CORDIS - EU research results
Content archived on 2024-05-28

Security management in multi-radio networks

Final Report Summary - SECURINET (Security management in multi-radio networks)

The emergence of novel networking technologies, e.g. Wi-Fi-enabled ad hoc networks, Radio frequency identification (RFID) and 3G+, is driving the need for a solution that securely interconnects changing sets of clients and services. To ensure the desired level of security, we aimed to provide a novel Multi-Radio enabled Distributed Security Operation Centre (MR-DSOC). This centre was intended to detect intrusions (e.g. intrusions targeting the routing protocol) in a distributed manner, so as to avoid a single point of failure and to deal with the cooperative nature of today's networks.

As first steps towards this goal, attacks reported in the literature were surveyed and categorised using a representation / formalism that captures the complexity of, and temporal dependencies between, their constituent sub-tasks. Based on these modelled attacks, we further derived an appropriate distributed intrusion detection approach, which parses events as close as possible to the device that generates them so as to reduce the number of long-distance communications. Intrusion detection then takes place on the parsed events.

This consists in analysing a sequence of events so as to identify a pattern that characterises an intrusion attempt. Such a system, known as a signature-based intrusion detection system, has been designed, developed and tested in a Wi-Fi-enabled ad hoc network. In addition, this system is complemented with an anomaly detector that aims to find patterns in the events which do not conform to the expected behaviour. For this purpose, a Kohonen map, a powerful tool for automatically categorising system activity, is used. In practice, the events provided by the monitored system are first pre-processed in order to train a Kohonen map, which makes it possible to define a region representing the normal behaviour of the observed subject. Based on the trained Kohonen map, any activity that does not fit within the defined normal behaviour is identified as an anomaly. Such a backend method does not require amending the technical specification of the subject.

Meanwhile, it also makes it possible to detect undiscovered attacks (i.e. anomalies that deviate from normal behaviour) that are not yet reported in the literature. A prototype of an anomaly detection system has been developed, tested (focusing on a spoofing attack) and validated on an RFID system. Experiments show that the time and memory required by the training phase and the anomaly detection together are minimal.
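The train-then-flag scheme described above can be sketched as follows. This is an added example, not code from the SECURINET project: the two event features, the map size and the threshold rule (a margin over the worst quantisation error seen in training) are assumptions, and the sample data is constructed.

```python
import math
import random

def bmu(weights, x):
    """Index of the best-matching unit for event x and its distance to x."""
    d = [math.sqrt(sum((a - b) ** 2 for a, b in zip(w, x))) for w in weights]
    i = min(range(len(d)), key=d.__getitem__)
    return i, d[i]

def train_som(data, rows=4, cols=4, epochs=40, seed=7):
    """Train a rows x cols Kohonen map on pre-processed normal events."""
    rng = random.Random(seed)
    grid = [(r, c) for r in range(rows) for c in range(cols)]
    weights = [list(rng.choice(data)) for _ in grid]
    steps, t = epochs * len(data), 0
    for _ in range(epochs):
        for x in rng.sample(data, len(data)):
            frac = t / steps
            lr = 0.5 * (1 - frac)                       # decaying learning rate
            sigma = max(0.5, max(rows, cols) / 2 * (1 - frac))  # shrinking radius
            win, _dist = bmu(weights, x)
            for j, w in enumerate(weights):
                g2 = (grid[j][0] - grid[win][0]) ** 2 + (grid[j][1] - grid[win][1]) ** 2
                h = math.exp(-g2 / (2 * sigma ** 2))    # neighbourhood pull
                for k in range(len(w)):
                    w[k] += lr * h * (x[k] - w[k])
            t += 1
    return weights

def fit_threshold(weights, data, margin=1.5):
    """Assumed rule: normal region = distance to the map below
    margin * worst quantisation error seen on the training events."""
    return margin * max(bmu(weights, x)[1] for x in data)

def is_anomaly(weights, threshold, x):
    """An event that falls outside the trained normal region is an anomaly."""
    return bmu(weights, x)[1] > threshold

# Constructed sample data: normalised (inter-read interval, signal strength)
# per tag read. These features are hypothetical, not taken from the project.
_rng = random.Random(1)
NORMAL = [(_rng.gauss(0.5, 0.05), _rng.gauss(0.6, 0.05)) for _ in range(200)]
SOM = train_som(NORMAL)
THRESHOLD = fit_threshold(SOM, NORMAL)

if __name__ == "__main__":
    for event in [(0.52, 0.58), (0.02, 0.98)]:  # typical read, constructed outlier
        verdict = "anomaly" if is_anomaly(SOM, THRESHOLD, event) else "normal"
        print(event, verdict)
```

Because the detector only consumes observed events, it matches the report's point that the monitored system's specification needs no change; the margin trades false alarms against missed deviations and would need tuning on real traffic.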

Overall, such a multi-radio enabled distributed security operation centre, integrating anomaly and intrusion detection as well as event aggregation capabilities, helps make it less profitable for malicious intruders to gain unauthorised access to personal or institutional resources. From a sociological point of view, this project hence contributes to increasing safety and security by fighting against illegal intrusions.