Intrusion Detection for Mobile Ad Hoc Networks

Research Goals

In the first phase of this project, the goal was to develop a detailed requirements analysis for the design of an intrusion detection architecture for tactical mobile ad hoc networks (MANETs). Technical challenges include developing effective and efficient intrusion detection in fully-mobile, ad hoc, self-configuring, multi-hop wireless networks with varying resources and limited bandwidth.
In the ongoing second phase of this project, we are developing specific intrusion detection algorithms for misbehavior in (i) specific routing protocols and (ii) auto-configuration protocols in the tactical MANET environment.


Phase 1:
A detailed requirements analysis was derived from a comprehensive analysis of the challenges confronting intrusion detection technology in tactical wireless networks. This analysis includes a description of salient characteristics of tactical networks, a cyber threat model, key assumptions, and an attack matrix which provides a conceptual framework for relating attacks that present challenges in this domain to other better-known classes of attacks. Categories of challenges addressed include:

To address these challenges, an analysis of existing and proposed detection approaches was conducted and for each, the potential advantages, disadvantages, limitations, and tradeoffs involved in applying them to the tactical wireless domain are derived. This includes the application of promiscuous monitoring, cooperative detection, signature-based detection, specification-based detection, statistical anomaly detection, correlation-based detection, monitoring for structural anomalies in the network topology, as well as clustering, caching, and IDMEF for inter-component communication. In examining the various approaches, the analysis goes beyond the general issues relevant to tactical MANETs, and addresses the relevance to specific protocols such as AODV, OLSR and others.

We also propose a cooperative and distributed intrusion detection architecture for tactical wireless networks that is intended to address these requirements and that focuses on distributed detection, particularly of insider threats. This architecture leverages recently published research, and goes significantly beyond previously published results.

Phase 2:
We will investigate the feasibility of detecting routing misbehavior by monitoring the routing topology for structural abnormalities and routing instabilities that are likely to have resulted from malicious manipulation of routing data. We will develop monitoring algorithms that will be based on a set of security specifications or constraints whose violations will describe security breaches in modifying/updating the routing tables. These specifications may then be used in building a formal framework for proving that, for a given set of assumptions, the algorithms will trigger an alarm whenever violations occur, regardless of the actual implementation. We will analyze the potential effectiveness of these algorithms for intrusion detection when applied by selected nodes independently, i.e., using only locally available information.

In addition, we will assist in the development of a partial set of security specifications for auto-configuration protocols developed for the tactical MANET environment. The specifications will be represented as extended finite state machines. Node behaviors that conflict with these security specifications will be treated as security violations, i.e., attempted intrusions. We will formulate a rigorous definition of specification completeness and use it to analyze the relative completeness of the set of specifications that we develop. For example, we may analyze the specifications in terms of the set of security properties they can guarantee. Specifically we will,

  1. develop a model for a security policy we wish to enforce with the monitored protocols;
  2. incorporate a formal description of the specification-based IDS that can be used in our formal verifications;
  3. develop a formal framework for proving that, for a given set of assumptions, the IDS will trigger an alarm whenever the policy is violated, regardless of the correctness of the protocol implementation; and
  4. investigate the development of a formal specification for use in composing systems such that the secure properties of individualcomponents are preserved.



Telcordia Technologies

Contact person:
Karl Levitt

last modified 6/1/04