Creating and Maintaining a Good Intrusion Detection Hierarchy in Dynamic Ad Hoc Networks
McAuley, Anthony (Telcordia)
Sterne, Dan (SPARTA)
Manousakis, Kyriakos (Telcordia)
Kruus, Peter (SPARTA)
Gopaul, Richard (ARL)
Many insider attacks, such as certain forms of packet dropping, malicious routing updates, and wormholes, can only be detected using distributed and cooperative algorithms. A promising approach for such Intrusion Detection (ID) is to divide the network into a hierarchy, exploiting data aggregation and local decision making whenever possible. Each node gathers ID data, including alerts, and reports these to its parent in the hierarchy. A parent consolidates ID data from its children before making local decisions and/or forwarding aggregated information up to its own parent, until it reaches a root node. The root node can also disseminate ID information down the hierarchy. A key challenge is to select and maintain a scalable and robust hierarchy that optimizes detection performance (e.g., latency, coverage, and false alarm rate) with minimal cost (e.g., processing and bandwidth). Existing approaches to constructing a hierarchy, such as using flooding to construct a Breadth First Search Tree, are simple, scalable and robust; however, their performance and cost can be undesirable. Moreover, mobility can produce major changes in the hierarchy, leading to further degradation in performance and increased cost. The main contributions of this paper are to: a) model and analyze performance and costs of different ID hierarchies, b) represent the performance and costs of the ID hierarchy in formal objective functions and constraints, and c) give simulation results using an existing multiobjective optimization tool on a 100 node mobile network, showing the generation and maintenance of ID hierarchies.
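The baseline the abstract describes (a Breadth First Search Tree with alerts consolidated at each parent) can be sketched as follows. This is an added example, not code from the paper: the topology, alerts, and function names are constructed, and it assumes every node sends one consolidated report per round.

```python
from collections import deque

# Constructed 8-node topology (undirected radio links) and alerts; not from the paper.
LINKS = [(0, 1), (0, 2), (1, 3), (1, 4), (2, 4), (2, 5), (4, 6), (5, 7), (6, 7)]
ALERTS = {3: {6}, 4: {6}, 5: {7}, 7: {6}}   # reporting node -> suspected nodes

def bfs_hierarchy(links, root):
    """Return {node: parent} for a Breadth First Search Tree rooted at `root`."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    parent, queue = {root: None}, deque([root])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):             # sorted only to make the result deterministic
            if v not in parent:
                parent[v] = u
                queue.append(v)
    return parent

def depth(parent, node):
    """Hops from `node` to the root, a proxy for reporting latency."""
    hops = 0
    while parent[node] is not None:
        node, hops = parent[node], hops + 1
    return hops

def aggregate(parent, alerts):
    """One consolidated report per node per round (assumption), deepest nodes first.
    Returns (suspect -> alert count seen at the root, reports transmitted)."""
    view = {n: {} for n in parent}
    for n, suspects in alerts.items():
        for s in suspects:
            view[n][s] = view[n].get(s, 0) + 1
    sent = 0
    for n in sorted(parent, key=lambda x: -depth(parent, x)):
        if parent[n] is not None:
            for s, c in view[n].items():     # parent consolidates the child's counts
                view[parent[n]][s] = view[parent[n]].get(s, 0) + c
            sent += 1
    root = next(n for n, p in parent.items() if p is None)
    return view[root], sent

def unaggregated_cost(parent, alerts):
    """Transmissions if every alert is relayed hop by hop to the root on its own."""
    return sum(depth(parent, n) * len(s) for n, s in alerts.items())

def reparented(old, new):
    """Nodes whose parent differs after a topology change (maintenance cost)."""
    return sorted(n for n in new if old.get(n) != new[n])
```

Rebuilding the tree after a link is lost and passing both trees to `reparented` shows how much of the hierarchy a single mobility event disturbs.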