Intrusion Detection for Mobile Ad Hoc Networks
In the first phase of this project, the goal was to develop a detailed requirements analysis for the design of an intrusion detection architecture for tactical mobile ad hoc networks (MANETs). Technical challenges include developing effective and efficient intrusion detection in fully-mobile, ad hoc, self-configuring, multi-hop wireless networks with varying resources and limited bandwidth.
In the ongoing second phase of this project, we are developing specific intrusion detection algorithms for misbehavior in (i) specific routing protocols and (ii) auto-configuration protocols in the tactical MANET environment.
A detailed requirements analysis was derived from a comprehensive analysis of the challenges confronting intrusion detection technology in tactical wireless networks. This analysis includes a description of salient characteristics of tactical networks, a cyber threat model, key assumptions, and an attack matrix which provides a conceptual framework for relating attacks that present challenges in this domain to other better-known classes of attacks. Categories of challenges addressed include:
- New Manifestations of Conventional Attacks – Challenges arise from such MANET characteristics as the lack of persistent traffic concentration points at which network detectors can be placed, and the dynamic dispersion of attack packets and packet fragments.
- MANET-Specific Attacks – Additional challenges arise from a) the inherent characteristics of wireless communications and b) vulnerabilities in MANET infrastructure protocols. Specific vulnerabilities in AODV, OLSR, and other protocols are identified and analyzed.
- Distributed and Coordinated Detection – Other challenges result from the need to: utilize a large number of distributed sensors; position them optimally; collect data from them for detection and correlation without consuming significant network bandwidth; and address missing, conflicting, bogus, and overlapping data.
- Survivable and Dynamic Monitoring – Further challenges result from the mobility, intermittent connectivity, and other dynamic factors present in the tactical environment. They include the need to dynamically reassign monitoring, correlation, and intrusion detection management responsibilities to nodes as the topology evolves; to maintain availability and provide continuous coverage; and to address various risks that compromised nodes will be assigned responsibilities that enable them to subvert the architecture from within.
To address these challenges, an analysis of existing and proposed detection approaches was conducted and for each, the potential advantages, disadvantages, limitations, and tradeoffs involved in applying them to the tactical wireless domain are derived. This includes the application of promiscuous monitoring, cooperative detection, signature-based detection, specification-based detection, statistical anomaly detection, correlation-based detection, monitoring for structural anomalies in the network topology, as well as clustering, caching, and IDMEF for inter-component communication. In examining the various approaches, the analysis goes beyond the general issues relevant to tactical MANETs, and addresses the relevance to specific protocols such as AODV, OLSR and others.
We also propose a cooperative and distributed intrusion detection architecture for tactical wireless networks that is intended to address these requirements and that focuses on distributed detection, particularly of insider threats. This architecture leverages recently published research, and goes significantly beyond previously published results.
We will investigate the feasibility of detecting routing misbehavior by monitoring the routing topology for structural abnormalities and routing instabilities that are likely to have resulted from malicious manipulation of routing data. We will develop monitoring algorithms that will be based on a set of security specifications or constraints whose violations will describe security breaches in modifying/updating the routing tables. These specifications may then be used in building a formal framework for proving that, for a given set of assumptions, the algorithms will trigger an alarm whenever violations occur, regardless of the actual implementation. We will analyze the potential effectiveness of these algorithms for intrusion detection when applied by selected nodes independently, i.e., using only locally available information.
In addition, we will assist in the development of a partial set of security specifications for auto-configuration protocols developed for the tactical MANET environment. The specifications will be represented as extended finite state machines. Node behaviors that conflict with these security specifications will be treated as security violations, i.e., attempted intrusions. We will formulate a rigorous definition of specification completeness and use it to analyze the relative completeness of the set of specifications that we develop. For example, we may analyze the specifications in terms of the set of security properties they can guarantee. Specifically we will,
- develop a model for a security policy we wish to enforce with the monitored protocols;
- incorporate a formal description of the specification-based IDS that can be used in our formal verifications;
- develop a formal framework for proving that, for a given set of assumptions, the IDS will trigger an alarm whenever the policy is violated, regardless of the correctness of the protocol implementation; and
- investigate the development of a formal specification for use in composing systems such that the secure properties of individualcomponents are preserved.
last modified 6/1/04