RFID Intrusion Detection

From RFID Wiki

Intrusion Prevention vs. Intrusion Detection

  • Is preventing attacks on RFID systems more difficult than detecting them? (open question)


Intrusion Detection

Deployment Layer

  • Tag layer: difficult because of the tags' resource limitations; this is the weakest link.
  • Reader layer.
  • Middleware layer: more resources available.


Intrusion Detection Functionality

  • Audit tools more effective than humans at distilling relevant information from multiple sources.
  • Monitors the activity occurring within the environment.
  • Uses the tags' audit records to build normal and abnormal profiles.
  • Responds to suspicious behavior, generates alarms.

Requirements for the Intrusion Detection System

  • Efficiently and accurately discriminate normal against abnormal behavior.
  • Produce reliable results:
    • High Detection Rate
    • Low False Alarm Rate
    • Combined with intrusion prevention mechanisms, in order to avoid a compromise of the IDS itself and to safeguard the accuracy of its results.
  • Produce results that are easy to comprehend and that help the RFID operator/administrator; no special skills should be required to use the IDS.
  • Real-time intrusion detection - Direct Response.
  • Easy to deploy. Portable to different architectures, applications, OS.
  • Low overhead.
  • Responds in a way that does not cause operational problems (e.g. flooding the operator with alarms).
  • Able to update and represent new network traffic conditions and attacks.
  • General enough to detect various types of attacks.
  • Cost-Sensitive Intrusion Detection. Different attacks have different costs.
  • Achieve a satisfying trade-off between High Detection Rate & Low False Alarm rate.

Possible Audit Records

  • RFID operation read/write.
  • Tag identifier number.
  • Reader identifier number.
  • Timestamp.
  • A derived value, e.g. the mean number of times a tag has been used.

Intrusion Detection Steps

  • Selection of the type of application.
  • Select appropriate data that can discriminate normal from abnormal behavior.
  • Train the detection engine.
  • Test with new, unknown data.
  • Response when an attack is detected:
    • Block the tag's access.
    • But what about also blocking legitimate access (a false alarm locks out a legitimate tag)?
  • Periodic update of the normal/abnormal profile, to represent new traffic conditions and new attacks.

Characterization of Normal & Abnormal Behavior

  • Cloning attacks - abnormal behavior:
    • The attacker's use of the cloned tag will differ from the legitimate user's use of it.
    • Significant deviation in the tag's audit records.
    • The attacker may use the tag more often than usual.
    • The attacker's tag is read at locations (readers) that authorized users rarely or never use.
  • Difficulties in discriminating normal from abnormal behavior:
    • Creating false timestamps.
    • Steadily increasing the use of a cloned RFID tag whilst remaining within the accepted tolerances of normal behavior.
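
As an added illustration (not part of the wiki page), the anomaly-based approach described in the steps and characterization above: a per-tag normal profile is built from audit records in the listed form (operation, tag id, reader id, timestamp), and new records are scored for the cloning indicators (unusual reader, unusually high usage rate, the same tag seen at two readers too close together). Alarms go to the operator rather than blocking the tag, which avoids the legitimate-access problem noted above. The reader names, the one-day window, the k=3 threshold and the 300 s minimum gap are assumptions, and all records are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

DAY = 86400  # profile window in seconds (assumption: one day)

# Constructed training records in the page's audit-record form:
# (operation, tag identifier, reader identifier, timestamp in seconds).
# Tag T1 is read twice a day at the entrance reader for five days.
TRAINING = [("read", "T1", "R-entrance", t) for t in range(0, 5 * DAY, DAY // 2)]

def build_profile(records, window=DAY):
    """Normal profile per tag: readers seen plus mean/stddev of reads per window."""
    readers, counts = defaultdict(set), defaultdict(Counter)
    for _op, tag, reader, ts in records:
        readers[tag].add(reader)
        counts[tag][ts // window] += 1
    profile = {}
    for tag, seen in readers.items():
        per_window = list(counts[tag].values())
        profile[tag] = {"readers": seen, "mean": mean(per_window), "std": pstdev(per_window)}
    return profile

def detect(records, profile, window=DAY, k=3.0, min_gap=300):
    """Return (tag, reason) alarms for the operator; it never blocks a tag itself."""
    alarms, counts, last_seen = [], defaultdict(Counter), {}
    for _op, tag, reader, ts in sorted(records, key=lambda r: r[3]):
        p = profile.get(tag)
        if p is None:
            alarms.append((tag, "unknown tag"))
            continue
        if reader not in p["readers"]:
            alarms.append((tag, f"read at unusual reader {reader}"))
        if tag in last_seen and last_seen[tag][0] != reader and ts - last_seen[tag][1] < min_gap:
            alarms.append((tag, f"two readers within {min_gap}s: possible clone"))
        last_seen[tag] = (reader, ts)
        counts[tag][ts // window] += 1
        # Rate limit = mean + k*std, with a floor of one read so that a zero-variance
        # profile does not alarm on the first extra read; alarm once per window.
        limit = p["mean"] + k * max(p["std"], 1.0)
        if counts[tag][ts // window] == int(limit) + 1:
            alarms.append((tag, "usage rate above normal profile"))
    return alarms

# Constructed test-day records: one normal read, a read at an unusual reader
# 100 s later, a burst of reads, and a tag the profile has never seen.
TEST = ([("read", "T1", "R-entrance", 10 * DAY), ("read", "T1", "R-warehouse", 10 * DAY + 100)]
        + [("read", "T1", "R-entrance", 10 * DAY + 1000 + 400 * i) for i in range(5)]
        + [("read", "T9", "R-entrance", 10 * DAY + 5000)])
PROFILE = build_profile(TRAINING)

if __name__ == "__main__":
    for tag, reason in detect(TEST, PROFILE):
        print(tag, reason)
```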

Limitations of IDSs

  • Complex to set up.
  • Require large quantities of memory & processing power.

IDS Approaches

  • Anomaly-based.
  • Signature-based.

IDS Architecture

  • Distributed.
  • Centralized: single point of failure?