.
- An IDS should use as little of the system resources as possible.
- Must be fault tolerant
- Should provide a proper response
- Should assure accuracy of the detection

Watchdog-pathrater

A node could misbehave because it is overloaded, selfish, malicious or broken.

To mitigate the decrease in throughput due to the above reasons, we can use a watchdog to identify misbehaving nodes and a pathrater to help routing protocols to avoid these paths.

How the Watchdog works?

Each node has a watchdog. When a node forwards a packet, the node’s watchdog verifies that the next node in the path also forwards the packet.

How to verify? The watchdog can listen to the next node’s transmission.

Every time a node fails to forward a packet, the watchdog increments a failure tally. If the tally exceeds a threshold, the watchdog claims that the node is misbehaving and uses the pathrater to avoid this path.
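
An added sketch of the watchdog and pathrater logic described above; it is not code from the lecture. The timeout for overhearing a retransmission, the threshold value, the node names and the packet trace are assumptions constructed for illustration, and this pathrater simply picks the shortest path that avoids flagged nodes.

```python
from collections import defaultdict

class Watchdog:
    """Per-node watchdog: remembers packets handed to a next hop and
    tallies the ones it never overhears that hop forwarding."""
    def __init__(self, threshold=3, timeout=2):
        self.threshold = threshold        # assumed value
        self.timeout = timeout            # assumed: ticks to wait for the retransmission
        self.pending = {}                 # packet_id -> (next_hop, deadline)
        self.failures = defaultdict(int)  # next_hop -> failure tally

    def sent(self, packet_id, next_hop, now):
        self.pending[packet_id] = (next_hop, now + self.timeout)

    def overheard(self, packet_id, sender):
        # Listening to the next node's transmission: it forwarded our packet.
        if self.pending.get(packet_id, (None,))[0] == sender:
            del self.pending[packet_id]

    def tick(self, now):
        # Any packet not overheard before its deadline counts as a failure.
        for pid, (hop, deadline) in list(self.pending.items()):
            if now > deadline:
                self.failures[hop] += 1
                del self.pending[pid]

    def misbehaving(self):
        return {n for n, c in self.failures.items() if c > self.threshold}

def pathrater(paths, bad):
    """Shortest candidate path that avoids every flagged node, or None."""
    ok = [p for p in paths if not bad & set(p)]
    return min(ok, key=len) if ok else None

def demo():
    wd = Watchdog(threshold=3, timeout=2)
    # Constructed trace: node A sends 10 packets, even ids via B, odd ids via C.
    # B forwards everything; C forwards packet 1 and then drops data packets.
    for t in range(10):
        hop = "B" if t % 2 == 0 else "C"
        wd.sent(t, hop, now=t)
        if hop == "B" or t == 1:
            wd.overheard(t, hop)
        wd.tick(now=t)
    wd.tick(now=100)  # flush packets still waiting at the end of the trace
    paths = [["A", "C", "D"], ["A", "B", "E", "D"]]
    return dict(wd.failures), wd.misbehaving(), pathrater(paths, wd.misbehaving())

if __name__ == "__main__":
    print(demo())
```

A tally caused by overload or a collision looks the same to this watchdog as a deliberate drop, so the threshold trades detection speed against false accusations.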

Mobile Agent IDS

Mobile agents are a special kind of agent that have the ability to move through large networks.

While moving, a mobile agent can interact with nodes, collect information and make decisions.

Advantages:
- reduction in network load (less data traffic)
- low latency
- when a portion of the IDS gets destroyed or separated, the mobile agents can continue to work

LIDS

Local intrusion detection system (LIDS)

Elements of LIDS:
- A local LIDS: in charge of local intrusion detection and response; also responds to intrusion alerts provided by other nodes
- Mobile agent: collects information and data, with an ability to transfer the results to their home LIDS
- Local MIB (management information base) agent: provides a means of collecting MIB variables, either for the mobile agent or the local LIDS agent