Distributed Combined Authentication and Intrusion ... - Semantic Scholar

The 2010 Military Communications Conference - Unclassified Program - Networking Protocols and Performance Track

Distributed Combined Authentication and Intrusion Detection with Data Fusion in High Security Mobile Ad-hoc Networks Shengrong Bu† , F. Richard Yu† , Peter X. Liu† , Helen Tang‡ and Peter Mason‡ †

Department of Systems and Computer Engineering, Carleton University, Ottawa, ON, Canada ‡ Defense R&D Canada, - Ottawa, ON, Canada Email: [email protected]; richard [email protected]; [email protected]; [email protected]; [email protected]

Abstract - This paper studies distributed, combined authentication and intrusion detection with data fusion in mobile ad-hoc networks (MANETs). Multimodal biometrics are deployed to work with intrusion detection systems (IDSs) to alleviate the shortcomings of unimodal biometric systems. Since each device in the network has measurement and estimation errors, more than one device needs to be chosen, and observations can be fused to increase observation accuracy using Dempster-Shafer theory for data fusion. The system decides whether or not user authentication (or IDS input) is required, and which biosensors (or IDSs) should be chosen depending on the security posture. The decisions are made in a fully distributed manner by each authentication device and each IDS. Simulation results are presented to show the effectiveness of the proposed scheme. Keywords – Security, Biometrics, Mobile Ad-hoc Networks, Authentication, Intrusion Detection I. I NTRODUCTION In high security mobile ad-hoc networks (MANETs), user authentication is critical in preventing non-authorized users from accessing or modifying network resources. Because the chances of a device in a hostile environment being captured are extremely high, authentication needs to be performed continuously and frequently [1]. User authentication can be performed by using one or more types of validation factors: knowledge factors, possession factors and biometric factors. Knowledge factors, such as passwords, and possession factors, such as tokens, are very easy to implement but can make it difficult to distinguish an authentic user from an impostor if there is no direct connection between a user and a password or a token. Biometrics technology, such as the recognition of fingerprints, irises, faces, retinas, etc. provides possible solutions to the authentication problem [2]. Using this technology, individuals can be automatically and continuously identified or verified by their physiological or behavioral characteristics without user interruption [2], [3]. In addition, intrusion detection systems (IDSs) are important in MANETs to effectively identify malicious activities

978-1-4244-8179-8/10/$26.00 ©2010 IEEE

and so that the MANET may respond appropriately. IDSs can be categorized as follows [4]: (i) Network-based intrusion detection, which runs at the gateway of a network and examines all incoming packets. (ii) Router-based intrusion detection, which is installed on the routers to prevent intruders from entering the network. (iii) Host-based intrusion detection, which receives the necessary audit data from the host’s operating system and analyzes the generated events to keep the local node secure. For MANETs, host-based IDSs are suitable since no centralized gateway or router exists in the network. Some research has been done in combining intrusion detection and continuous authentication in MANETs [5]. In the framework proposed in [5], multimodal biometrics are used for continuous authentication, and the IDSs are modeled as sensors to detect the system’s security state. The framework is shown to be effective as it combines an important preventionbased security approach and a detection-based approach. The scheme proposed in [5] is a centralized scheme, in which a centralized controller is needed to schedule authentication and intrusion detection. However, a centralized controller may not be available in MANETs, which makes it difficult to implement the scheme proposed in [5]. In this paper, we propose a distributed scheme of combining intrusion detection and continuous authentication. Since each device in the network has measurement and estimation limitations, more than one device can be chosen and the observations can be fused to increase the observation accuracy. Dempster-Shafer theory [6] is used for data fusion. The system decides whether or not a user authentication (or IDS) is required, and the decisions are made in a fully distributed manner by each authentication device and IDS. In addition, since a biometric authentication process requires a large amount of computation, the energy consumption is significant. This is an important concern for most small mobile devices. Therefore, in the proposed scheme, energy consumption is also considered to improve the network lifetime. Simulation results are presented to show the effectiveness of the proposed scheme.

1191

at time t. Security state space I is limited to two security levels, namely {saf e, compromised}. It would be possible to extend this state space in future work to include input from trust models, giving a wider range of values upon which to make security decisions, but doing so would add significant complexity to the analysis. The residual battery energy of each sensor can be divided into h discrete levels. Therefore, the residual energy state space E includes the energy states {e1, . . . , eh} [7]. In the proposed scheme, the residual energy state space E only includes two energy levels {High, Low}, as a simplification. We consider that the time axis is divided into equal time slots, which correspond to the time intervals between two (n) (n) (n) continuous user authentications. Let xk , sk and ek denote the state of sensor n, its security state, and its residual energy state, respectively, at discrete time k = 0, 1, . . . . (n) (n) The states sk and ek evolve based on I-state and Estate Markov chains with transition probability matrix U (n) and V (n) , respectively, if sensor n is used at time k, which (n) (n) are described as follows: U (n) = (φij )i,j∈I , where φij = (n) (n) (n) (n) P (sk+1 = j|sk = i). V (n) = (ψij )i,j∈E , where ψij = (n) (n) P (ek+1 = j|ek = i). The states of other idle sensors are (n) (n) (n) (n) unchanged, i.e., sk+1 = sk and ek+1 = ek , if sensor n is idle at time k. Hence, the state of sensor n transitions with probability matrix T (n) = [U (n) ⊗ V (n) ], where ⊗ denotes the Kronecker product. Security-related and energy-related costs are considered in our scheme, since transmitted biometric information may be detected by adversaries, and energy is certainly consumed when a sensor is used. Let ak ∈ {1, . . . , N } denote one chosen sensor at time k. The information leakage cost at (a ) time k is defined as cs (sk k , ak ), which is a function of the security state of the chosen sensor and action at that time. (a ) The energy cost at time k is defined as ce (ek k , ak ),which is a function of the energy state of the chosen sensor and action at that time. If the sensor n is used at time k, (n) an instantaneous cost β k c(xk , n)(0 ≤ β < 1 denotes (n) the discount factor) is accrued, which c(xk , n) = (1 − (n) (n) λ)cs (sk , n) + λce (ek , n),where λ ∈ (0, 1) is the weight factor for these two kinds of costs. In the proposed scheme, the total instantaneous cost Ck at time k is determined as follows: define a set SL ⊆ {1, . . . , N }, |SL| = L.

The rest of the paper is organized as follows. Section II introduces the proposed scheme for multimodal biometric-based user authentication and intrusion detection in MANETs. Section III shows how to use Dempster-Shafer theory for the fusion of IDSs and biometric sensors. The integrated system is formulated in Section IV. Section V shows some simulation results. Finally, we conclude this study with future work in Section VI. II. M ULTIMODEL B IOMETRIC - BASED U SER AUTHENTICATION AND I NTRUSION D ETECTION Assume that a MANET has a continuous biometric-based authentication system with N − W biosensors and W IDSs, which have the ability to detect intrusions. The IDSs are also modeled as sensors bringing the total number of sensors to N . The system can perform two kinds of operations: intrusion detection and user authentication. The IDSs continuously monitor the system and thus operate at all time instants. Authentication may be executed at every time instant as well. However, intrusion detection and authentication may consume a large amount of energy, which is a concern for energy-constrained devices in MANETs. Moreover, performing authentication and intrusion detection may lead to security information leakage to an adversary monitoring communications and network behaviour. Therefore, it is critical for the system to optimally schedule the intrusion detection and authentication activities for each time slot, taking system security and energy into account. In the proposed scheme, it is very important to detect the security state of each node, but implementation is difficult since there is no centralized point to monitor and analyze the network traffic. More than one biosensor and IDS (assume L devices) are chosen for detecting states in their local neighborhood at each time slot. The number of devices chosen is determined by the required level of estimation performance and network performance. In each authentication and intrusion detection time slot, two steps are carried out in the network. The first step is the optimal scheduling of authentication and intrusion detection activities. The second is that every chosen IDS/biometric sensor becomes responsible for broadcasting (within a certain hop count) the detected information, and these messages are digitally signed with their private keys. Based on the received information, the security states for the other nodes are calculated by each receiving node. In a large MANET, the network is organized hierarchically, and divided into a number of clusters in order to increase its scalability. In each cluster, the above steps are carried out. In the proposed scheme, a Markov model is used, since it is a useful approach for modeling security systems [1]. Let the state of each sensor n, n ∈ {1, 2, . . . , N }, be x(n) (t) at time t, which includes the sensor security and energy  states s(n) (t), e(n) (t) . Each state represents the security condition and the residual battery energy level of sensor n

Ck = β k ×

L X

(n)

c(xk , n), n ∈ SL.

(1)

n=1

The total expected discounted reward (which is simply the negative of the cost) over an infinite-time horizon is given by "∞ # X Jµ = E (−Ck ) . (2) k=0

The optimization objective is to find the optimal stationary policy µ∗ = arg maxµ∈η Jµ to maximize the reward in (2). 2

1192

errors for node n respectively. Otherwise, node n is not (n) trustworthy with probability 1 − tpk+1 . Suppose that node n states that the node a is secure. If node n is trustworthy, then its claim is accurate. If n is not trustworthy, its claim is not necessarily inaccurate. Basic probability assignment reflects the evidence’s strength of support [8]. For example, for the node n, the basic probability number mn (H) is defined as the portion of total belief assigned to hypothesis H [8]. When the n′ s (n) observation data yk+1 for the security state of node a at time k + 1 is equal to secure, its basic probability assignment can be calculated as follows [8]:

III. D EMPSTER -S HAFER T HEORY U SED FOR THE F USION OF B IOMETRIC S ENSORS AND IDS S In the proposed scheme, L sensors are chosen for authentication and intrusion detection at each time slot. In order to obtain the security state of the network, a node’s chosen neighbors observe the node’s behavior and assess its security state. These observation values are then combined and a decision about the security state of the nodes is made. However, since there is some probability that a given observer node might either be in a compromised state, or have made an inaccurate assessment, there is a finite possibility that this node has contributed an unreliable observation. It can be quite difficult to ascertain which observers are compromised. Therefore, choosing an appropriate fusion method is critical for the proposed scheme. The motivation for selecting Dempster-Shafer theory to solve the fusion problem in our proposed scheme is as follows [6]: • It has a relatively high degree of theoretical development for handling uncertainty or ignorance. • It provides a convenient numerical procedure for combining disparate data obtained from multiple sources. • It is widely used in various applications. In a Dempster-Shafer reasoning system, a set of mutually exclusive and exhaustive possibilities are enumerated in the frame of discernment, denoted by Ω [8]. In the proposed scheme, the frame of discernment consists of two possibilities concerning the security state of an arbitrary node a. Namely, Ω = {secure, compromised}, which presents that node a has two security states: secure state or compromised state. Any hypothesis H refers to a subset of Ω for which the neighboring biometric sensors and IDSs can present evidence. The set of all possible subsets of Ω, including itself and the null set, is called a power set and designated as 2Ω [8]. For Ω in the proposed scheme, the power set has three focal elements: hypothesis H = {secure}, hypothesis ¯ = {compromised}, and hypothesis U = Ω, which H means that the observed sensor a is either in the secure state or the compromised state. Each biometric sensor and IDS contributes its observation by assigning its beliefs over Ω. In this paper, if a sensor is trustworthy, then the sensor always provides accurate observation data. Any chosen node could be untrustworthy due to its current compromised state or inaccurate detection. The chosen node n is trustworthy for an arbitrary observed node a at the time slot k + 1 when it is in the secure state, and detects accurately. The (n) trustworthy probability tpk+1 of node n at time k + 1 is (n) (n) (a) equal to P (sk+1 = secure) × P (yk+1 = sk+1 ), where (n) yk+1 is the observation of a’s security state obtained from (n) (a) n. In our system, P (yk+1 = secure|sk+1 = secure) and (n) (a) P (yk+1 = compromised|sk+1 = compromised) are equal to 1 − F AR and 1 − F RR, respectively. FAR and FRR are the frequency of false acceptance errors and of false rejection

(n)

(n)

(a)

mn (H) = P (sk+1 = sec.) × P (yk+1 = sec.|sk+1 = sec.), ¯ = P (s(n) = sec.) × P (y (n) = sec.|s(a) = comp.), mn H) k+1

k+1

k+1 (n) mn (U ) = P (sk+1

= comp.). (3)

If node n claims that node a is compromised, its basic probability assignment can be calculated as follows [8]: (n)

(n)

(a)

mn (H)=P (sk+1 = sec.) × P (yk+1 = comp.|sk+1 = sec.), ¯ =P (s(n) = sec.) × P (y (n) = comp.|s(a) = comp.), mn (H) k+1

k+1

k+1 (n) mn (U )=P (sk+1

= comp.). (4)

In the remainder of this section, two biometric sensors b and c are used to demonstrate how to apply DempsterShafer theory in combining the belief mb of sensor b and the belief mc of sensor c in the hypotheses. When these two biometric sensors have the same accuracy estimations or they are in situations where their probability assignments over the frame of discernment can quantitatively reflect the ignorance of each other’s observations, the equally trusting approach is used in Dempster-Shafer evidence combination [8]. The combined belief of biometric sensors b and c can be calculated as follows [8]: 1 mb (H) mc (H) + mb (H) ⊕ mc (H) = K  mb (H) mc (U ) + mb (U ) mc (H) ,



 ¯ = 1 mb H ¯ ⊕ mc H ¯ + ¯ mc H mb H K

¯ , ¯ mc (U ) + mb (U ) mc H mb H 1 mb (U ) ⊕ mc (U ) = mb (U ) mc (U ) , (5) K where K = mb (H) mc (H) + mb (H) mc (U
) + ¯ + mb (U )
mc (U )
+ mb (U
) mc (H) + mb (U ) mc H ¯ ¯ ¯ mb H mc H + mb H mc (U ) . If these biometric sensors observe with different accuracy, the weighted Dempster-Shafer evidence combining rule is used in Dempster-Shafer evidence combination [6]. Based on the historical performances of the sensors in similar situations, their corresponding correctness rates are used as the references to decide how much the sensors’ current estimations should be trusted from their current observation. 3

1193

If more than two sensors are chosen at each time slot, the evidence can be computed by combining any pair of arguments and then combining the result with the remaining arguments. Since inaccurate detection is the main characteristic of untrustworthy sensors, only detection errors are considered in the proposed scheme.

compute the Gittins index of each sensor, which decreases the computational complexity significantly. Near-optimal Gittins (n) index γH (π (n) ) for arbitrary sensor n can be computed by solving its associated POMDP with theincremental pruning algorithm developed in the artificial intelligence community by Cassandra et al. [12].

IV. F ORMULATION OF THE D ISTRIBUTED AUTHENTICATION AND I NTRUSION D ETECTION S CHEDULING P ROBLEM

B. Distributed Scheduling Process

To reduce the computational complexity of the scheme, the distributed multimodal biometrics authentication process In this section, we formulate the distributed authentication can be divided into off-line and on-line parts. and intrusion detection scheduling problem as a partiallya). Off-line Computation of Gittins Index observed Markov decision process (POMDP) multi-armed As with any dynamic programming formulation, the combandit problem [9], [10]. putation of the Gittins index for each sensor can be done off-line. For an arbitrary sensor n, a finite set of vectors A. Information State Formulation (n) on The decision about which sensors are chosen should Λk at each iteration k are computed in advance based(n) the following parameters: transition probability matrix T , not totally depend on the current observation values, since (n) (n) observation probability matrix B , reward vector R , the sensors’ states are only partially observable. According (n) to [11], the above partially observed multi-armed bandit initial information state π0 , horizon length H, and discount problem can be re-expressed as a fully observable multi- factor β. b). Real-time Sensor Selection over Horizon H armed bandit problem in terms of the information state, At random time k, each biosensor stores the sensors which means optimal sensors can be chosen based on the current Gittins indices into an N -dimensional vector. The information state. real-time sensor selection includes the following steps: The information state of a sensor refers to a probability 1) Select L sensors with the highest Gittins indices at time distribution over the sensor’s states. The entire probability k. space (the set of all possible probability distributions) is (n) 2) Get new sensor observations yk+1 at time k + 1. referred as information space. For an arbitrary sensor n, the (n) 3) Update the information states of the L chosen sensors. information state at time k is denoted as πk : (n) (n) 4) Compute the Gittins index γH (πk+1 ) for each of these (n) (n) πk = (πk (i)), i = 1, . . . , ζn , L sensors only. (n) (n) where πk (i) = P (xk = i|Yk , Ak−1 ) and 1′ζn π (n) = 1. (6) 5) Broadcast the new Gittins indices to the other sensors. 6) On receiving the messages, the other sensors get the (a ) (a ) In the above equation, Yk = (y1 0 , . . . , yk k−1 ) and Ak−1 = updated Gittins indices. (a0 , . . . , ak−1 ) are denoted as the observation and action V. S IMULATION R ESULTS AND D ISCUSSIONS history at time k, respectively. (n) If sensor n is chosen at time k, a new observation yk+1 In this section, we use computer simulations to evaluate is obtained at time k + 1. Its information state at that time the performance of the proposed scheme with and without (n) πk+1 can be updated using the forward algorithm: using fusion. We consider the following simulation scenario. A MANET is equipped with two biosensors for continuous ′ (n) (n) B (n) (yk+1 )T (n) πk (n) . (7) authentication, iris sensor and fingerprint sensor. Each sensor πk+1 = ′ (n) (n) includes two security states, safe and compromised, and two 1ζn B (n) (yk+1 )T (n)′ πk energy states, high and low, which means that there are 4 where B (n) denotes the observation probability matrix of states for each sensor. The iris sensor is the more expensive, node n. When L nodes are used, the observation probability and also provides the more accurate authentication. The finmatrix is obtained by using the above Dempster-Shafer gerprint sensor provides intermediate security authentication, evidence combining rules. Since the other N − L sensors are and has intermediate energy cost. There is an IDS in the not used at time k, their information states remain unchanged MANET, which uses the least energy, and has the least at time k + 1. accuracy in detecting the security state. The following defined For our proposed scheme the optimal policy has an matrices are based on the above assumptions. indexable rule, meaning the sensors’ Gittins indexes The security state transition matrices of the iris sensor, (n) γ (n) (πk )(n = 1, . . . , N ) are used to choose the appropriate fingerprint sensor and IDS, when they are active, are defined sensors at time k. Furthermore, the optimal policy at time k as follows:     is that the sensors with the largest Gittins indexes at that time 0.95 0.05 0.80 0.20 (1) (2) U = ,U = , should be selected. The above problem can be transformed to 0.30 0.70 0.10 0.90 4

1194

  0.98 0.02 U = . 0.02 0.98 From these state transition matrices, we can see the probability of changing from one state to another. For example, iris sensor could be compromised with probability 0.05, and retrieved back to the safe state with probability 0.30. The corresponding energy state   transition  matricesare defined as: 0.96 0.04 0.98 0.02 (1) (2) V = ,V = , 0 1 0 1   0.99 0.01 V (3) = . 0 1 This means that when the battery residual energy is low, it cannot transition back to the high level. The observation matrices for the security state and energy state are respectively defined as:     0.97 0.03 0.90 0.10 (1) (2) Bs = , Bs = , 0.03 0.97 0.10 0.90     0.80 0.20 0.90 0.10 (3) Bs = , Be= . 0.20 0.80 0.10 0.90 The cost matrices are defined as: C(1) = (3, 8, 25, 27), C(2) = (2, 7, 20, 26), C(3) = (1, 4, 27, 31). Since there is more potential for information leakage when a node is in the compromised state than in the safe state, the information leakage cost of selecting a safe node is lower than that of selecting a compromised node. When the network is compromised, an extra cost Cnet is applied into the total cost. In our simulation, we set Cnet to 30, based on the nodes’ cost matrices, although different values could be chosen without affecting the results of our comparisons. It is a non-trivial task to setup node transition matrices and cost matrices for the proposed scheme. We assume that most node properties can be made known in constructing these matrices, which should be realistic particularly for tactical MANETs where initial device management and planning is an a priori requirement. By “node properties” we mean the information and states that are used as input to the transition and cost matrices. However, in a dynamic environment, where heterogeneous nodes may join the network, it may not be as realistic to assume knowledge of all node properties. In these circumstances, we should be able to predict and learn the node properties from the history of observations and actions. All simulations are run and policy vectors computed on a computer equipped with Window 7, Intel Core 2 Duo P8400 CPU (2.26Ghz), 4GB memory. In the simulations, the initial state for each node is high-energy and secure. Simulations have been done in order to compare the cost of three approaches: the proposed optimization scheme without data fusion, the same scheme using data fusion, and a scheme that does not consider optimal scheduling (that is, a scheme that makes selections at random). Each cost value is the averaged result of 10000 simulations. Fig. 1 illustrates the average cost for the first 100 steps of the simulation. Fig. 2 illustrates the relative information leakage, which is defined as the information leakage of the selected nodes (3)

30

25 Existing Scheme Proposed Scheme w/o Data Fusion Proposed Scheme w/ Data Fusion

Average Cost

20

15

10

5

0

0

20

40

60

80

100

Step

Fig. 1. Cost comparison among the proposed scheme with data fusion, the proposed scheme without data fusion and the existing scheme.

0.5 0.45

Information Leakage

0.4 Existing Scheme Proposed Scheme w/o Data Fusion Proposed Scheme w/ Data Fusion

0.35 0.3 0.25 0.2 0.15 0.1 0.05

0

20

40

60

80

100

Step

Fig. 2.

Information leakage comparison among three schemes.

divided by the information leakage when the nodes are in the worst state. The results show that the proposed optimization scheme and the proposed fusion scheme have lower cost and less information leakage than a scheme that does not consider optimization. Thus through optimal node selection, the system can be more secure and energy-efficient. The principle reason the fusion scheme has better performance is that the fusion usage of Dempster-Shafer theory increases the observation accuracy and decreases the probability of network compromise. In the simulation, the network becomes compromised when all the chosen nodes are in compromised states. Various transition probabilities are also used in the simulations to verify the dynamic stability of the proposed scheme. Fig. 3 shows the average cost of these three schemes when the 5

1195

40

0.4

Existing Scheme Proposed Scheme w/o Data Fusion Proposed Scheme w/ Data Fusion

35 30

0.3 Compromising Probability

Average Cost

Existing Scheme Proposed Scheme w/o Data Fusion Proposed Scheme w/ Data Fusion

0.35

25 20 15 10

0.25

0.2

0.15

0.1

5 0.05

0 0.7

0.75

0.8

0.85 0.9 Transition Probability

0.95

1

0 0.65

Fig. 3. Cost comparison among three schemes under different transition probabilities.

0.7

0.75

0.8 0.85 Transition Probability

0.9

Fig. 4. Network compromise probability comparison among three schemes under different transition probabilities.

first component in the security transition probability matrix varies from 0.7 to 1.0, where high transition probability means that the system is more secure. The results still show that the proposed scheme with data fusion has the lowest cost among these three schemes. From Fig. 3, we can see that the cost decreases when the system becomes more secure. This is because the information leakage is smaller when the system becomes more secure, therefore the cost is smaller. When the security transition probability reaches 1, the proposed schemes lose their advantage since all of the nodes always stay in the secure states - that is, there is no added value in trying to optimize security an infallible network. Fig. 4 shows the network compromise probability within the first 40 steps when the first component in the security transition probability matrix of the IDS varies from 0.65 to 0.95 and all other probability values remain constant. For easy comparison of the network compromise probability under these three schemes, the energy transition probability of each node is set to 1, so that the network dies from being compromised rather than energy exhaustion. The results show the network compromise probability of two proposed schemes remain low and stable. The reason for this is that the proposed schemes avoid choosing compromised nodes, and therefore decrease information leakage and network compromise probability.

and on-line parts in order to mitigate the computational complexity. Simulation results were presented to show that the proposed scheme can improve network security. R EFERENCES [1] T. Sim, S. Zhang, R. Janakriaman, and S. Kumar, “Continuous verification using multimodal biometrics,” IEEE Trans. Pattern Analysis and Machine Intelligence, vol. 29, pp. 687–700, Apr. 2007. [2] Q. Xiao, “A biometric authentication approach for high security adhoc networks,” in Proc. IEEE Info. Assurance Workshop, (West Point, NY), June 2004. [3] J. Koreman, A. C. Morris, D. Wu, and S. A. Jassim, “Multi-modal biometrics authentication on the secure phone pda,” in Proc. Second Workshop on Multimodal User Authentication, (Toulouse, France), May 2006. [4] S. K. Das, A. Agah, and K. Basu, “Security in wireless mobile and sensor networks,” Wireless communications systems and networks, pp. 531–557, 2004. [5] J. Liu, F. Yu, C. H. Lung, and H. Tang, “Optimal combined intrusion detection and biometric-based continuous authentication in high security mobile ad hoc networks,” IEEE Trans. on Wireless Comm., vol. 8, pp. 806–815, Feb. 2009. [6] H. Wu, Sensor Fusion for Context-Aware Computing Using DempsterShafer Theory. PhD thesis, Carnegie Mellon University, 2003. [7] P. Hu, Z. Zhou, Q. Liu, and F. Li, “The hmm-based modeling for the energy level prediction in wireless sensor networks,” in Proc. IEEE Conf. on Industrial Electronics and Applications, (Harbin, P.R. China), pp. 2253–2258, May 2007. [8] T. M. Chen and V. Venkataramanan, “Dempster-shafer theory for intrusion detection in ad hoc networks,” IEEE Internet Computing, pp. 35 – 41, 2005. [9] V. Krishnamurthy, “A value iteration algorithm for partially observed markov decision process multi-armed bandits,” Math. of Oper. Res., pp. 133–152, May 2005. [10] P. Whittle, “Multi-armed bandits and the Gittins index,” J. R. Statist. Soc. B, vol. 42, no. 2, pp. 143–149, 1980. [11] J.C.Gittins, Multi–armed Bandit Allocation Indices. Wiley, 1989. [12] A. R. Cassandra, Exact and Approximate Algorithms for Partially Observed Markov Decision Process. PhD thesis, Brown University, 1998.

VI. C ONCLUSIONS In this paper, we presented a distributed scheme of combining authentication and intrusion detection. In the proposed scheme, the most suitable biosensors (for biometric-based authentication) or IDSs are dynamically selected based on the current security posture and energy states. To improve upon this concept, Dempster-Shafer theory was used for IDS and biometric sensors fusion, since there is more than one device used at each time slot. The distributed multimodal biometrics and IDS scheduling process can be divided into off-line 6

1196