CISIM 2010

Rituparna Chaki, Associate Professor

Keynote Title:
Intrusion Detection: Ad-hoc Networks to Ambient Intelligence Framework

A wireless adhoc network is made up of a multitude of nodes (mobile devices, sensors) communicating on a peer-to-peer basis. The main advantage lies in its ability to perform on a decentralized basis, without any base station. This makes the deployment of such networks easy in battle fields and places where confidentiality of the communication system is of topmost priority. However, the absence of centralized control makes it difficult to locate a moving destination node. The network becomes vulnerable to various threats from insiders such as unauthorized attempt to access and/or manipulate information. The attacks are potentially hazardous, and can even make the network performance go down dangerously. An attacker has the ability to listen to all network traffic, and even make changes causing serious damages to confidentiality. The lack of infrastructure causes tracking of the malicious node all the more difficult. Several different types of intrusions have been classified, ranging from violation of security constraints, denial of service, route tampering, etc [1]. Intrusion detection involves detection of malicious and selfish nodes and taking necessary actions against it. Intrusion detection is categorized into two different types, based on the techniques of detection. These are: (a) anomaly detection, (b) misuse detection. Anomaly detection involves detects an intrusion by checking the variance of system behavior against normal behavior. The determination of threshold values for normal behavior becomes very important in this type of detection. Misuse detection techniques treat attacks as variance of some pre-recorded patterns.
We have studied various intrusion detection systems and observed that there exists a fairly high possibility of false alarm generations. Many of the works have the tendency to stamp a fairly good node as malicious -never waiting to give it a second chance. Thus a node gets disconnected, making a prt of the network go down at times-resulting in further disruption in service. This prompted the development of IDSX [2], using a cluster based IDS that aimed to eliminate false alerts. IDSX can act as a high level mechanism to correlate alerts from multiple IDSs, acting individually on every node. This idea, however has its own shortfalls, as developing and maintaining a cluster in a mobile ad-hoc network can be very time consuming, thus affecting timely detection.
This led to the development of Honesty Rate Based Intrusion Detection System (HIDS) [3]. The proposed HIDS considered trust values of nodes as an important parameter. Every node was assigned an honesty rate initially. A dynamic set of nodes were chosen as monitoring nodes. The job of the monitors was to monitor the performance of each node, and update the trust values accordingly. The honesty rate was calculated as a function of the current honesty rate and the rewards and penalty points achieved by the node. If the honesty rate falls below a specified threshold, only then the node is branded as malicious. As the whole process of monitoring and decision making is done collaboratively, the chances of misjudgment are almost nullified.
One of the most basic forms of routing employed in MANET is AODV, where the route is generated at the start of communication. Each node has its own sequence number and this number increases when connections change. The latest route information is picked up by a node from the node with the highest sequence number. The dependency of AODV on sequence number makes it vulnerable to black hole attack [27]. A malicious node advertises itself as having a valid route to a destination node, which is a spurious one, with the intention of intercepting packets. When the data packets routed by the source node reach the black hole node, it drops the packets rather than forwarding them to the destination. The overall system performance drops to a dangerously low level. Thus the black hole attack needs extra care. BHIDS: A New Cluster Based Algorithm for Black Hole IDS [4] uses a two-layered cluster based approach to detect black hole attacks. The nodes belonging to the inner cluster collect raw data signifying any malicious activity. This data is sent to the inner layer cluster head. The cluster head has the final authority to declare a node as being involved in black hole attack. This information is then passed on to the outer layer cluster head. The two-layered architecture reduces processing overhead to a large extent.
Another common attack is the wormhole attack. Two nodes, located at different strategic positions in a network, overhear all packets, forward to each other, and replay the packets at the other end of the network. The nodes which are actually situated at great distances from one another tend to believe that they are closely located. All communications are forced to pass through the attackers, thus proving to be extremely dangerous for confidentiality.
A new cluster-based wormhole intrusion Detection algorithm for mobile ad-hoc Networks [5] employs a guard node between neighbor clusters at the internal level. If a source node S observes some malicious behavior when it sends packet to a specific node D, it informs the guard node. The guard node then checks how many packets have been actually received by the node D from S. The monitoring node takes this information to detect the occurrence of a wormhole attack. This logic has very little processing overhead.
The changing socio-economic scenario with high-tech buzz words like virtual reality, pervasive computing, augmented reality and ambient intelligent systems increases the challenge of making the software applications even more secure. One must remember that flexibility is like a double-edged sword. Applications like the ones being designed for ambient intelligent systems are not only to facilitate the intended end-user with more ease and convenience, but also leave themselves more available for the intruder. Besides, the increasing dependence on automation through such applications translates into lot more severe impact on individual and society for every undetected intrusion. In an ambient scenario, secure communication between a host of devices is necessary for protecting the privacy of the individuals involved [7] while maintaining the ease and availability to the end user. As the sensors play a vital role in this model, attempt of unauthorized access to information needs early detection. The timeliness of data delivery is of utmost importance in systems like healthcare [6]. Intrusion of any kind may result in data lost, tampering, etc, leading to a chaotic condition. Thus the focus of research is now on developing full-proof IDS for the AmI model.

[1] Ketan Nadkarni, Amitabh Mishra, "Intrusion detection in MANETs - the second wall of defense," IEEE IECON, 2003.
[2] Rituparna Chaki, Nabendu Chaki, "IDSX: A Cluster Based Collaborative Intrusion Detection Algorithm for Mobile Ad-Hoc Network," cisim, pp.179-184, 2007.
[3] Poly Sen, Nabendu Chaki, Rituparna Chaki, "HIDS: Honesty-Rate Based Collaborative Intrusion Detection System for Mobile Ad-Hoc Networks," cisim, pp.121-126, 2008.
[4] Debdutta Barman Roy, Rituparna Chaki, Nabendu Chaki, "BHIDS: a new, cluster based algorithm for black hole IDS", Security and Communication Networks, Volume 3 Issue 2-3, Pages 278 - 288.
[5] Debdutta Barman Roy, Rituparna Chaki, Nabendu Chaki, "A new cluster-based wormhole intrusion Detection algorithm for mobile ad-hoc Networks", International Journal of Network Security & Its Applications (IJNSA), Vol 1, No 1, April 2009.
[6] Linda Little, Pam Briggs, "Using AmI systems for exchanging health information: Considering trust and privacy issues", ESRC E-Society Conference, 2006.
[7] Eric J. Pauwels, Albert A. Salah, Romain Tavenard, "Sensor Networks for Ambient Intelligence", MMSP, 2007.