Response Initiation in Distributed Intrusion Response Systems for Tactical MANETs

Even though Intrusion Detection Systems (IDS) are in wide-spread use, the question of how to efficiently initiate responses to detected attacks has been discussed far less often, especially in highly dynamic scenarios such as tactical MANETs. Despite being flexible and robust in their ability to self-organize, these MANETS are distinctly more susceptible to attacks than their wired counterparts. Especially in military settings such as the interconnection of infantrymen or autonomous robots, remote initiation of countermeasures is critical since local administrative personnel may not be available. In this contribution we present an architecture for response initiation that is specifically tailored to the requirements intrinsic to mobile ad hoc networks in these settings. First we introduce IRMEF (Intrusion Response Message Exchange Format) as a means of specifying and parameterizing responses remotely which is an extension of the IDMEF RFC, an experimental yet well-established and recommended IETF draft for formatting event messages. Response initiation messages are dispatched from a central location via a secure, reliable, and robust communication infrastructure based on SNMPv3. An Authenticated Flooding service ensures that messages are delivered to their destination even while the network is under attack. Locally installed responder components are responsible for the application of the response measure. These mechanisms are designed and implemented explicitly with the limitations in mind which are imposed by the MANET operating environment: For example, resource constraints are taken into account by avoiding bandwidth intensive message formats, and the use of an intelligent flooding mechanism ensures resiliency under routing attacks.