IoT 607: IoT Security IDS, IPS Raghudathesh G P

IoT 607: IoT Security

IDS, IPS:
Intrusion Detection Systems, Intrusion Prevention System (2 Hrs.)

BY:

P
RAGHUDATHESH G P
Asst Professor
Dept of ECE, GMIT

G
Davangere - 577004
Cell: +91 - 7411459249
Mail: datheshraghu@gmail.com

H
Website: raghudathesh.weebly.com
GitHub : https://github.com/dathu

ES
Youtube: dathu’s class

Quotes:
H
 We can make a million excuses or a million dollars.
 If our eyes are positive, We will love the world but If our tounge is positive the world
AT
will love us.
 Confidence is silent - Insecurities are loud.
 Time & good friends are two things that become more valuable the older we get.
D

 We get most things in life not by taking but by giving.

 The things we say about others - Say a lot about us.
U
H
G
RA

SOIS, Manipal raghudathesh.weebly.com Page - 1

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

Intrusion Detection Systems:

 Intrusion Detection Systems (IDS) are devices or software applications that monitor
network or system activities for malicious activities or policy violations and send reports
to a management station.
 While anomaly detection and reporting is the primary function, some intrusion detection

P
systems are capable of taking actions when malicious activity or anomalous traffic is
detected, including blocking traffic sent from suspicious IP addresses.

G
 Capabilities of intrusion detection systems:
 Intrusion detection systems monitor network traffic in order to detect when an

H
intrusion is being carried out by unauthorized entities.
 IDS do this by providing some or all of these functions to security professionals:

ES
1. Monitoring the operation of routers, firewalls, key management servers
and files that are needed by other security controls aimed at detecting,
preventing or recovering from cyberattacks;
H
2. Providing administrators a way to tune, organize and understand relevant
operating system audit trails and other logs that are often otherwise
AT
difficult to track or parse;
3. Providing a user-friendly interface so non-expert staff members can assist
with managing system security;
D

4. Including an extensive attack signature database against which

U

information from the system can be matched;

5. Recognizing and reporting when the IDS detects that data files have been
H

altered;
6. Generating an alarm and notifying that security has been breached; and
G

7. Reacting to intruders by blocking them or blocking the server.

 An intrusion detection system may be implemented as a software application running on
RA

customer hardware, or as a network security appliance; cloud-based intrusion detection

systems are also available to protect data and systems in cloud deployments.

SOIS, Manipal raghudathesh.weebly.com Page - 2

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

 Taxonomy of IDS for IoT

P
G
H
 Ids Placement Strategy:

ES
H
1. Distributed IDS Placement Strategy:
 In a distributed IDS placement, the IDS placed every physical object for
AT
detecting attacks.
 The main goal of these IDS is to decrease the number of matches needed
for detecting attacks.
D

 The main objective of these IDs to minimize the computational resources

needed for intrusion detection. These IDs also manage the node energy
U

and control the inbound and outbound traffic.

 If the IDS detect any attacks it broadcasts a message to alert all nodes.
H

2. Centralized IDS Placement Strategy:


G

In a centralized IDS placement, the IDS placed in a centralized component

used for analyzing the packets that pass through the border router between
RA

the physical and the network domain.

 This method is monitoring only the border router traffic.
 The IDS sensors in the Low power and Lossy Networks (LLN) were
responsible for sniffing the network traffic and sending this data to the
IDS analysis engine.

SOIS, Manipal raghudathesh.weebly.com Page - 3

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

 The IDS dedicated host is wire connected to the IDS sensors, avoiding the
transmission of IDS data and network regular data in the same wireless
network. Therefore, if a DoS attack degrades the wireless transmission
quality, IDS data transmission would not be affected.
3. Hybrid Ids Placement:

P
 Hybrid IDS placement combines the concepts of centralized and
distributed placement to take advantage of their strong points and avoid

G
their drawbacks.
 The first approach for hybrid placement organizes the network into
clusters or regions, and only the main node of each cluster hosts an IDS

H
instance. Then, this node becomes responsible for monitoring the other

ES
nodes of its cluster.
 The hybrid placement IDSs may be designed to consume more resources
than distributed placement IDSs.

H
Selected nodes in the network host an IDS. These selected nodes
(watchdogs) aim to identify intrusions by eavesdropping the exchanged
AT
packets in their neighborhood. The watchdog decides whether a node is
compromised according to a set of rules. Each watchdog has a particular
set of rules because each component in the network might have a different
D

behavior.
 Ex: a border router usually experiences higher rates of messages than a
U

regular node. The advantage of this approach relies on allowing the

H

construction of a different set of rules for each area of the network.

G

 Types of IDS:
1. Signature Based Ids:
RA

 In signature-based approaches, IDSs detect attacks when system or

network behavior matches an attack signature stored in the IDS internal
databases.
 If any system or network activity matches with stored patterns/signatures,
then an alert will be triggered.

SOIS, Manipal raghudathesh.weebly.com Page - 4

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

 Signature-based IDS that employs Artificial Immune System mechanisms.

Detectors with attack signatures were modeled as immune cells that can
classify datagrams as malicious (non-self element) or normal (self-
element). Moreover, detectors can evolve to adapt to new conditions in the
monitored environment.

P
2. Anomaly Based IDS:
 This technique is also known as event-based detection. This technique

G
identifies malicious activities by analyzing the event.
 Firstly, it defines the normal behavior of the network. Then, if any activity
differs from normal behavior then its mark as an intrusion.

H
 In this approach, a malicious node can be detected by matching the

ES
current protocol specification with previously defined protocol state. This
approach detects attacks more efficiently than Signature based IDS.
3. Specification Based IDS:

H
This technique is somewhat similar to anomaly detection technique. In this
technique, the normal behavior of the network is defined by manually, so
AT
it gives less incorrect positives rate.
 This technique attempts to extract best between signature-based and
anomaly based detection approaches by trying to clarify deviations from
D

normal behavioral patterns that are created neither by the training data nor
by the machine learning method.
U

 The development of attack or protocol specification is done by manually

H

so it takes more time. So, this can be a disadvantage of this approach.

4. Hybrid Approaches:
G

 Hybrid approaches use concepts of signature-based, specification-based

and anomaly based detection to maximize their advantages and minimize
RA

the impact of their drawbacks.

 Security Threats:
 The objective of this subsection is to discuss how different attack types have been
addressed in the IDS proposals for IoT. Enabling IoT solutions involves a

SOIS, Manipal raghudathesh.weebly.com Page - 5

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

composition of several technologies, services, and standards, each one with its
security and privacy requirements.
 With this in mind, it is reasonable to assume that the IoT paradigm has at least the
same security issues as mobile communication networks (e.g., WSNs), cloud
services and the Internet.

P
 We shall assess the performance of their IDS with conventional attack scenarios
that included worm propagation, tunneling, SQL code injection, and directory

G
traversal attacks.
1. Sinkhole Attack:
 In this attack, malicious node attracts network traffic towards it. To launch

H
these types of attack, a malicious node attract all adjacent nodes to

ES
forward their packets through the malicious node by showing its routing
cost minimum.
 The attacker creates an attack by introducing false node inside a network.

H
R.Stephen proposed an Intrusion Detection System (IDS) to detect the
sinkhole attack in the network which uses the RPL as a routing protocol.
AT
The proposed algorithm uses the detection metrics such as number of
packets received and transmitted to validate the Intrusion Ratio (IR) by the
IDS agent.
D

 A technique is proposed to identify whether the router node is a malicious

node or not using the IR value. If IDS system detects the malicious node,
U

it sends the alert message to the leaf nodes to isolate the malicious node in
H

next data transmission. The aim of the proposed work is to minimize the
Intrusion Ratio.
G

2. Wormhole attack:
 In this attack, the adversary node creates a virtual tunnel between two
RA

ends. An adversary node acts as a forwarding node between two actual

nodes.
 The wormhole attack can also be used to convince two distinct nodes that
they are the neighbors by relaying packets between two of them.

SOIS, Manipal raghudathesh.weebly.com Page - 6

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

 Pavan Pongle Gurunath Chavan proposed system is a novel intrusion

detection system for the IoT, which is capable of detecting Wormhole
attack and attacker.
 The proposed methods uses the location information of node and
neighbor information to identify the Wormhole attack and received signal

P
strength to identify attacker nodes.
 Design of such system will help in securing the IoT network and may

G
prevents such attacks.
 This method is very energy efficient and only takes fixed number of UDP
packets for attack detection, hence it is beneficial for resource constrained

H
environment.

ES
3. Selective Forwarding Attack:
 In this attack, malicious node acts as a normal node but it selectively drops
some packets.

H
Black hole attack is the simplest form of selective forwarding attack in
which all packets are dropped by the malicious node.
AT
 Shapla Khanam et.al propose a game - theory based attack model to
analyze the malicious behavior of attackers in the IoT networks.
 In this model two players are involved in the game where player_1 and
D

player_2 play to maximize and minimize the throughputs of the network

respectively. Additionally, a hop-by-hop acknowledgement (ACK)
U

algorithm is also presented detect malicious attacker in order to defend

H

networks from selective forwarding attacks in IoT.

4. Sybil Attack:
G

 In this attack, the node has multiple identities. The routing protocol,
detection algorithm and co-operation processes can be attacked by a
RA

malicious node.
 Kuan Zhang et.al defines three types Sybil attacks: SA-1, SA-2, and SA-3
according to the Sybil attacker’s capabilities and then present some Sybil
defense schemes, including social graph-based Sybil detection (SGSD),

SOIS, Manipal raghudathesh.weebly.com Page - 7

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

behavior classification-based Sybil detection (BCSD), and mobile Sybil

detection with the comprehensive comparisons.
 Finally, they discuss the challenging research issues and future directions
for Sybil defense in IoT.
5. Denial Of Service (DOS) Attack:

P
 This attack can damage the availability of resources. When this attack is
made, resources are not available to legitimate users.

G
 Such type of attacks, when launched by various malicious nodes is called
DDoS. This attack may affect the network resources, bandwidth, CPU
time etc.

H


ES
Validation Strategy:
 A validation consists of checking that the built model behaves with satisfactory
accuracy within the study objectives.
H
 There are many validation techniques, and they may be distinguished by two
sources of information:
AT
a. Experts: the use of experts provides a subjective and often qualitative
model validation
b. Data: the use of data may allow a quantitative and more objective
D

validation
 The validation strategy employed in the intrusion detection methods for IoT
U

includes:
H

1. Hypothetical: Hypothetical examples, having unclear relation to actual

phenomena and degree of realism.
G

2. Empirical: Empirical methods, such as systematic experimental gathering

of data from operational settings.
RA

3. Simulation: Simulation methods of some IoT scenario.

4. Theoretical: Formal or precise theoretical arguments to support results.

SOIS, Manipal raghudathesh.weebly.com Page - 8

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

Intrusion Prevention System:

 The term Intrusion Prevention Systems (IPS) is relatively new, often pushed by the
marketing departments to move the IDS manufactures away from the negative image of
Intrusion Detection Systems.
 They are essentially a combination of access control (firewall/router) and Intrusion

P
Detection Systems, this alliance coming naturally as both technologies often use shared
technologies.

G
 Predominantly an IPS is not only found on security appliances, such as certain firewalls,
but also on stand alone appliances delivered.


H
The idea to implement IPS here is driven by commercial as well as technical aspects. To-
date IPS have had the most success with ‘‘flood’’ (i.e. DoS) type attacks.

ES
 The devices often look like firewalls and often have some basic firewall functionality. But
firewalls block all traffic except that for which they have a reason to pass, whereas IPS
pass all traffic except that for which they have a reason to block.
H
 Definition: An IPS can be defined as an in-line product that focuses on identifying and
blocking malicious network activity in real time.
AT
 There are two categories:
1. Rate-based IPS:
 Rate-based Intrusion Prevention Systems block traffic based on network load.
D

 Ex.: too many packets, or too many connects, or too many errors.
U

 In the presence of too much of anything, a rate-based IPS kicks in and blocks,
throttles or otherwise mediates the traffic.
H

 Most useful rate-based IPS include a combination of powerful configuration

options with range of response technologies.
G

 E.x: limit queries to the DNS server to 1000 per second and/or offer other
simple rules covering bandwidth and connection limiting.
RA

 A rate-based Intrusion Prevention System can set a threshold of maximum

amount of traffic to be directed at a given port or service.
 If the threshold is exceeded, the IPS will block all further traffic of the source
IP only, still allowing other users (source IPs) to use that service.
2. Content-Based Products:

SOIS, Manipal raghudathesh.weebly.com Page - 9

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

 Content-base Intrusion Prevention Systems block traffic based on attack

signatures and protocol anomalies; they are the natural evolution of the
Intrusion Detection Systems and firewalls.
 They block the following:
1. Worms e (e.g. Blaster and MyDoom) that match a signature can be

P
blocked.
2. Packets that do not comply with TCP/IP RFCs can be dropped.

G
3. Suspicious behavior such as port scanning triggers the IPS to block
future traffic from a single host.
 The best content-based IPS offer a range of techniques for identifying

H
malicious content and many options for how to handle the attacks, such as

ES
simply dropping bad packets to dropping future packets from the same
attacker, and advanced reporting and alerting strategies.
 As content-based IPS offer IDS-like technology for identifying threats and
H
blocking them, they can be used deep inside the network to complement
firewalls and provide security policy enforcement as they often require less
AT
manual maintenance and fine-tuning to perform a useful function than their
rate-based cousin.
D
U
H
G
RA

SOIS, Manipal raghudathesh.weebly.com Page - 10

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

A Snap Shot of Top Industrial IDS and IPS Providers:

P
G
H
ES
H
AT
D
U
H
G
RA

SOIS, Manipal raghudathesh.weebly.com Page - 11

 IoT 607: IoT Security IDS, IPS Raghudathesh G P

Question Bank:

1. Explain Intrusion Detection Systems?

2. Intrusion Prevention System?

P
G
H
ES
H
AT
D
U
H
G
RA

SOIS, Manipal raghudathesh.weebly.com Page - 12