Gautam Biswas (current director), all deans and administrative staff of the department for all their support. Playing badminton with all of you has been one of the most enriching experiences of my life.
Network Security
Anomaly-based IDSs require purely attack-free training data to build the normal baseline profile of the network. An ARP spoofing attack, moreover, does not cause any change in the pattern of network communication.
Game Theory preliminaries
Alarms generated by the signature-based IDS are first correlated with the vulnerabilities in the Threat Profile to identify the potential true positive (TP) alarms. These alarms are then correlated with the vulnerabilities in the SVS to determine the final TP alarms.
Game Theory based IDSs and their issues
An IDS framework based on Bayesian game theory for analyzing the interaction between malicious node (attacker) and IDS (defender) in Ad-hoc wireless networks is proposed in [27]. An IDS game theoretic framework that models the interaction between the service provider and the attacker as a zero-sum intrusion detection game is proposed in [29].
Game theory-based false alarm minimization scheme for signature based IDS
Consequently, the proposed framework significantly reduces the false alarm rate of the signature-based IDS without degrading its overall detection rate. To address these issues, a new Bayesian game theory-based intrusion detection framework for MANETs is proposed as the second contribution of the thesis.
A game theory-based multi layered IDS framework for VANET
Organization of Thesis
On the other hand, event-based IDSs can detect those known attacks for which attack signatures cannot be generated. Event-based IDSs use the difference in the sequence of events that occur under normal and compromised conditions to detect these known attacks.
IDS Taxonomy
Signature based IDS
Signature-based IDSs (also known as misuse-based IDSs) correlate the network's data traffic with a set of known attack signatures stored in their rule databases to detect network intrusions. Many signature-based detection systems use regular expressions for pattern matching, so that a single rule can identify different variations of the same attack.
Event based IDS
An event-based IDS detects an ARP spoofing attack by monitoring the sequence of data packet events. It essentially acts as a state evaluator: it observes the sequence of packet events in the network and decides whether the observed progression of states corresponds to a normal scenario or an attack scenario.
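The state-evaluator idea above, as an added illustrative example written for this page (it is not the thesis's code): ARP requests open a pending state, and a reply either closes a matching request or deviates from the expected progression. Two deviations are reported, a reply nobody asked for and a solicited reply that changes an IP-to-MAC binding already learned. The event record, the bounded request window and the alert strings are assumptions made here, and the trace at the bottom is constructed, not captured traffic.

```python
"""Event-based ARP spoofing detector: a toy state evaluator over ARP events.

Added illustrative example, not the thesis's code. The event format, the
pending-request window and the alert strings are assumptions made here.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpEvent:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str   # for a reply, the host that asked


class ArpStateEvaluator:
    """Tracks the request -> reply progression and the IP->MAC bindings it creates.

    Two deviations from the normal progression are reported:
    * a reply that no prior request solicited (unsolicited reply), and
    * a solicited reply that changes an already learned IP->MAC binding.
    """

    def __init__(self, window: int = 64) -> None:
        # (requester_ip, asked_ip) pairs still awaiting a reply; bounded so a
        # flood of requests cannot grow state without limit.
        self.pending: Deque[Tuple[str, str]] = deque(maxlen=window)
        self.bindings: Dict[str, str] = {}      # ip -> mac learned from solicited replies
        self.alerts: List[str] = []

    def observe(self, ev: ArpEvent) -> Optional[str]:
        """Consume one event; return an alert string if the state progression is abnormal."""
        if ev.op == "request":
            self.pending.append((ev.sender_ip, ev.target_ip))
            return None
        if ev.op != "reply":
            raise ValueError(f"unknown ARP op {ev.op!r}")

        key = (ev.target_ip, ev.sender_ip)      # "target asked for sender's IP"
        if key not in self.pending:
            # Unsolicited replies never update the learned bindings.
            alert = f"unsolicited reply: {ev.sender_ip} is-at {ev.sender_mac}"
        else:
            self.pending.remove(key)
            known = self.bindings.get(ev.sender_ip)
            if known is None or known == ev.sender_mac:
                self.bindings[ev.sender_ip] = ev.sender_mac
                return None
            alert = f"binding change: {ev.sender_ip} {known} -> {ev.sender_mac}"
        self.alerts.append(alert)
        return alert


def evaluate(events: List[ArpEvent]) -> List[str]:
    """Run the evaluator over a whole trace and return the alerts it raised."""
    evaluator = ArpStateEvaluator()
    for e in events:
        evaluator.observe(e)
    return evaluator.alerts


# Constructed sample trace (not captured traffic): a normal exchange, then an
# attacker at MAC cc:... trying to poison the cache entry for 10.0.0.2.
SAMPLE_TRACE = [
    ArpEvent("request", "10.0.0.1", "aa:aa:aa:aa:aa:aa", "10.0.0.2"),
    ArpEvent("reply",   "10.0.0.2", "bb:bb:bb:bb:bb:bb", "10.0.0.1"),   # normal
    ArpEvent("reply",   "10.0.0.2", "cc:cc:cc:cc:cc:cc", "10.0.0.1"),   # nobody asked
    ArpEvent("request", "10.0.0.1", "aa:aa:aa:aa:aa:aa", "10.0.0.2"),
    ArpEvent("reply",   "10.0.0.2", "cc:cc:cc:cc:cc:cc", "10.0.0.1"),   # answers, but MAC changed
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_TRACE):
        print(line)
```

Because the attack is detected from the order of events rather than from traffic volume, a spoofer who keeps its packet rate identical to normal traffic is still caught; conversely, an attacker who races the legitimate host for the first reply claims the pending slot, and it is then the genuine reply that is reported as unsolicited, so the alert must be read as "the binding for this IP is contested" rather than as an identification of the attacker's MAC.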
Anomaly based IDS
Clustering is another major data mining technique that has been successfully applied to detect anomalies in network traffic [15] [48]. A machine learning-based anomaly detection system that uses a Bayesian network model to detect Distributed Denial of Service (DDoS) attacks is proposed in [20].
Issues with the existing IDS frameworks and motivation for thesis
Issues with the signature based IDSs
The severity of this issue can be gauged by the fact that sometimes up to 98% of the alerts generated by signature-based IDSs are FPs [58] [59]. Some of the alerts generated by a signature-based IDS may also lack valid reference numbers [64].
Issues with event based IDSs
However, the effectiveness of these schemes largely depends on the threshold values chosen to distinguish between the TP and FP alarms. On the other hand, setting a high threshold value decreases the detection rate, since most of the alarms corresponding to real attacks are dropped as FPs.
Issues with anomaly based IDSs
On the other hand, wireless networks such as Mobile Ad-hoc Networks (MANETs) and Wireless Sensor Networks (WSNs) are usually energy and resource constrained. Therefore, IDS frameworks proposed for wireless networks must not generate large amounts of intrusion detection-related traffic.
Game Theory
- Prisoner’s dilemma
- Matching pennies
- Non cooperative games
- Cooperative games
- Cooperation enforcement games
In addition, there is a class of incomplete-information games, called Bayesian games, in which each player holds beliefs about the other players in the form of an a priori probability distribution over their possible types. Such imposed cooperative behavior may not be in the best interests of the coalition actors.
Game theory-based IDS frameworks and their issues
A game theory-based intrusion detection framework to prevent Denial of Service (DoS) attacks in WSNs is proposed in [32]. Game theory-based IDS frameworks proposed for VANETs generate a significant volume of intrusion detection-related traffic.
Scope and contribution of thesis
Reducing the volume of IDS traffic: Wireless networks such as VANETs operate in a narrow-band wireless radio spectrum. The aforementioned non-cooperative game is then used to derive a probabilistic IDS monitoring strategy that significantly reduces the amount of IDS traffic injected into the vehicle network without degrading the overall performance of the IDS framework.
Conclusion
Although signature-based IDSs are effective at detecting a wide variety of network attacks, they are prone to high false alarm rates, i.e. normal data traffic is frequently misclassified as an intrusion. In general, reducing the FP alarm rate of an IDS by simple means such as raising its alert threshold also reduces its detection rate, because genuine attack alarms are dropped along with the false ones and the overall FN rate increases.
Related Works
They showed that their proposed mechanism improves the overall performance of the signature-based IDS. The detailed description of the proposed false alarm minimization scheme is discussed in Section 3.3.
Proposed false alarm minimization scheme
- Network’s Threat profile
- Global Vector Table
- Intrusion detection game model to generate the Sensible Vulnerability Set
- Sensible Vulnerability Set
The SVS is a subset of the network threat profile and includes the vulnerability sets with a high critical weight. Table 3.4 shows, in strategic form, the payoff matrix of the attacker and the IDS (defender) interacting via the network vulnerability $v_i \in V_i$.
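The two-stage correlation described in this chapter (alarms filtered first against the Threat Profile, then against the SVS), as an added illustrative example written for this page rather than the thesis's implementation. The alarm record layout, the host and vulnerability identifiers (V1 to V3 are placeholders, not real CVE ids), the scan-derived threat profile and the 0.70 critical-weight cut-off used to form the SVS are all assumptions made for this example.

```python
"""Two-stage correlation of signature IDS alarms with the Threat Profile and the SVS.

Added illustrative example, not the thesis's implementation. The alarm record
layout, the host/vulnerability identifiers (V1..V3 are placeholders, not real
CVE ids), the scan-derived threat profile and the 0.70 weight cut-off used to
form the SVS are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alarm:
    sid: int        # id of the signature that fired
    dst_host: str   # host the matched traffic was aimed at
    vuln_ref: str   # vulnerability the signature's reference field points to


# Threat profile: for each monitored host, the vulnerabilities actually present
# on it and their critical weight in [0, 1] (assumed to come from a vulnerability scan).
ThreatProfile = Dict[str, Dict[str, float]]


def sensible_vulnerability_set(profile: ThreatProfile, min_weight: float) -> Set[str]:
    """SVS: vulnerabilities in the profile whose critical weight is at least min_weight."""
    return {v for vulns in profile.values() for v, w in vulns.items() if w >= min_weight}


def correlate(alarms: List[Alarm], profile: ThreatProfile,
              min_weight: float = 0.70) -> Tuple[List[Alarm], List[Alarm]]:
    """Stage 1: keep alarms whose referenced vulnerability exists on the target host
    (potential TPs). Stage 2: keep those whose vulnerability is also in the SVS (final TPs).
    Returns (potential_tp, final_tp)."""
    svs = sensible_vulnerability_set(profile, min_weight)
    potential = [a for a in alarms if a.vuln_ref in profile.get(a.dst_host, {})]
    final = [a for a in potential if a.vuln_ref in svs]
    return potential, final


def false_alarm_reduction(alarms: List[Alarm], profile: ThreatProfile,
                          min_weight: float = 0.70) -> float:
    """Fraction of raw alarms discarded by the two stages (0.0 = nothing filtered)."""
    if not alarms:
        return 0.0
    _, final = correlate(alarms, profile, min_weight)
    return 1.0 - len(final) / len(alarms)


# Constructed inputs (not real scan or IDS output).
PROFILE: ThreatProfile = {
    "10.0.0.5": {"V1": 0.90, "V2": 0.40},
    "10.0.0.6": {"V3": 0.80},
}
ALARMS = [
    Alarm(1001, "10.0.0.5", "V1"),   # host has V1, V1 is critical -> final TP
    Alarm(1002, "10.0.0.5", "V2"),   # host has V2, but weight 0.40 < 0.70 -> potential only
    Alarm(1003, "10.0.0.5", "V3"),   # host does not have V3 -> FP
    Alarm(1004, "10.0.0.7", "V1"),   # host not in profile -> FP
    Alarm(1005, "10.0.0.6", "V3"),   # host has V3, V3 is critical -> final TP
]

if __name__ == "__main__":
    potential, final = correlate(ALARMS, PROFILE)
    print("potential TP sids:", [a.sid for a in potential])
    print("final TP sids:", [a.sid for a in final])
    print(f"discarded: {false_alarm_reduction(ALARMS, PROFILE):.0%}")
```

Stage 1 is the part that removes the bulk of the noise, since a signature that fires against a host lacking the referenced vulnerability cannot have succeeded. Stage 2 is a prioritisation rather than a correctness filter: alarm 1002 above targets a real but low-weight vulnerability and is dropped from the final set, so the potential list should be retained for review if that loss of detection is not acceptable in a given deployment.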
Performance Analysis
Analysis on the IDEVAL dataset
Therefore, the Nash equilibrium (NE) for the first case corresponds to the strategy combination, where both the defender and the attacker only defend and attack the vulnerabilities in the SVS with a certain probability distribution. For the second case, the SVS consists of the top 4 vulnerability sets from Table 3.5 with a critical weight between 0.70 and 1.0.
Analysis on the in-house testbed dataset
This implies that the proposed framework successfully filters out most of the FP alarms generated by Snort. We compare the performance of the proposed false alarm minimization scheme with various other frameworks to validate its effectiveness.
Conclusion
As shown in the figure, mobile devices in MANET are connected to the access network (which provides various quality of service (QoS), multimedia and access to security applications) through an access router. Therefore, nodes in MANET must cooperate among themselves and adopt a distributed intrusion detection mechanism to address various security threats to their overall well-being.
Related Works
Summarizing our studies on related works, we found that most MANET IDS frameworks that are not based on game theory are computationally intensive. Furthermore, most game theory-based MANET IDS frameworks are static in nature, where players' strategies and services are fixed and repeated over a period of time.
Proposed MANET IDS Framework
Bayesian game model for proposed MANET IDS framework
If $P_i$ is of the evil type and plays its pure strategy Attack, then the expected. However, when $P_j$ plays its pure strategy Monitor, $P_i$'s best response is to play its pure strategy Not Attack.
Energy efficient MANET cluster leader node election mechanism
The primary objective of the leader node election mechanism is to select the node $n_i$ with the least cost function value ($Cst_i$) as the cluster leader node. Finally, the node with the least cost function value is selected as the leader node by the algorithm.
Proposed Hybrid MANET IDS
Let $\alpha_L$ and $\gamma_L$ be the detection rate and the FP rate, respectively, of the lightweight IDS (LIDS). Correspondingly, $(1 - \alpha_L)$ and $(1 - \gamma_L)$ represent its false negative (FN) rate and true negative (TN) rate, respectively.
Experimental Results
MANET leader election mechanism analysis
Malicious nodes avoid being selected as the leader node by exaggerating their cost function value. This shows that the normal nodes are often chosen as the leader node and die out faster as the number of selfish nodes increases in the cluster.
Hybrid MANET IDS analysis
The association rules derived from these traces are then used to construct the normal network profile. The ERO of the proposed IDS scheme is mainly due to the exchange of election messages during the election process of the leading nodes and the controlling nodes.
Conclusion
Security challenges in VANET
Any intrusion detection framework proposed for VANET must therefore consider the following key issues. In particular, it must adopt an appropriate clustering algorithm that generates stable vehicle clusters in order to maintain network stability.
Related Works
REST-Net, a novel intrusion detection system for mitigating the authenticity and integrity problems in VANET, is proposed in [143]. We aim to address these issues in existing intrusion detection frameworks by proposing a game theory-based multi-layer intrusion detection framework for VANET.
Multi layered game theory-based hybrid intrusion detection framework
Attack types in VANET
Selective forwarding and black hole attacks: In the selective forwarding attack, the malicious vehicle selectively forwards data packets while dropping others. A malicious vehicle performing a DoS attack can be detected by calculating its Duplicate Packet Rate (DPR) and Packet Forwarding Rate (PFR) values.
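The DPR and PFR measurements mentioned above, as an added illustrative example written for this page (not the thesis's code), applied to all three misbehaviours in this passage: a low PFR separates selective forwarding from normal relaying, a zero PFR marks a black hole, and a high DPR marks a vehicle flooding the channel with repeated packets. The observation record, the exact definitions used (PFR = distinct received packets the vehicle re-transmitted divided by distinct packets handed to it; DPR = repeated transmissions of an already-sent packet divided by all transmissions), the thresholds and the observation window are assumptions made here.

```python
"""Per-vehicle Packet Forwarding Rate (PFR) and Duplicate Packet Rate (DPR).

Added illustrative example, not the thesis's code. The observation record,
the exact definitions used here and the thresholds are assumptions made for
this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Observation:
    vehicle: str   # vehicle being watched by the monitoring node
    kind: str      # "recv": packet handed to the vehicle; "send": packet it transmitted
    pkt_id: str    # identifier of the data packet


def forwarding_metrics(obs: Iterable[Observation]) -> Dict[str, Tuple[float, float]]:
    """Return {vehicle: (PFR, DPR)} computed from a window of observations."""
    received: Dict[str, Set[str]] = defaultdict(set)
    sent: Dict[str, Counter] = defaultdict(Counter)
    for o in obs:
        if o.kind == "recv":
            received[o.vehicle].add(o.pkt_id)
        elif o.kind == "send":
            sent[o.vehicle][o.pkt_id] += 1
        else:
            raise ValueError(f"unknown observation kind {o.kind!r}")

    metrics = {}
    for v in set(received) | set(sent):
        total_sent = sum(sent[v].values())
        forwarded = len(set(sent[v]) & received[v])      # distinct packets actually relayed
        duplicates = total_sent - len(sent[v])           # re-sends of an already-sent packet
        pfr = forwarded / len(received[v]) if received[v] else 1.0   # nothing to forward
        dpr = duplicates / total_sent if total_sent else 0.0
        metrics[v] = (pfr, dpr)
    return metrics


def classify(pfr: float, dpr: float, pfr_min: float = 0.5, dpr_max: float = 0.3) -> str:
    """Map the two rates to a behaviour label; the thresholds are illustrative."""
    if dpr > dpr_max:
        return "dos"                   # re-sending the same packets floods the channel
    if pfr == 0.0:
        return "black hole"            # drops everything it is asked to forward
    if pfr < pfr_min:
        return "selective forwarding"  # forwards some packets, drops the rest
    return "normal"


def assess(obs: Iterable[Observation]) -> Dict[str, str]:
    """Label every vehicle seen in the observation window."""
    return {v: classify(pfr, dpr) for v, (pfr, dpr) in forwarding_metrics(obs).items()}


# Constructed observation window (not captured traffic).
PACKETS = "p1 p2 p3 p4".split()
SAMPLE = (
    [Observation("A", "recv", p) for p in PACKETS]
    + [Observation("A", "send", p) for p in PACKETS]        # forwards all four
    + [Observation("B", "recv", p) for p in PACKETS]
    + [Observation("B", "send", "p1")]                      # forwards one of four
    + [Observation("C", "recv", p) for p in PACKETS]        # forwards nothing
    + [Observation("D", "recv", "p1")]
    + [Observation("D", "send", "p1") for _ in range(6)]    # same packet six times
)

if __name__ == "__main__":
    for vehicle, label in sorted(assess(SAMPLE).items()):
        print(vehicle, label)
```

The DPR check only sees a flood that repeats packet identifiers; a vehicle generating a large volume of distinct packets would pass this test and needs a rate-based check on top. The PFR check likewise needs a window long enough that a handful of packets lost to genuine channel errors does not push an honest vehicle below the threshold.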
Distributed cluster formation and CH election algorithms
In the proposed clustering algorithm, a vehicle can be in one of four states, namely the Undecided (UD) state, the Cluster Member (CM) state, the Cluster Head (CH) state and the Cluster Gateway (CG) state. In this subsection, we provide a detailed description of the PCH election process of the proposed clustering algorithm.
VCG mechanism based payment structure for CH
The value of $R_{th}$ is set to one-fourth of the average reputation value of the agent nodes in the cluster. The primary objective of the proposed CH election mechanism is to choose the vehicle $v_i \in C$ with the lowest cost function value ($Cst_{v_i}$) as CH.
Agent node’s Local Intrusion Detection System (LIDS) module
The SCF table of the agent node also stores the identities of vehicles blacklisted by the RSU and CH. When the agent node detects that the CH is malicious, it reports to the RSU.
CH’s Cluster Intrusion Detection System (CIDS) module
The strategy spaces of the CH and the malicious vehicle are $S_D = \{\text{Monitor}, \text{Not Monitor}\}$ and $S_A = \{\text{Attack}, \text{Wait}\}$, respectively. The malicious vehicle chooses to play its strategy Attack when $U_A(\text{Attack}) > U_A(\text{Wait})$, i.e. when the monitoring probability $q$ of the CH satisfies $q < \frac{1 - \alpha - \delta}{\alpha + \beta}$.
RSU’s Global Decision System (GDS) module
Therefore, the mixed strategy NE for the non-cooperative game between the malicious vehicle and the CH corresponds to the strategy combination $(p^*, q^*)$, where $p^* = \frac{\beta + \delta}{2 + \alpha + \beta + \delta - \gamma}$ and $q^* = \frac{1 - \alpha - \delta}{\alpha + \beta}$ are the probabilities that the malicious vehicle and the CH play their strategies Attack and Monitor, respectively. It can be observed that both the attack probability of the malicious vehicle and the monitoring probability of the CH are inversely proportional to the detection rate ($\alpha$) of the CH, i.e. $p^* \propto 1/\alpha$ and $q^* \propto 1/\alpha$.
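As an added check on the claim above (not part of the thesis text), the direction of the dependence on $\alpha$ follows directly from the two closed forms, under the assumption that all rates lie in $[0, 1]$ and both denominators are positive:

$$\frac{\partial q^*}{\partial \alpha} = \frac{-(\alpha + \beta) - (1 - \alpha - \delta)}{(\alpha + \beta)^2} = -\frac{1 + \beta - \delta}{(\alpha + \beta)^2} < 0 \quad (\delta \le 1),$$

$$\frac{\partial p^*}{\partial \alpha} = -\frac{\beta + \delta}{(2 + \alpha + \beta + \delta - \gamma)^2} < 0.$$

Both equilibrium probabilities therefore fall as the CH's detection rate $\alpha$ rises, which is the operational reading of "inversely proportional" here: strictly they are decreasing in $\alpha$ rather than equal to a constant over $\alpha$. Combined with the attacker's decision rule $q < q^*$ from the previous subsection, $q^*$ is also the monitoring budget: a CH that monitors in more than a fraction $q^*$ of its slots makes Attack a strictly worse response than Wait, while a CH that monitors less often than $q^*$ leaves Attack as the attacker's preferred response, so $q^*$ is the least monitoring effort (and hence the least IDS traffic) that still removes the attacker's incentive.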
Experimental Results
Simulated vehicular network traffic
It can be observed from the figure that the DR of the proposed framework increases as the number of agent nodes per cluster increases. The FAR of the proposed framework also increases with the number of agent nodes.
Real time vehicular network traffic
Conclusion
Scope of Future Work