Conference: International Conference on e-Business and Telecommunications

USING ATTACK GRAPHS IN AD HOC NETWORKS: For Intrusion Prediction Correlation and Detection

Abstract

Ad hoc networks have many applications; however, a vital problem concerning their security must be solved in order to realize these applications. Hence, there is a strong need for intrusion detection as a frontline security research area for ad hoc network security. Among intrusion detection techniques, anomaly detection is advantageous since it does not need to store and regularly update profiles of known attacks. In addition, intrusion detection is not limited to the stored attack profiles, which allows the detection of new attacks. Therefore, anomaly detection is more suitable for the dynamic and resource-limited nature of ad hoc networks. For appropriately constructed network models, attack graphs have shown their utility in organizing combinations of network attacks. In this paper, we suggest the use of attack graphs in ad hoc networks. As an example, we give an attack graph that we have created for the wormhole attack. For anomaly prediction, correlation, and detection in ad hoc networks, we suggest the use of two methods that rely essentially on attack graphs. The first method is based on the attack graph adjacency matrix and helps in the prediction of single-step or multi-step attacks and in the categorization of the relevance of intrusion alarms. The second method uses attack graph distances for correlating intrusion events and building attack scenarios. Our approach is more appropriate to the collaborative and dynamic nature of ad hoc networks, especially at the application level.