Intrusion Detection in Wireless Ad Hoc Networks

Table of Contents

1 Introduction

2 Overview of Security attacks
2.1 Classification of attacks
2.2 Physical layer attacks
2.2.1 Eavesdropping
2.2.2 Interference and jamming
2.3 Link layer attacks
2.3.1 Disruption on MAC DCF and backoff mechanism
2.3.2 Weakness of 802.11 WEP
2.4 Network layer attacks
2.5 Transport layer attacks
2.5.1 Syn flooding attack
2.5.2 Session hijacking
2.6 Application layer attacks
2.6.1 Malicious code attacks
2.6.2 Repudiation attacks
2.7 Multi-layer attacks
2.8 Cryptographic primitive attacks

3 Cooperative Intrusion Detection System
3.1 Intrusion Detection System Agent
3.1.1 Local data collection
3.1.2 Local detection engine
3.1.3 Cooperative detection engine
3.1.4 Local and global response
3.2 Anomaly detection

4 Modular Intrusion Detection System
4.1 Modular Intrusion Detection System architecture
4.2 Node selection algorithm
4.3 Network packet monitoring
4.4 Decision making
4.5 Local detection

5 Cluster Based Intrusion Detection System
5.1 Possible state of nodes
5.2 Clique computation
5.3 Clusterhead Computation Protocol
5.4 Cluster Valid Assertion Protocol
5.5 Cluster Recovery Protocol

6 Zone Based Intrusion Detection System
6.1 Alert Aggregation
6.2 Zone Based Architecture
6.3 IDS Agent
6.4 Collaboration Mechanism
6.5 Alert Aggregation Mechanism

7 Using Game Theory in Intrusion Detection
7.1 Game Theoretical Formulation of Intrusion Detection
7.2 Bayesian Game Approach for Intrusion Detection
7.2.1 Static game
7.2.2 Dynamic game

8 Summary

9 Conclusions

Bibliography

List of Figures

List of Tables

List of Abbreviations

1 Introduction

Wireless ad-hoc networks are networks without any infrastructure and have a dynamic topology. Nodes have only limited physical security and are limited in resources. In principle every node in this network has equal rights, every node can independently join or leave the network. Due to the lack of any infrastructure the nodes have to organize the network themselves. Nodes can communicate directly within their transmission range if the target node is out of reach, other nodes have to act as routers. That means every node in a wireless ad-hoc network functions also as a router and the success of communication depends on other nodes´ cooperation [13]. These networks are used where an infrastructure is not available, e.g. on battlefields, business associates sharing information in meetings, attendees using laptops to participate in interactive conferences, emergency disaster relief and personal area [13].

A wireless ad-hoc network is very vulnerable to attacks because an adversary has not to pass different barriers like firewalls or gateways, like it is in infrastructure based environments [16]. Intrusion detection systems (IDS) can help finding out if a network is under attack and initiate counteractive measures. An IDS can be described as the second wall of defence whereas intrusion prevention is meant as the first wall of defence [15]. In a infrastructure based network, traffic monitoring is normally done at traffic concentration points like switches, routers and gateways. Due to the lack of infrastructure this approach is not suitable for wireless networks. Therefore most approaches focus on using a detection engine on each node of the wireless network.

A distinction of IDS, based of the audit data used, can be made between network-based and host-based IDS [15]. A network based IDS runs at the gateway of a network and there it captures and examines all passing network packets. The host-based IDS, which is installed on every node, relies on operating system audit data. It monitors and analyzes all events generated by programs and users of the host.

Techniques of intrusion detection can be split into misuse and anomaly detection systems. Misuse detection systems use patterns of well-known attacks to match and identify intrusions [15]. For example the number of login attempts within one minute could be such a pattern. The accurate and efficient detection of attacks is the advantage of this type, on the other hand misuse detection lacks of the ability to detect new invented attacks [15]. The problem is that a database where the patterns are saved has to be updated frequently and this maintenance is a lot of work and is mostly behind new invented attacks. Anomaly detection systems observe activities that deviate significantly from established normal usage profiles as anomalies e.g. the average frequencies of system commands [15]. [9] makes also a further distinction to specification-based detection systems, there a set of constraints describe the correct operation of a program or protocol. The execution is monitored with respect to the defined constraints. There are a lot of different architectures e.g. [16], [5], [4], [12] available. In this paper these four different types are presented and discussed.

The rest of the paper is organized as follows. Section 2 gives an overview of security attacks on different layers of the Internet protocol. In sections 3 to 6 above mentioned different architectures of IDS are presented. In section 7 it is explained how game theory can help to increase performance in ID. Section 8 compares all introduced architectures and points out most important differences. Last section 9 closes this work with a conclusion.

2 Overview of Security attacks

This section describes most relevant security attacks, classifies them and gives a good overview of attacks on different layers. Afterwards attacks on each layer of the Internet model are explained. Most information is taken from [13].

2.1 Classification of attacks

First a difference is made between active and passive attacks. In a passive attack, the adversary obtains data which is exchanged in the network without disrupting the operation of communications nor destroying or modifying any data. Whereas an active attack is classified through an interruption, modification or fabrication of communication data. Examples of passive attacks are eavesdropping, traffic analysis and traffic monitoring [13]. Active attacks are jamming, impersonating, modification, denial of service (DoS) and message replay [13]. The whole difference of them is that a concerned person or node does not take any notice of a passive attack whereas an active attack can and in some cases should be noticed by the target.

Second, external and internal attacks are differentiated. An external attack occurs when a node outside of the networks´ domain attacks a node inside the network. In contrast an internal attack describes an attack where a node, which is part of the network, places an attack. An internal attack is more dangerous than an external one due to the knowledge of valuable and secret information and privileged access rights. As example, the internal attacker may know important IP addresses and the security policy of the target area.

The next classification is done between stealthy and non-stealthy attacks. If an attacker tries to hide his action from an individual or an intrusion detection system, then we speak about a stealthy attack. On the other hand a non-stealthy attack is an attack which cannot be made stealthy like DoS. It is also clear that the aim of some attacks is to be non-stealthy, otherwise they would be useless.

Furthermore a difference between cryptography and non-cryptography related attacks is done. Cryptographic attacks [13] are classified into

- Pseudorandom number attacks
- timestamp, initialization vector
- Digital signature attacks
- RSA signature, ElGamal signature, digital signature standard
- Hash collision attacks
- SHA-0, MD4, MD5, HAVAL-128, RIPEMD

At least attacks on different layers of the internet model are distinguished. Table 1 shows different attacks which are possible on each layer, whereas some attacks can be used on multiple layers [13].

illustration not visible in this excerpt

Table 1: Attacks on different layers of the Internet Model

The next section will explain each attack on the concerning layer. Fist attacks on the physical layer are explained.

2.2 Physical layer attacks

As wireless communication is broadcast by nature common radio signals are very easy to jam or intercept. An adversary can easily overhear or disrupt a service of a wireless network physically [13]. Next sections present eavesdropping and jamming as attacks on the physical layer.

2.2.1 Eavesdropping

The aim of an eavesdropping attack is to read and intercept messages by unintended receivers. Therefore signals or messages can be overheard also fake messages can be injected [13]. Those attacks fall in the category of passive attacks due to the fact the sender and receiver of a message take no notice if messages are overheard. Fake messages are due to fabrication of new messages assigned to the category of active attacks. Hence an eavesdropping attack can be both, active or passive, depending on the fulfilment.

2.2.2 Interference and jamming

Through interference and jamming, radio signals can be disrupted. In the case of a powerful transmitter, signals can be overwhelmed and therefore get disrupted by an attacker [13]. The consequences are corruption or lost of messages. Interference and jamming are assigned to the part of active attacks. The next section is dedicated to the link layer.

2.3 Link layer attacks

Wireless ad-hoc networks are open multipoint peer-to-peer networks. Connectivity among neighbours is maintained by the link layer protocol while the network layer protocol extends the connectivity to all other nodes in the network. Therefore attackers may target the link layer protocol by disrupting the cooperation of the two layers protocols [13]. As examples a backoff mechanism and the weakness of 802.11 WEP^[1] are introduced in the next sections.

2.3.1 Disruption on MAC DCF and backoff mechanism

MAC protocols currently assume cooperative behaviour of all nodes. If malicious nodes do not follow the protocol specifications they can interrupt connection-based or reservation-based MAC protocols [13]. Thus it is possible that an attacker exploits its binary exponential backoff scheme to deny access to the wireless channel from its neighbours [14].^{[2] [3]}

2.3.2 Weakness of 802.11 WEP

WEP introduced by IEEE 802.11 provides WLAN system a modest level of privacy by encrypting radio signals [13]. Although it is common that WEP is broken and replaced by AES^[4] it is still in use. The problem of WEP is that the initialization vector (IV) consists only of 3 bytes. Therefore the probability that the same IV is chosen a second time is very high and is reached after approximately 5.000 network packets sent. This is equivalent to 7 megabytes of data. Hence the password is not changed the attacker has two ciphered packets which were encrypted with the same key. If the attacker knows the plaintext of one of them (may he has forced a message) he can easily decrypt the other [6]. The next higher layer of the Internet Model is the network layer which is presented next.

2.4 Network layer attacks

As mentioned in section 2.3 the network layer extends connectivity from neighbouring nodes to all other nodes of a network [13]. For correct communication over multi-hop links it is necessary that every node cooperates in this task. If a malicious node doesn’t cooperate it can lead to a corruption of the routing protocol. There are a lot of different attacks possible:

- Attacks at the routing discovery phase
- Routing table overflow attack
- Routing cache poisoning attack
- Attacks at the routing maintenance phase
- Attacks at data forwarding phase
- Attacks on particular routing protocols
- Others (Wormhole-, Blackhole-, Byzantine attack, …)

A detailed description of each of them can be found in [13]. Attacks which can occur on the transport layer are now explained in the next section.

2.5 Transport layer attacks

The main task of the transport layer is to set up an end-to-end connection and to guarantee a reliable delivery of packets over it, which includes flow control, congestion control and the clearing of the connection [13]. Compared with wired networks, wireless ad-hoc networks have a higher channel error rate. Following syn flooding and session hijacking are explained.

2.5.1 Syn flooding attack

Syn flooding is an attack which can be categorized under DoS attacks. For a better understanding of this attack it is necessary to know about the three-way-handshake.^[3]

Fig. 1: Three way handshake protocol

Figure 2 shows the flow of a three-way-handshake (3WHS). This protocol is used by TCP whenever a connection is established or teared down. First host A sends a SYN message to host B then host B acknowledge this message by a SYN-ACK message. Finally host A sends an acknowledge message ACK back to host B. Now both hosts can begin to communicate. When a connection is teared down the SYN message is replaced by a FIN message.

The syn flooding attack does nothing other than create a huge number of half opened TCP connections but never completes the handshake. That means that a malicious node sends a SYN request to a target node but never sends the ACK message back. Therefore the target node must maintain all requests until a buffer overflow occurs. To avoid those attacks a node could let the half opened connections expire, however the malicious node can continue sending SYN packets faster than the expiration happens.

2.5.2 Session hijacking

This attack uses the fact that most communications are protected at session setup but not thereafter. The attacker spoofs the victim’s IP address, determines the correct sequence number that is expected by the target and performs a DoS attack on the victim. Furthermore the attacker impersonates the victim and continues the session with the target [13]. The next section completes the presentation of attacks on layers of the Internet Model. This last layer is the application layer.

2.6 Application layer attacks

The application layer supports many protocols like http, SMTP, TELNET and FTP. Hence there are many targets for an attacker. Due to the fact that a user works mostly with applications, those attacks are noticed best by the user. Following two examples of attacks on this layer.

2.6.1 Malicious code attacks

These attacks include viruses, worms, spyware and Trojan horses. They can attack the operating system and user applications. Often they spread themselves through the network [13].

2.6.2 Repudiation attacks

Identity theft describes this attack. With repudiation attacks an adversary is able to deny an activity he did. So an adversary could login with his account and is able to change session parameters that another user is logged for his activities.

2.7 Multi-layer attacks

Some of the described attacks can perform on different layers (DoS, impersonation attacks, Man-in-the-middle attacks). [13] gives a more specific overview of this type of attacks. Section 2 will now close with the explanation of cryptographic attacks.

2.8 Cryptographic primitive attacks

Attacks in this form use the fact that a random number is only a pseudorandom number and often generated with statistical randomness [13]. Therefore they are not resistant against prediction by cryptanalysts. Another field of these attacks is hash collision, there an adversary tries to find two messages with the same hash value [13].

So far this paper explained different kind of attacks on different layers of the Internet Model. Following different Intrusion Detection Systems are explained whereas main focus lies on the architecture and the algorithms of them.

3 Cooperative Intrusion Detection System

This section describes the first of four, in this paper presented, approaches of IDS. Compared with the three others the cooperative system seems to be classical without special features.

[16] mentioned three important attributes an appropriate IDS should have. First a good system architecture must be found that fits the features of a wireless ad-hoc network. Second suitable audit data sources have to be defined. And last a good model of activities must be found that can separate anomaly when under attack from normalcy.

illustration not visible in this excerpt

Fig. 2: The IDS Architecture for Wireless Ad-Hoc Network, adapted from [16]

The general architecture of this IDS is shown in figure 2. IDS agents are placed on every node of the network and each agent runs independently and monitors local activities and is able to communicate activities in its communication range. If an intrusion is detected by a local agent the agent initiates response. In the case of anomaly detection in local data or if the evidence is inconclusive and a broader search is warranted, neighbouring IDS agents will cooperate in global intrusion detection actions. All nodes with their IDS agents together form a system wide IDS system of the wireless network [16]. In the next section the parts of an Intrusion Detection Agent are described.

3.1 Intrusion Detection System Agent

An IDS agent is attached on every node of the network. Such agent can be fairly complex [16] but after all it can be split into six main pieces. The next subsection will explain them.

illustration not visible in this excerpt

Fig. 3: A Conceptual Model for an IDS Agent, adapted from [16]

3.1.1 Local data collection

This module is responsible for gathering streams of real-time audit data from different sources. Those data streams can include system, user and communications activities. A node can include multiple data collection modules [16].

3.1.2 Local detection engine

The local detection engine analyzes local data traces for evidence of anomalies. The IDS agent should use statistical anomaly detection because updating a rule database across an ad-hoc network is not easy. Therefore an anomaly detection model is necessary [16]. This model can be built in following steps:

- Generating of normal profiles
- Generating of deviations from normal profiles
- Computing of detection model from deviation data

In the first step, normal profiles are computed by tracing data from a process where all activities are normal. Then some normal and abnormal activities are recorded. At least the detection model is computed from the deviation data to differ normalcy and anomalies.

3.1.3 Cooperative detection engine

Whenever any node detects an intrusion locally with strong evidence it can independently determine that the network is under attack. If a node detects an intrusion with weak evidence it can initiate a cooperative global intrusion detection procedure. A global intrusion detection is done by propagating the intrusion detection state to all neighbour nodes. An intrusion detection state information can look like this: “With p% confidence, node A concludes from its local data that there is an intrusion” [16].

illustration not visible in this excerpt

Fig. 4: Global intrusion detection procedure, adapted from [16]

After this propagation a distributed algorithm is used to compute a new intrusion detection state for a node, using other nodes information which can include weighted information. The weight of the component could be how far this node is located. Figure 4 shows the message exchange of a global intrusion detection procedure. In the first step the node which initiates the global intrusion detection sends to all neighbouring nodes an intrusion state request. Each node which receives this request (including the initiation node) propagates then the state information which indicates the probability of an intrusion to its neighbours. In step 3 every node determines if the received state report indicates an intrusion or anomaly. If this is the case, then the node concludes that the network is under attack [16]. Every node that detects an intrusion is then able to initiate a response procedure.

It is clear that the audit data of other nodes can not be trusted because it could be compromised and therefore should not be used. Therefore only the intrusion detection state is propagated because a compromised node will not send any report about an intrusion. Hence this scheme of this global intrusion detection works until the majority of nodes are compromised. If this is the case, an intrusion could be detected by strong evidence of a single node [16].

[...]

---

^[1] Wired Equivalent Privacy

^[2] Medium Access Control

^[3] Distributed Coordination Function

^[4] Advanced Encryption Standard