Cooperative intrusion detection for software-defined resource-constrained networks.

Bibliographic details
Year of defense: 2021
Main author: Nunez Segura, Gustavo Alonso
Advisor: Not informed by the institution
Defense committee: Not informed by the institution
Document type: Thesis
Access type: Open access
Language: eng
Defending institution: Biblioteca Digitais de Teses e Dissertações da USP
Graduate program: Not informed by the institution
Department: Not informed by the institution
Country: Not informed by the institution
Keywords in Portuguese:
Access link: https://www.teses.usp.br/teses/disponiveis/3/3141/tde-22022022-093544/
Abstract: Software-defined networking (SDN) is a paradigm meant to improve network programmability and management. These benefits motivated its adoption in Low-power and Lossy Networks (LLNs), such as the Internet of Things and wireless sensor networks, to address challenges of flexibility and resource reuse. SDN-based networks are vulnerable to denial of service (DoS) and distributed DoS (DDoS) attacks, and this vulnerability is critical in resource-constrained networks. Analyzing the state of the art for SDN-based LLNs, we identified two main challenges: scalability and complexity. Proposals with high detection performance are mainly centralized and require communication resources that are not compatible with LLNs, such as out-of-band communication and constant monitoring over short periods, which restricts scalability. There are also hybrid proposals that reduce packet traffic and the bottleneck effect, but these works reported lower performance than centralized approaches or required specific high-capability nodes inside the LLN to support the detection. To address this gap, we propose a cooperative intrusion detection strategy in which all nodes participate actively. We use centralized monitoring to detect anomalies in network behavior, adjusting the communication frequency to the network size and communication resources. At the same time, every LLN node monitors its own behavior at a higher sampling frequency to compensate for the delay of detection based on the centralized information. Intrusion detection is based on anomaly detection using change-point analysis. The proposed algorithm is a modified version of state-of-the-art CUSUM algorithms and is lightweight enough to run on TelosB motes, requiring only around 7.2 KB of memory. The cooperative intrusion detection was simulated on networks with 36, 100 and 225 nodes and a single controller. The results showed that by solving the complexity issues of distributed detection we were able to improve scalability without reducing detection or network performance, obtaining detection accuracy comparable to high-traffic centralized approaches without the need for high-capability devices. Moreover, the cooperation among nodes allowed us to identify the nodes launching the attack and the type of attack with a probability exceeding 0.89.
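The abstract names change-point analysis with a CUSUM-style statistic as the per-node detector but does not spell out how such a detector works. The following is an added example, written for this record and not taken from the thesis: it implements the textbook two-sided CUSUM (Page's test), not the thesis's modified algorithm, and runs it over constructed per-window packet counts at a single node. The baseline window, the three post-change scenarios, and the choices k = sigma/2 and h = 5 sigma are all assumptions made for the illustration. The detector state is just three floats, which is why a CUSUM-class statistic fits the memory budget of a mote; a naive per-sample threshold is included only to show the kind of small, sustained shift that CUSUM catches and a single-sample rule misses.

```python
"""Two-sided CUSUM change-point detector over per-window packet counts.

Added illustration of the change-point idea described in the abstract. It is
the textbook (Page) CUSUM, not the thesis's modified algorithm, and every
traffic sample below is constructed, not measured.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cusum:
    """Accumulates positive and negative deviations from a baseline mean.

    mu0: expected value of the monitored statistic under normal operation
    k:   allowance (slack); deviations smaller than k are not accumulated
    h:   decision threshold; an alarm fires when either sum exceeds it
    """
    mu0: float
    k: float
    h: float
    s_pos: float = 0.0
    s_neg: float = 0.0

    def update(self, x: float) -> Optional[str]:
        """Feed one sample; return 'up', 'down' or None, resetting on alarm."""
        self.s_pos = max(0.0, self.s_pos + (x - self.mu0) - self.k)
        self.s_neg = max(0.0, self.s_neg + (self.mu0 - x) - self.k)
        if self.s_pos > self.h:
            self.s_pos = self.s_neg = 0.0
            return "up"
        if self.s_neg > self.h:
            self.s_pos = self.s_neg = 0.0
            return "down"
        return None


def baseline_stats(window: List[float]) -> Tuple[float, float]:
    """Mean and population standard deviation of a window of normal traffic."""
    n = len(window)
    mean = sum(window) / n
    var = sum((x - mean) ** 2 for x in window) / n
    return mean, var ** 0.5


def first_alarm(samples: List[float], mu0: float, k: float, h: float) -> Optional[Tuple[int, str]]:
    """Index and direction of the first CUSUM alarm in the sequence, or None."""
    det = Cusum(mu0, k, h)
    for i, x in enumerate(samples):
        direction = det.update(x)
        if direction:
            return i, direction
    return None


def first_threshold_alarm(samples: List[float], mu0: float, h: float) -> Optional[int]:
    """Naive per-sample rule for comparison: alarm when |x - mu0| exceeds h."""
    for i, x in enumerate(samples):
        if abs(x - mu0) > h:
            return i
    return None


# Constructed data (assumption): packets seen per 10 s window at one node,
# 30 normal windows followed by 10 windows after a change in behaviour.
NORMAL = [20, 22, 19, 21, 20, 23, 18, 20, 21, 19] * 3
FLOOD = NORMAL + [60, 58, 61, 60, 63, 59, 62, 60, 61, 58]   # abrupt flooding
SLOW_FLOOD = NORMAL + [24] * 10                            # small, sustained rise
SILENT = NORMAL + [0] * 10                                 # node stops forwarding

MU0, SIGMA = baseline_stats(NORMAL)
K, H = 0.5 * SIGMA, 5.0 * SIGMA   # common starting choices for the allowance and threshold


if __name__ == "__main__":
    for name, seq in (("flood", FLOOD), ("slow flood", SLOW_FLOOD), ("silent", SILENT)):
        print(f"{name:11s} cusum={first_alarm(seq, MU0, K, H)} "
              f"threshold={first_threshold_alarm(seq, MU0, H)}")
```

With this baseline (mean 20.3, sigma about 1.42) the abrupt flood and the silent node trip both rules in the first changed window, while the rise to 24 packets per window is under the single-sample threshold and is only caught by CUSUM, two windows after it begins; the per-window cost is two additions and two comparisons.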
Record fields (from the repository's Dublin Core export)
Title: Cooperative intrusion detection for software-defined resource-constrained networks.
Title (Portuguese): Detecção cooperativa de intrusos para redes definidas por software com recursos limitados.
Author: Nunez Segura, Gustavo Alonso
Contributors: Chorti, Arsenia; Margi, Cíntia Borges
Subjects (Portuguese): Ataques de negação de serviço (denial of service attacks); Codificação de programa (program coding); Detecção de intrusos (intrusion detection); Internet das coisas (Internet of Things); Redes de computadores (computer networks); Sensor
Subjects (English): Denial of service attack; Intrusion detection; Software-defined networking; Wireless sensor networks
Publication date: 2021-12-15
Status: publishedVersion (info:eu-repo/semantics/publishedVersion)
Document type: doctoralThesis (info:eu-repo/semantics/doctoralThesis)
Identifier (URI): https://www.teses.usp.br/teses/disponiveis/3/3141/tde-22022022-093544/
Language: eng
Rights: Release the content for public access. (info:eu-repo/semantics/openAccess)
Format: application/pdf
Publisher: Biblioteca Digitais de Teses e Dissertações da USP
Repository: Biblioteca Digital de Teses e Dissertações da USP - Universidade de São Paulo (USP)
Institution: Universidade de São Paulo (USP)