Rodrigo Daniel do Carmo
Abstract
This work focuses on network security and introduces an active-probing technique for intrusion detection in wireless multihop networks.
Wireless networks have revolutionized personal communications over the past decades.
Millions of devices with wireless capabilities are sold to end customers every year: smartphones that enable access to the Internet almost everywhere, computers with wireless connections, personal watches, sports shoes, digital cameras, and even lenses with wireless capabilities. Today's communication capabilities are based on the concept of single-hop networks. The future and vision of wireless communications is to let radio devices form multihop networks. Wireless multihop networks can be instrumental in several scenarios, such as search and rescue in disaster areas, thus potentially helping to save lives. Detecting attacks that can disrupt network operation is therefore of utmost importance for many applications.
We found that the field of intrusion detection for wireless multihop networks is generally limited. Purely centralized intrusion detection systems are ill suited because wireless multihop networks lack a clear line of defense due to their distributed nature. The most studied approach to intrusion detection in wireless multihop networks is distributed intrusion detection, which consists of deploying detection sensors on all or part of the nodes of the network. Many different approaches following this distributed detection paradigm have been proposed in the literature, but there is still a lack of practical implementations. Some implemented systems showed that the overhead generated on the nodes is excessively high, which makes the distributed detection principle unsuitable for networks operating on resource-constrained devices. Moreover, passive eavesdropping of the wireless medium makes the detection of certain attacks difficult or impossible. Other proposed intrusion detection/mitigation systems require modifications to the base routing protocols in use, thus breaking compatibility with legacy systems.
In this dissertation we propose a novel approach to intrusion detection that overcomes the limitations of the existing approaches. Instead of deploying intrusion detection systems on the nodes of a wireless multihop network, we propose deploying nodes into the network only for this purpose. The intrusion detection nodes are trustworthy, as well as less limited in resources (computing resources, energy resources, mobility). In contrast to distributed intrusion detection systems in the literature, the intrusion detection nodes in our scheme do not detect attacks locally but detect them by examining the nodes of the network from the outside. To this end, we propose employing an active-probing technique in this dissertation. It uses an approach similar to the classical ping or active fingerprinting, i.e., it works by sending testing packets to a host and recording/analyzing its reaction. In addition, if we let the intrusion detection node be mobile, it can move through the network and examine all its nodes. The innovation of our approach is that, in contrast to fingerprinting or classical active techniques, we propose an active technique not to identify or characterize nodes, but to determine whether they work according to protocol specifications, as well as to detect malicious activities.
In this dissertation, we propose an active-probing technique for intrusion detection and show its conception, design and evaluation. While remaining general, we test our active-probing technique in an office wireless mesh testbed running the emerging mesh standard IEEE 802.11s. We perform a thorough evaluation of the active probing and its parameters. For example, we show how transmitting replications of testing packets can be beneficial under different network conditions and keeps false positive rates below 1.3%. We show how our active-probing technique detects attacks such as selective dropping of packets, black hole and colluding misrelay attacks with detection rates above 90%.
We model a temporal-selective Bayes classifier, which is generally applicable to other systems, to infer the state of a network node under test. For our purpose, it classifies whether a node misbehaves based on the outcome of a set of active probes. We design a recursive probe selection scheme based on the current posterior of the Bayes classifier and a prediction step. This reduces the number of active probes while maximizing the insight gained from the set of probes executed.
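To make the classifier and probe-selection loop concrete, the following is an added illustration and not the dissertation's own code. It assumes a two-state node model (normal/misbehaving), a constructed likelihood table of how often each probe type fails in each state, and uses expected information gain over the current posterior as a stand-in for the prediction step; the probe names and probabilities are invented for the example, and each probe is sent in several replicas so that a single lost packet is not counted as a failure.

```python
import math

# Constructed likelihood table: P(probe fails | node state).
# Assumed values for illustration, not measurements from the dissertation.
PROBES = {
    "forward_data":  {"normal": 0.05, "misbehaving": 0.90},
    "path_reply":    {"normal": 0.10, "misbehaving": 0.70},
    "neighbor_echo": {"normal": 0.02, "misbehaving": 0.30},
}
STATES = ("normal", "misbehaving")


def entropy(dist):
    """Shannon entropy (bits) of a distribution over STATES."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def update(posterior, probe, failed):
    """Bayes update of the node-state posterior after observing one probe outcome."""
    likelihood = {s: PROBES[probe][s] if failed else 1 - PROBES[probe][s] for s in STATES}
    joint = {s: posterior[s] * likelihood[s] for s in STATES}
    total = sum(joint.values())
    return {s: joint[s] / total for s in STATES}


def expected_info_gain(posterior, probe):
    """Prediction step (assumed): predict the outcome distribution of `probe`
    under the current belief and return the expected entropy reduction."""
    p_fail = sum(posterior[s] * PROBES[probe][s] for s in STATES)
    h_after = 0.0
    for failed, p_out in ((True, p_fail), (False, 1 - p_fail)):
        if p_out > 0:
            h_after += p_out * entropy(update(posterior, probe, failed))
    return entropy(posterior) - h_after


def select_probe(posterior, remaining):
    """Recursive probe selection: pick the probe the current posterior says is most informative."""
    return max(remaining, key=lambda pr: expected_info_gain(posterior, pr))


def classify(run_probe, prior=0.2, threshold=0.95, replications=3):
    """Probe a node until the posterior is confident or no probes remain.

    run_probe(name) is a hypothetical transport hook returning True if that
    probe failed (e.g. no correct reply). A probe counts as failed only if
    every replica fails, which absorbs ordinary wireless loss.
    Returns (verdict, posterior, trace).
    """
    posterior = {"normal": 1 - prior, "misbehaving": prior}
    remaining = set(PROBES)
    trace = []
    while remaining and max(posterior.values()) < threshold:
        probe = select_probe(posterior, remaining)
        remaining.remove(probe)
        failed = all(run_probe(probe) for _ in range(replications))
        posterior = update(posterior, probe, failed)
        trace.append((probe, failed, round(posterior["misbehaving"], 3)))
    verdict = max(posterior, key=posterior.get)
    return verdict, posterior, trace


# Constructed node behaviours used in place of a real mesh node.
def honest_node(probe):
    return False  # answers every probe correctly


def black_hole_node(probe):
    # Drops data and path replies but still answers neighbour echoes.
    return probe in ("forward_data", "path_reply")


if __name__ == "__main__":
    for name, node in (("honest", honest_node), ("black hole", black_hole_node)):
        verdict, post, trace = classify(node)
        print(f"{name}: {verdict} (P(misbehaving)={post['misbehaving']:.3f}) via {trace}")
```

The loop stops as soon as one state crosses the confidence threshold, so an honest node is typically cleared after one or two probes, while a misbehaving node is flagged without having to run the full probe set.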
We also show that other passive techniques can complement an active-probing-based intrusion detection system. We further propose a lightweight metric called neighbor variation rate for anomaly detection. We study how the neighborhood varies over time and capture it as a single measurable quantity. We create a detection model based on this metric and apply it to anomaly/intrusion detection.
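As an added example of what such a neighborhood-based metric can look like (this is illustrative code, not the dissertation's definition or implementation), the block below assumes the variation rate between two consecutive neighbor-table snapshots is the fraction of the combined neighborhood that changed, and flags a transition as anomalous when the rate jumps well above the recent baseline. The snapshots are constructed: a stable mesh neighborhood with mild churn, followed by one instant in which the entire neighbor set is replaced.

```python
from statistics import mean


def neighbor_variation_rate(prev, curr):
    """Assumed definition: |prev XOR curr| / |prev OR curr|.
    0.0 means the neighborhood is unchanged, 1.0 means it was fully replaced."""
    union = prev | curr
    return len(prev ^ curr) / len(union) if union else 0.0


def detect_anomalies(snapshots, window=3, margin=0.4):
    """Return a list of (t, rate, flagged) for each transition t-1 -> t.

    A transition is flagged when its variation rate exceeds the mean of the
    previous `window` rates by more than `margin`, so ordinary churn that
    stays near the baseline is tolerated while a sudden burst is reported.
    """
    rates, results = [], []
    for t in range(1, len(snapshots)):
        rate = neighbor_variation_rate(snapshots[t - 1], snapshots[t])
        baseline = mean(rates[-window:]) if rates else 0.0
        flagged = rate > baseline + margin
        results.append((t, round(rate, 3), flagged))
        rates.append(rate)
    return results


# Constructed neighbor-table snapshots of one mesh node, one per observation
# interval. Names are placeholders, not real station addresses.
SNAPSHOTS = [
    {"A", "B", "C", "D", "E", "F"},
    {"A", "B", "C", "D", "E", "F"},   # t=1: no change
    {"A", "B", "C", "D", "E", "G"},   # t=2: F left, G joined (normal churn)
    {"A", "B", "C", "D", "E", "G"},   # t=3: stable
    {"A", "B", "C", "D", "G", "H"},   # t=4: E left, H joined
    {"X1", "X2", "X3", "X4", "X5", "X6"},  # t=5: whole neighborhood replaced
    {"X1", "X2", "X3", "X4", "X5", "X6"},  # t=6: stable again
]

if __name__ == "__main__":
    for t, rate, flagged in detect_anomalies(SNAPSHOTS):
        print(f"t={t} rate={rate:.3f} {'ANOMALY' if flagged else 'ok'}")
```

Because the metric only needs the node's own neighbor table, it can be computed passively and cheaply, which is what makes it a plausible complement to the active probes rather than a replacement for them.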
Last but not least, we provide the community with a modular implementation and documentation of our active intrusion detection system for wireless mesh networks as open source software available for free online.