Article Preview
TopIntroduction
Security has become one of the most critical issues in today’s computer-dominated society. Security threats have increased in sophistication, frequency and complexity in the past couple of decades. Despite the continuous efforts from the security community, organizations are being attacked at an alarming rate nowadays. Particularly for large scale enterprise network consisting of a number of mobile and handheld devices, there is a mismatch between the level of protection that current security measures are providing and the level needed to address their actual degree of risks. The characteristics of the mobile and handheld devices make incorporating security very challenge. The constraints on mobile and handheld devices make the design and operation different from the contemporary wired networks. Security has become the Achilles’ heel of networks of all sizes.
The monitoring and surveillance of security threats in network systems are mostly done by Intrusion Detection System (IDS) (Douligeris & Serpanos, 2007). IDS are based on the principle that attacks on computer systems and networks will be noticeably different from normal activities. The job of IDS is to detect these abnormal patterns by analyzing information from different sensing sources in the network.
IDSs may be classified into host-based IDSs, network based IDSs and distributed IDSs, according to the source of audit information. Host-based IDSs get data from host audit trails; network-based IDSs collect network traffic as the data source; distributed IDSs gather audit data from multiple hosts and the network. There has been a shift from a centralized and monolithic IDS framework to a distributed one (Balasubramaniyan & Fernandez, 1998). Distributed IDSs usually include multiple sensors or agents for intrusion detection, and information fusion modules for data correlation.
However, when deploying IDSs in enterprise network with a large number of mobile and handheld devices, the IDS systems usually suffer from a number of limitations.
- •
Configurability, controllability and manageability. Today’s networks are dynamic with mobile and handheld devices. IDSs need to support flexible on-demand reconfiguration and dynamic deployment of new nodes. For example, tasks like loading attack signatures at run-time, creating new detection sensors, being adaptive to changes in the environment, and detecting new attacks should be supported.
- •
Interoperability. Today’s networks are heterogeneous with mobile devices from different vendors. Many IDSs are developed and operated in specific domains and environments. It is a complicated and error-prone task to integrate and coordinate multiple IDSs. Mechanisms need to be designed to support the effective integration, cooperation and collaboration of heterogeneous IDSs.
- •
Scalability, extensibility and robustness. IDSs should be scalable to monitor large scale networks with limited overhead imposed. IDSs need to be lightweight to run on mobile and handheld devices. IDSs need to protect themselves from attacks. They should also be able to recover quickly from system crashes or network failure.
- •
Effectiveness. IDSs suffer from the problem of high false alarm rate, including false positive and false negative. Algorithms need to be designed to produce real time, high-confidence detection results by fusing information from multiple data sources.
- •
Global Coordination. Network intrusion detection and prevention should utilize both local surveillance and global coordination. Local surveillance secures a protection domain by proactively identifying and thwarting attacks. Global coordination integrates the information from different parts of the network and coordinates collective countermeasures.
Therefore, IDS involving mobile and handheld devices is similar to a standard, wired IDS, but has additional deployment requirements as well as some unique features specific to wireless network.