Real-time Intrusion Detection for Ad hoc Networks
A dissertation submitted to the University of Dublin, in partial fulfilment of
the requirements for the degree of Master of Science in Computer Science
September 12, 2003
I declare that the work described in this dissertation is, except where otherwise stated, entirely my own work and has not been submitted as an exercise for a degree at this or any other

Ioanna Stamouli
September 12, 2003

Permission to lend and/or copy

I agree that Trinity College Library may lend or copy this dissertation upon request.
Ioanna Stamouli
September 12, 2003

Acknowledgements

I would like to thank my supervisor, Mr. Hitesh Tewari, for all his guidance and assistance throughout the duration of this project. I would also like to thank my family who put me where I am today. Thanks and appreciation go to my classmates for their continuous support throughout the year and for making me feel at home. Finally, I would like to thank Patroklos Argyroudis for his enlightening critique in many aspects of the project and for the essential comments concerning this document.
Abstract

In recent years, wireless technology has enjoyed a tremendous rise in popularity and usage, opening new fields of application in the domain of networking. One such field concerns mobile ad hoc networks (MANETs), where the participating nodes do not rely on any existing network infrastructure. By definition, the topology of an ad hoc network changes dynamically and is fully decentralised. Hence security is hard to achieve, both because of the dynamic nature of the relationships between the participating nodes and because of the vulnerabilities and limitations of the wireless transmission medium.
The RIDAN system is a novel architecture that uses knowledge-based intrusion detection techniques to detect active attacks that an adversary can perform against the routing fabric of mobile ad hoc networks. Moreover, the system is designed to take countermeasures to minimise the effectiveness of an attack and keep the performance of the network within acceptable limits.
The novelty of the system lies in the usage of timed finite state machines that enable the real-time detection of active attacks.
The RIDAN system does not introduce any changes to the underlying routing protocol and operates as an intermediate component between the network traffic and the routing protocol.
The system was developed and tested to operate in AODV-enabled networks using the network simulator (ns-2). The simulator parameters used in the scenarios developed to evaluate the RIDAN system were chosen with regard to both the accuracy and the efficiency of the simulation. The system was evaluated using the delivery ratio as the main metric. When the network is under the sequence number attack the delivery ratio drops to 38.3%, while the RIDAN-enabled AODV increases its performance by 16.6%. When the network is under the resource consumption attack the delivery ratio of AODV drops to 42.6%, and the RIDAN system improves it by 31.6%.
The final implemented attack is the dropping routing packets attack; when it is performed the delivery ratio decreases to 23%, while the RIDAN-enabled AODV manages to keep the network performance 13.8% higher.
1.2 PROPOSED GOALS
1.3 DOCUMENT OVERVIEW
AD HOC NETWORKS
2.2 PROPERTIES OF AD HOC NETWORKS
2.3 COMPARISON WITH WIRED NETWORKS
2.4 AD HOC ROUTING PROTOCOLS
2.4.1 Properties of Ad hoc Routing Protocols
2.4.2 Table-driven Ad hoc Routing Protocols
2.4.2.1 Destination-Sequenced Distance-Vector (DSDV)
2.4.2.2 Optimised Link State Routing (OLSR)
2.4.3 On-demand Ad hoc Routing Protocols
2.4.3.1 Ad hoc On-demand Distance Vector (AODV)
2.4.3.2 Dynamic Source Routing (DSR)
2.4.5 AODV Operational Details
2.4.5.1 Route Discovery
2.4.5.2 Route Maintenance
SECURITY IN AD HOC NETWORKS
3.2 SECURITY GOALS
3.2 SECURITY CHALLENGES
3.3 ACTIVE ROUTING ATTACKS
3.4 SECURITY SCHEMES
3.4.1 Intrusion Detection
3.4.2 Secure Routing
4.2 INTRUSION DETECTION IN INFRASTRUCTURE NETWORKS
4.2.1 Specification-based Anomaly Detection
4.2.2 Statistical Process Control for Computer Intrusion Detection
4.2.3 A New Intrusion Method based on Process Profiling
4.2.4 Real-Time Protocol Analysis for Detecting Link-State Routing Protocol Attacks
4.3 INTRUSION DETECTION IN AD HOC NETWORKS
4.3.1 Watchdog and Pathrater
4.3.2 Security Enhancements in AODV
4.3.3 Context Aware Detection of Selfish Nodes in DSR
5.2 SYSTEM OVERVIEW
5.3 AODV ROUTING ATTACKS
5.3.1 Sequence Number Attack
5.3.2 Dropping Routing Traffic Attack
5.3.3 Resource Consumption Attack
5.4 MODELLING OF THE RIDAN INTRUSION DETECTION COMPONENT
5.4.1 Sequence Number Attack Detection
5.4.2 Dropping Routing Packets Attack Detection
5.4.3 Resource Consumption Attack Detection
6.2 THE NS-2 NETWORK SIMULATOR
6.3 IMPLEMENTATION OF THE SEQUENCE NUMBER ATTACK
6.3.1 Implementation of the Sequence Number Attack Detection
6.4 IMPLEMENTATION OF THE DROPPING ROUTING PACKETS ATTACK
6.4.1 Implementation of the Dropping Routing Packets Attack Detection
6.5 IMPLEMENTATION OF THE RESOURCE CONSUMPTION ATTACK
6.5.1 Implementation of the Resource Consumption Attack Detection
EVALUATION AND CONCLUSIONS
7.2 EXPERIMENTS AND MEASUREMENTS
7.3 EVALUATION OF THE SEQUENCE NUMBER ATTACK DETECTION
7.4 EVALUATION OF THE DROPPING ROUTING PACKETS ATTACK DETECTION
7.5 EVALUATION OF THE RESOURCE CONSUMPTION ATTACK DETECTION
7.6 ACCURACY OF THE RIDAN SYSTEM
7.7 CONCLUSIONS AND FURTHER WORK
FIGURE 2.1: AD HOC NETWORK EXAMPLE.
FIGURE 2.2: THE FORMAT OF ROUTE REQUEST PACKET.
FIGURE 2.3: PROPAGATION OF AN AODV RREQ AND ESTABLISHMENT OF THE REVERSE ROUTES.
FIGURE 2.4: FORMAT OF A ROUTE REPLY (RREP) PACKET.
FIGURE 2.5: PROPAGATION OF A RREP MESSAGE FROM THE DESTINATION TO THE SOURCE NODE.
FIGURE 2.6: THE FORMAT OF THE ROUTE ERROR (RERR) MESSAGE.
FIGURE 2.7: ROUTE MAINTENANCE.
FIGURE 5.8: HIGH-LEVEL ARCHITECTURE OF THE RIDAN LOGICAL COMPONENTS
FIGURE 5.9: EXAMPLE OF THE SEQUENCE NUMBER ATTACK
FIGURE 5.10: FIRST SEQUENCE NUMBER ATTACK DETECTION FSM.
FIGURE 5.11: SECOND SEQUENCE NUMBER ATTACK DETECTION FSM.
FIGURE 5.12: THIRD SEQUENCE NUMBER ATTACK FSM.
FIGURE 5.13: DROPPING ROUTING PACKETS ATTACK DETECTION FSM
FIGURE 5.14: RESOURCE CONSUMPTION ATTACK DETECTION FSM.
FIGURE 6.15: THE CLASS DIAGRAM OF THE SYSTEM. THE METHODS AND ATTRIBUTES OF THE AODVPUBLIC AGENT ARE OMITTED FOR READABILITY REASONS.
FIGURE 7.16: DELIVERY RATIO VERSUS NUMBER OF CONNECTIONS IN THE SEQUENCE NUMBER ATTACK.
FIGURE 7.17: DELIVERY RATIO VERSUS NODE MOBILITY IN THE SEQUENCE NUMBER ATTACK.
FIGURE 7.18: NUMBER OF FALSE REPLIES SENT BY THE MALICIOUS NODE VERSUS THE NUMBER OF CONNECTIONS.
FIGURE 7.19: NUMBER OF FALSE REPLIES SENT BY THE MALICIOUS NODE VERSUS NODE MOBILITY.
FIGURE 7.20: DELIVERY RATIO VERSUS NUMBER OF CONNECTIONS IN THE DROPPING ROUTING PACKETS ATTACK.
FIGURE 7.21: DELIVERY RATIO VERSUS NODE MOBILITY IN THE DROPPING ROUTING PACKETS ATTACK.
FIGURE 7.22: ROUTING OVERHEAD RATIO VERSUS NUMBER OF ACTIVE CONNECTIONS IN THE DROPPING ROUTING PACKETS ATTACK.
FIGURE 7.23: ROUTING OVERHEAD RATIO VERSUS NODE MOBILITY IN THE DROPPING ROUTING PACKETS ATTACK.
FIGURE 7.24: THE PERCENTAGE OF ADDITIONAL ROUTING TRAFFIC INTRODUCED WHEN THE NUMBER OF ADDITIONAL PACKETS SENT BY THE MALICIOUS NODE INCREASES.
FIGURE 7.25: DELIVERY RATIO VERSUS NUMBER OF CONNECTIONS IN THE RESOURCE CONSUMPTION ATTACK.
FIGURE 7.26: DELIVERY RATIO VERSUS NODE MOBILITY IN THE RESOURCE CONSUMPTION ATTACK.
FIGURE 7.27: ROUTING PACKETS DROPPED RATIO VERSUS NUMBER OF CONNECTIONS.
FIGURE 7.28: ROUTING PACKETS DROPPED RATIO VERSUS NODE MOBILITY.
List of Tables
TABLE 6.1: DISTRIBUTION OF THE LOGICAL MODULES OF THE RIDAN SYSTEM IN THE METHODS OF THE RIDAN-ENABLED AODV AGENT.
TABLE 6.2: THE TCL FILES THAT WERE MODIFIED TO ADD THE NEW SEQAODV ROUTING AGENT.
TABLE 6.3: RECVREQUEST PSEUDOCODE.
TABLE 6.4: THE TCL FILES THAT WERE MODIFIED TO ADD THE NEW RIDANAODV ROUTING AGENT.
TABLE 6.5: PSEUDOCODE OF THE IMPLEMENTATION OF THE RIDAN DETECTION COMPONENT FOR THE FIRST FSM USED TO DETECT THE SEQUENCE NUMBER ATTACK.
TABLE 6.6: PSEUDOCODE OF THE IMPLEMENTATION OF THE RIDAN DETECTION COMPONENT FOR THE SECOND FSM USED TO DETECT THE SEQUENCE NUMBER ATTACK.
TABLE 6.7: PSEUDOCODE OF THE IMPLEMENTATION OF THE RIDAN DETECTION COMPONENT FOR THE THIRD FSM USED TO DETECT THE SEQUENCE NUMBER ATTACK.
TABLE 6.8: THE TCL FILES THAT WERE MODIFIED TO ADD THE NEW DRPAODV ROUTING AGENT.
TABLE 6.9: PSEUDOCODE OF THE IMPLEMENTATION OF THE DROPPING ROUTING PACKETS ATTACK.
TABLE 6.10: CHANGES REQUIRED TO ENABLE AODV IN PROMISCUOUS MODE.
TABLE 6.11: PSEUDOCODE OF THE IMPLEMENTATION OF THE RIDAN DETECTION COMPONENT FOR THE FSM USED TO DETECT THE DROPPING ROUTING PACKETS ATTACK.
TABLE 6.12: THE TCL FILES THAT WERE MODIFIED TO ADD THE NEW RCAODV ROUTING AGENT.
TABLE 6.13: PSEUDOCODE OF THE IMPLEMENTATION OF THE RIDAN DETECTION COMPONENT FOR THE FSM USED TO DETECT THE RESOURCE CONSUMPTION ATTACK.
TABLE 6.14: SIMULATION PARAMETERS.
1.1 Background

In recent years, wireless technology has enjoyed a tremendous rise in popularity and usage, thus opening new fields of application in the domain of networking. One of the most important of these fields concerns mobile ad hoc networks (MANETs), where the participating nodes do not rely on any existing network infrastructure. A mobile ad hoc network is a collection of wireless nodes that can be rapidly deployed as a multi-hop packet radio network without the aid of any existing network infrastructure or centralized administration [CE89]. Therefore, the interconnections between nodes are capable of changing on a continual and arbitrary basis. Nodes within each other's radio range communicate directly via wireless links, while those that are further apart use other nodes as relays.
Ad hoc networks have a wide array of military and commercial applications. They are ideal in situations where installing an infrastructure network is not possible or when the purpose of the network is too transient or even for the reason that the previous infrastructure network was destroyed.
Security in mobile ad hoc networks is hard to achieve due to the dynamically changing and fully decentralized topology, as well as the vulnerabilities and limitations of wireless data transmission. Existing solutions that are applied in wired networks can be used to obtain a certain level of security. Nonetheless, these solutions are not always suitable for wireless networks. Ad hoc networks therefore have vulnerabilities of their own that cannot always be tackled by wired network security solutions [ACP+02].
One of the very distinct characteristics of MANETs is that all participating nodes have to be involved in the routing process. Traditional routing protocols designed for infrastructure networks cannot be applied in ad hoc networks, so ad hoc routing protocols were designed to satisfy the needs of infrastructureless networks. Due to the different characteristics of wired and wireless media, the task of providing seamless environments across wired and wireless networks is very complicated. One of the major factors is that the wireless medium is inherently less secure than its wired counterpart. Most traditional applications do not provide user-level security schemes, on the assumption that physical network wiring provides some level of security [Bha94].
The routing protocol sets the upper limit to security in any packet network. If routing can be misdirected, the entire network can be paralyzed [WLB03]. This problem is magnified in ad hoc networks, since routing usually has to rely on the trustworthiness of all nodes participating in the routing process. An additional difficulty is that it is hard to distinguish compromised nodes from nodes that are suffering from broken links.