DocumentCode
3391270
Title
Detecting coordinated attacks in tactical wireless networks using cooperative signature-based detectors
Author
Little, Mike ; Ko, Calvin
Author_Institution
Telcordia Technol., Inc, Morristown, NJ
fYear
2005
fDate
17-20 Oct. 2005
Firstpage
176
Abstract
We describe an approach to detecting coordinated attacks in tactical wireless networks in which distributed detectors cooperate to match signatures from audit events generated at different locations. Traditionally, the signature matching engine compares the signature with a single audit data stream to identify occurrences of the action sequence described in the signature. Such an approach introduces a single point of failure and uses huge bandwidth for transferring audit data from the data sources to the matching engine. Our approach decomposes an extended infinite state machine, an operational representation of an attack signature, into multiple cooperative finite state machines that enable distributed signature engines to match the signature. We describe the decomposition methodology and the distributed matching algorithm and illustrate them using several example multi-stage attacks in tactical networks. In addition, we implemented an example distributed signature matching engine for detecting the example attacks in a simulation framework based on MASON. Our approach avoids a single point of failure and reduces the bandwidth usage by communicating internal state information rather than audit events.
Keywords
finite state machines; military communication; telecommunication security; wireless sensor networks; MASON; attack signature; cooperative signature-based detectors; coordinated attacks detection; extended infinite state machine; internal state information; multistage attacks; signature matching engine; single audit data stream; tactical wireless networks; Bandwidth; Collaboration; Detectors; Engines; Event detection; Government; Intelligent networks; Intrusion detection; Mobile communication; Wireless networks;
fLanguage
English
Publisher
ieee
Conference_Titel
Military Communications Conference, 2005. MILCOM 2005. IEEE
Conference_Location
Atlantic City, NJ
Print_ISBN
0-7803-9393-7
Type
conf
DOI
10.1109/MILCOM.2005.1605682
Filename
1605682