Project topics and materials
Get Complete Project Material File(s) Now! »
Intrusion Detection in Wireless Mesh Networks
The current IDS tools for wired networks cannot be directly applied to WMNs. Building IDS for inspecting the mesh network activity is not an easy task because of the intrinsic characteristics and physical restrictions of WMNs. However, an IDS for WMNs is essential to secure the network routing functionality and to cope with the limitations of cryptographic systems, then providing a second line of defense. Consequently, researchers have been working hard to develop new IDSs for WMNs or adapt the existing IDSs to suit the characteristics of WMNs. Most of the research in intrusion detection pertains to MANETs because WMN is a relatively recent development. Nonetheless, in principle, all of the intrusion detection approaches of MANETs can be applicable to WMNs.
There have been few signature-based detection approaches proposed for WMNs and little research on attack pattern matching techniques for this type of network. The constant need of updating the signature database is a difficult process in mesh network architectures and each node IDS signature database has to be individually updated each time. Attack databases cannot be easily updated without a central administration. Anomaly-based detection engines for WMNs rely on particular models of node expected behavior, that are mainly based on statistical approaches, and label those nodes that deviate from the behavior model as malicious nodes. However, there is no clear separation between normal and abnormal network activities in mobile wireless scenarios.
Since nodes can join or leave the network arbitrarily and communication links can be quite unreliable, e.g., with significant packet losses, then fluctuations on the transmission of routing information can be attributed to a malicious node, or a node that has a poor wireless connection, or a mobile node moving independently. As a consequence, the problem of false positives becomes worse for the IDS in this environment with different scenarios.
A number of specification-based intrusion detection approaches have been proposed to detect attacks against Ad hoc On-Demand Distance Vector (AODV) and Optimized Link State Routing Protocol (OLSR) traditional routing protocols. Tseng et al. [14] proposed the first specification-based intrusion detection approach for MANETs. The approach uses Finite State Machines (FSMs) for specifying the correct routing behavior of AODV.
Network Monitors (NMs), which are assumed to cover all nodes, employ these FSMs for detecting run-time violation of AODV operations, especially during the route discovery Chapter 2. Background and Related Work 17 process. NMs analyze request-reply flows, i.e., Route Request (RREQ) and Route Reply (RREP) messages, to identify attacks on AODV. NMs can ask neighbors about previous messages or other node information. However, the approach does not take into account natural packet loss present in wireless networks and cannot distinguish between lost messages and packets dropped on purpose. Moreover, some of the assumptions used in this work are not very realistic, e.g., MAC addresses and IP addresses of all nodes are registered in the NMs and remain unchanged, and MAC addresses cannot be forged. In addition, the approach requires adding additional field in the protocol original message RREQ to keep track of the RREQ path, which certainly will cause incompatibility issues with other nodes executing the unmodified routing protocol version.
Huang et al [15] propose to model AODV protocol behavior by decomposing it into normal basic events and modeling these events by using Extended Finite State Automaton (EFSA). The EFSA can detect anomalous basic events, such as fabrication of routing messages or modification of routing messages, which are direct violations of the protocol specification. They also use statistics on the states and transitions of EFSAs for building a detection model to identify anomalous basic events that are temporal and statistical in nature, i.e., not violate directly the specification, such as flooding of routing messages. The approach combines the advantages of specification-based and statistical-based intrusion detection. However, the protocol behavior is only analyzed from the point of view of a single node with no communication between neighboring nodes for sharing collected data/detection results, which makes the intrusion detection process inaccurate due to the distributed and cooperative nature of WMNs and the constant instability of wireless links. Orset et al. [16] provide a formal specification of correct behavior of OLSR protocol by applying Extended Finite State Machines (EFSM) in order to detect run-time violations of protocol implementation, i.e., some typical OLSR attacks and conformance anomalies. The approach is similar to EFSA-based detection approach and therefore it has the same limitations as it, i.e., the approach only monitors the correct behavior of each node separately and do not considers the point of view of neighboring nodes for cooperative detection of attacks. Moreover, the approach does not provide additional methods, for instance, statistical schemes, to circumvent the main limitation of specification-based IDS: detect attacks that do not immediately violate the protocol specification, e.g., message flooding attacks. In addition, building detailed formal specification for complex routing protocols can be a very time consuming job.
Our IDS approach is mainly based on specification-based intrusion detection since we specify Routing Constraints, which define the correct protocol behavior, so we can detect malicious behavior that violate these constraints. The reason for using Routing Constraints is they are optimized to cover the most common routing attacking methods of WMNs: message fabrication, packet dropping, and message flooding. However, we essentially rely on routing events, that are defined based upon the protocol specification, and are generated as a result of the analysis of each routing message. By making use of routing events together with Routing Constraints, we can identify most of attacks of WMNs in a reliable and collaborative way since routing events are analyzed in parallel by the node and its neighboring nodes to compute misbehaving metrics. Furthermore, we integrate a thresholdbased mechanism to distinguish between accidental packet loss of links and malicious packet dropping. Hence, our intrusion detection approach provides better detection accuracy with no false negatives while limiting the number of false positives. Moreover, the approach is able to identify any new attack that makes use of these common attacking methods without the need of updating the intrusion detection engine.
IDSs can also be classified according to the architecture employed for intrusion detection in the network environment as follows.
• Stand-alone IDS: In this architecture, the IDS is installed at each node and strictly utilizes node’s local audit data for detecting network intruders without collaborating with other nodes. Nevertheless, the fact that the IDS architecture relies exclusively on local audit data to recognize malicious behaviors the IDS performance is limited in respect of detection accuracy and type of attacks that the IDS is able to detect because of the distributed nature of WMNs. This architecture is more suitable for flat network infrastructure.
• Distributed and cooperative IDS: To resolve the problem of absence of a single point of traffic concentration in WMNs, where the IDS can be deployed for traffic analysis, distributed and cooperative IDS architecture is proposed. Similarly to stand-alone architecture, a IDS installed in each node processes node’s audit data locally but they also communicate with other nodes to exchange audit data and/or detection results, examine the neighbors behavior, make agreed decisions about inconclusive intrusion detection and suspected nodes, and provide responses to
attacks. This IDS architecture is more appropriate for flat networks.
Attacking Methods
The adversarial node utilizes specific attacking methods to achieve its objectives. The attacker goals are: (i) to disrupt the routing service by violating the integrity of routing tables of mesh nodes and also routing messages; (ii) to cause DoS on data delivery, i.e., disrupt the data forwarding service; and (iii) to violate the network service and nodes availability. We analyzed common attacking methods for routing protocols of WMNs and summarized them as four basic attacking methods.
1. Message Fabrication: The attacking node uses this method to illegally inject forged routing messages into the network in order to violate the routing table of target nodes and consequently the network routing functionality. Usually, the injected messages follow the routing protocol specification, i.e., the message content is legitimate and messages interval and sequence are respected. The consequences are redirection of routes, corruption of routing tables, routing loops, and impersonification/spoofing of nodes.
2. Packet Dropping: The malicious node drops selectively/randomly forwarded routing messages and/or received routing messages in order to violate the routing table of target nodes and the routing service. The consequences are isolation of nodes from rest of network, invalidation of routes, and selfish behavior of nodes not serving as relay point to other nodes, and therefore DoS on the transmission of routing packets.
Alternatively, the attacker can drop forwarded and/or received data packets to disrupt the integrity of data delivery service. For instance, in black hole attack, all data traffic is redirected to the malicious node i.e., the black hole, which do not forward any data traffic at all, then discarding all data packets. The consequence is obviously DoS on data delivery service for the affected nodes.
3. Message Flooding: This attacking method uses the same technique as messag fabrication but with some essential differences, which makes it much more aggressive. The fabricated messages, that are injected by one or more malicious nodes, can contain one or more different source addresses, which can be randomlygenerated, and the interval between each forged message is very short, e.g., some milliseconds. Therefore, the entire mesh network is flooded with an excessive
number of forged routing messages and/or data packets that violate the networkm availability and integrity of routing tables. The consequence of this attacking method is DoS on nodes, where a node is prevented from receiving and sending data packets to other nodes, overflow of routing tables, consumption of valuable network resources, congestion of communication channels, and sleep deprivation in case of reactive routing protocols.
Conclusion
The carried analysis reveals the most important strengths and weaknesses of current cooperative and distributed IDSs for ad-hoc networks. It is hard to judge which IDS approach is the best solution since none of them are complete and they primarily focus on addressing specific issues of wireless ad-hoc networks. A key point in the existing approaches is that they have been exclusively validated using simulation-based studies or theoretical models, then lacking experience in real WMNs. Simulation is useful to estimate the performance of intrusion detection engines, which are complex to implement as IDS tools and difficult to deploy at nodes in an ad-hoc network infrastructure. However, cannot fully represent the implementation details and performance requirements of the IDS capturing network traffic, analyzing the collected data, and exchanging intrusion detection information with neighboring nodes, all that at real-time in the mesh device with constrained hardware resources. As a result, these approaches can be shown to be unpractical in real WMN scenarios due to unforeseen factors.
Table of contents :
1 Introduction
1.1 Motivation
1.2 Contributions
1.3 Results
1.4 Organization of the Dissertation
2 Background and Related Work
2.1 Intrusion Detection
2.2 Intrusion Detection in Wireless Mesh Networks
2.3 Distributed and Cooperative Intrusion Detection
2.4 Conclusion
3 Attack Analysis
3.1 System Model
3.2 Attacker Model
3.2.1 Attacking Methods
3.3 BATMAN
3.3.1 Protocol Overview
3.3.2 Flooding Mechanism
3.3.3 BATMAN Advanced
3.4 Routing Manipulation Attack
3.4.1 Attack Methods
3.4.2 Example of Attack Scenario
3.4.3 Attack Model
3.5 Experiment and Results
3.5.1 Experiment Environment
3.5.2 Attack Implementation
3.5.3 Attack Emulation in Scenario 1
3.5.4 Attack Emulation in Scenario 2
3.6 Attack Detection
3.6.1 Results for Scenario 1
3.6.2 Results for Scenario 2
3.7 Conclusion
4 Distributed and Cooperative Intrusion Detection
4.1 System Model
4.2 Attacker Model
4.3 Distributed Intrusion Detection Architecture
4.3.1 Bro IDS
4.3.2 Routing Protocol Analyzer
4.3.3 Distributed Intrusion Detection Engine
4.3.4 Cooperative Consensus Mechanism
4.3.5 Response Mechanism
4.4 Threshold Approach
4.5 Distributed Detection of Message Fabrication Attacks
4.5.1 RPA: Routing Events
4.5.2 DIDE: Routing Constraints
4.5.3 DIDE: Misbehaving Metrics
4.5.4 CCM: Consensus Algorithm
4.6 Performance Evaluation
4.6.1 Experiment Platform
4.6.2 Defining the Threshold
4.6.3 Emulation of Message Fabrication Attack
4.6.4 Results
4.7 Performance Analysis
4.7.1 CPU and Memory Consumption
4.7.2 Communication Overhead
4.8 Discussion
4.8.1 Security
4.8.2 Complexity and Limitations
4.9 Conclusion
5 Distributed Detection of Packet Dropping Attacks
5.1 System Model
5.2 Attacker Model
5.3 Distributed Detection of Malicious Packet Dropping
5.3.1 Routing Protocol Analyzer
5.3.2 Distributed Intrusion Detection Engine
5.3.3 RPA: Routing Events
5.3.4 DIDE: Routing Constraints
5.3.5 DIDE: Misbehaving Metrics
5.4 Cooperative Consensus Mechanism
5.5 Performance Evaluation
5.5.1 Experiment Platform
5.5.2 Defining the Threshold
5.5.3 Emulation of Packet Dropping Attack
5.5.4 Results
5.6 Performance Analysis
5.6.1 CPU and Memory Consumption
5.6.2 Communication Overhead
5.7 Discussion
5.7.1 Security
5.7.2 Complexity and Limitations
5.8 Conclusion
6 Conclusion and Perspectives
6.1 Conclusion
6.2 Future work
References
