6 research outputs found

    Intrusion Detection System Resiliency to Byzantine Attacks: The Case Study of Wormholes in OLSR

    In this paper we extend the work presented in [1], [2] by quantifying the effects of in-band wormhole attacks on Intrusion Detection Systems. More specifically, we propose a mathematical framework for obtaining performance bounds of Byzantine attackers and the Intrusion Detection System (IDS) in terms of detection delay. We formulate the problem of distributed collaborative defense against coordinated attacks in MANET as a dynamic game problem. In our formulation we have on the one hand a group of attackers that observe what is going on in the network and coordinate their attack in an adaptive manner. On the other side, we have a group of defending nodes (the IDS nodes) that collaboratively observe the network and coordinate their actions against the attackers. Using extensions of the game theoretic framework of [3] we provide a mathematical framework for efficient identification of the worst attacks and damages that the attackers can achieve, as well as the best response of the defenders. This approach leads to quantifying resiliency of the routing-attack IDS with respect to Byzantine attacks

    Data analytics methods for attack detection and localization in wireless networks

    A wireless ad hoc network operates without any fixed infrastructure or centralized administration. It is a group of wirelessly connected nodes having the capability to work as host and router. Due to its features of open communication medium, dynamically changing topology, and cooperative algorithm, security is the primary concern when designing wireless networks. Compared to the traditional wired network, a clean division of layers may be sacrificed for performance in wireless ad hoc networks. As a result, they are vulnerable to various types of attacks at different layers of the protocol stack. In this paper, I present real-time series data analysis solutions to detect various attacks including in-band wormhole attacks in the network layer, various MAC layer misbehaviors, and jamming attacks in the physical layer. I also investigate the problem of node localization in wireless and sensor networks, where a total of n anchor nodes are used to determine the locations of other nodes based on the received signal strengths. A range-based machine learning algorithm is developed to tackle the challenges -- Abstract, page iii

    Detecting wormhole and Byzantine attacks in mobile ad hoc networks

    The recent advancements in wireless technology and their widespread utilization have made tremendous enhancements in productivity in the corporate and industrial sectors. However, this recent progress has also introduced new security vulnerabilities. Since the wireless shared medium is completely exposed to outsiders, it is susceptible to attacks that could target any of the OSI layers in the network stack. For example, jamming of the physical layer, disruption of the medium access control (MAC) layer coordination packets, attacks against the routing infrastructure, targeted attacks on the transport protocol, or even attacks intended to disrupt specific applications. Unfortunately, the effects of applying the security techniques used in wired networks, such as access control and authentication, to wireless and mobile networks have been unsatisfactory due to the unique features of such networks. As a result, achieving security goals for mobile ad hoc networks (MANET) has gained significant attention in recent years. Many critical applications of MANET, such as emergency rescue operations, military tactical communication, and business operations like mining and oil drilling platforms, require a friendly and cooperative environment. The aim of this study is to design detection mechanisms for traditional wormhole and Byzantine wormhole attacks by using topological comparison and round trip time (RTT) measurements. The first step for detecting a traditional wormhole attack is that an initiator of the detection process populates its one-hop neighbor list, and also calculates the average round trip time (RTTavg). Meanwhile, a list of suspected neighbors is generated on the basis of RTTavg and RTT. Then, topological information is exchanged between the initiator and all the suspected neighbors to detect the presence of a wormhole link. In this thesis, we also focus on detecting Byzantine wormhole attacks in MANET. In the case of detecting such attacks, the initiator creates its one-hop neighbor list and calculates the average RTTavg. The initiator also generates a suspected list of its three-hop neighbors. In the next phase, the initiator exchanges topological information with all the one-hop neighbors to detect the presence of any Byzantine wormhole tunnel. One of the major concerns for the topological comparison based approach is to give the initially suspected nodes a second chance to prove their reliability by exchanging topological information. We have implemented the detection algorithms in the ad hoc on-demand distance vector (AODV) and optimized link state routing (OLSR) routing protocols. Then, performance evaluation of the proposed detection mechanisms is conducted. We also compared our proposed detection methods with some of the existing detection methods by simulation. The results show that our schemes can achieve better detection performance

    Protocols for Detection and Removal of Wormholes for Secure Routing and Neighborhood Creation in Wireless Ad Hoc Networks

    Wireless ad hoc networks are suitable and sometimes the only solution for several applications. Many applications, particularly those in military and critical civilian domains (such as battlefield surveillance and emergency rescue) require that ad hoc networks be secure and stable. In fact, security is one of the main barriers to the extensive use of ad hoc networks in many operations. The primary objective of this dissertation is to propose protocols which will protect ad hoc networks from wormhole attacks - one of the most devastating security attacks - and to improve network stability. Protocols that depend solely on cryptography techniques such as authentication and encryption can prevent/detect several types of security attacks; however, they will not be able to detect or prevent a wormhole attack. This attack on routing in ad hoc networks is also considered to be the main threat against neighborhood discovery protocols. Most of the proposed mechanisms designed to defend against this type of attack are based on location information or time measurements, or require additional hardware or a central entity. Other protocols that relied on connectivity or neighborhood information cannot successfully detect all of the various types and cases of wormhole attacks. In the first part of this dissertation, we present a simple, yet effective protocol to detect wormhole attacks along routes in ad hoc networks. The protocol is evaluated using analysis and simulations. In the second part, we present a secure neighbor creation protocol that can securely discover the neighbors of a node in ad hoc networks, and detect and remove wormhole links, if they exist. The proposed protocols do not require any location information, time synchronization, or special hardware to detect wormhole attacks. To the best of our knowledge, this is the first protocol that makes use of cooperation rules between honest nodes. 
Use of such rules will reduce the overhead associated with the number of checks to be performed in order to detect wormholes and to create a secure neighborhood. This is also the first protocol, to our knowledge, that addresses the complete removal of bogus links without removing legal links

    In-Band Wormholes and Countermeasures in OLSR Networks

    No full text