1. Field of the Invention
Subject matter disclosed herein relates generally to network intrusion detection, and more particularly, to distributed network intrusion detection.
2. Introduction
The hidden-node problem occurs when two or more wireless nodes that are unable to sense each other transmit to an access point, causing interference at the access point. If the nodes employ directional antennas, the hidden-node problem is worse. Solutions to the hidden-node problem are typically implemented at the medium access control (MAC) level. For example, a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) or an ALOHA protocol may be adapted to include handshaking. However, handshaking solutions apply only to nodes that belong to the same network.
Alternatively, in cognitive radio, a first network may use the same frequency band as a second network without communicating with the second network. The basic idea behind cognitive radio is opportunistic spectrum sharing by identifying under-utilized licensed bands and utilizing those bands until they are used by their licensed users. Because MAC-layer messages are not shared between the networks, the goal is to minimize interference with the second network by improving detection of potentially hidden nodes.
The hidden-node problem is typically addressed in the context of one node unintentionally interfering with communications between other nodes. There is a notable deficiency of effective solutions for situations in which the hidden node has malicious or selfish intent. For example, a common solution for a denial of service attack in which a hidden node sends a false request is MAC-based and simply provides additional validation embedded in the data transmissions.
A conventional Intrusion Detection System (IDS) monitors a network for malicious activities and/or policy violations. Intrusion detection typically employs a statistical anomaly analysis or a signature analysis. Statistical anomaly analysis creates a baseline performance metric for network traffic and then monitors the traffic for any activity outside the baseline parameters. However, this approach is only effective for identifying activities that significantly impact overall network traffic. Also, bad packets generated in the course of normal network activity can generate false alarms.
Signature analysis examines network traffic for predetermined (i.e., known) attack patterns, known as signatures. Many attacks have distinct signatures. However, in order for signature analysis to be effective, it is necessary to maintain an up-to-date database of attack patterns.
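The two detection approaches described in the preceding paragraphs, run over constructed traffic samples, as an added illustration that is not code from the patent: the packet counts, payloads, pattern name and signature bytes are all assumptions constructed for the example, chosen so that the limitations described above (a low-rate attack that does not move the traffic baseline, a benign burst of bad packets that trips the anomaly detector, and a signature variant missing from the database) are visible in the results.

```python
"""Added example (not from the patent): statistical anomaly analysis
against a traffic baseline, and signature analysis against a known-pattern
database, applied to constructed per-interval traffic samples."""
import statistics

# Constructed training window: packets per one-second interval of normal traffic.
BASELINE_COUNTS = [100, 104, 98, 101, 99, 103, 97, 102, 100, 96]

# Constructed monitoring window: one packet count and one payload per interval.
OBSERVED_COUNTS = [100, 102, 99, 101, 98, 100, 103, 160, 99, 101]
OBSERVED_PAYLOADS = [
    b"DATA seq=1", b"DATA seq=2", b"DATA seq=3",
    b"RTS-FLOOD dst=ap0",   # interval 3: forged request matching a known signature
    b"DATA seq=5",
    b"RTS-FL00D dst=ap0",   # interval 5: variant not yet in the signature database
    b"DATA seq=7",
    b"\xff\xff BAD-CRC",    # interval 7: burst of malformed-but-benign packets
    b"DATA seq=9", b"DATA seq=10",
]

# Constructed signature database (hypothetical pattern name and bytes).
SIGNATURES = {"forged_request": b"RTS-FLOOD"}

def baseline_threshold(samples, k=3.0):
    """Statistical anomaly analysis: derive the baseline from training traffic
    and return the upper bound mean + k*stdev for a 'normal' packet count."""
    mean = statistics.mean(samples)
    return mean + k * statistics.pstdev(samples)

def anomaly_alerts(counts, threshold):
    """Intervals whose packet count falls outside the baseline parameters."""
    return [i for i, c in enumerate(counts) if c > threshold]

def signature_alerts(payloads, signatures):
    """Intervals whose payload contains a known attack pattern."""
    return [(i, name) for i, p in enumerate(payloads)
            for name, pat in signatures.items() if pat in p]

def run_demo():
    """Run both analyses over the constructed monitoring window."""
    thr = baseline_threshold(BASELINE_COUNTS)
    return {
        "threshold": round(thr, 2),
        "anomaly": anomaly_alerts(OBSERVED_COUNTS, thr),
        "signature": signature_alerts(OBSERVED_PAYLOADS, SIGNATURES),
    }

if __name__ == "__main__":
    print(run_demo())
```

The anomaly detector flags only interval 7 (the benign burst) and misses the single forged request in interval 3, which the signature detector catches; the variant in interval 5 is missed by both until the signature database is updated.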
There are two main types of IDSs. The first type is an independent system that connects to the network via a hub, switch, or network tap and monitors packets for malicious content. The second type resides on the host and monitors system calls, logs, and file systems for suspicious activities.
In a cooperative network, a new type of IDS is required. In 2001, distributed multi-user multiple input, multiple output (MU-MIMO) was first introduced (S. J. Shattil, Pat. Appl. Ser. No. 60/286,850, filed Apr. 26, 2001), which coordinates a large number of access points (e.g., cellular base stations) distributed over a certain coverage region via a wired, optical, and/or wireless backhaul network connected to a central processor in order to form a distributed antenna system. Thus, the multiple access points can function together as a single distributed access point, referred to as a “super array.” In subsequent patent filings, Distributed MU-MIMO included user terminals and relays in many different network topologies (S. J. Shattil, patent application Ser. No. 10/131,163 filed Apr. 24, 2002, now U.S. Pat. No. 7,430,257; and S. J. Shattil, patent application Ser. No. 10/145,854, filed May 14, 2002). Solutions to synchronization and calibration in Distributed-MIMO are presented in the '257 patent, the '854 application, S. J. Shattil, Pat. Appl. Ser. No. 60/598,187, filed Aug. 2, 2004, and S. J. Shattil, patent application Ser. No. 11/187,107 (now U.S. Pat. No. 8,670,390). All the references presented herein are incorporated by reference in their entireties.
Since clients in cooperative, ad-hoc, peer-to-peer, and mesh networks already perform many of the network control functions, it can be useful to provide an IDS employed as a distributed system residing on the clients.
These and other needs in the field are addressed by aspects of the present invention.