1 / 59

Intruder Identification in Ad Hoc Networks

Intruder Identification in Ad Hoc Networks. Problem Statement.

teddy
Download Presentation

Intruder Identification in Ad Hoc Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intruder Identification in Ad Hoc Networks

  2. Problem Statement • Intruder identification in ad hoc networks is the procedure of identifying the user or host that conducts the inappropriate, incorrect, or anomalous activities that threaten the connectivity or reliability of the networks and the authenticity of the data traffic in the networks. Papers: “On Security Study of Two Distance Vector Routing Protocols for Mobile Ad Hoc Networks”, in Proceedings of IEEE International Conference on Pervasive Computing and Communications (PerCom),2003. “On Vulnerability and Protection of Ad Hoc On-demand Distance Vector Protocol”, in Proceedings of 10th IEEE International Conference on Telecommunication (ICT),2003.

  3. Research Motivation • More than ten routing protocols for Ad Hoc networks have been proposed (AODV, DSR, DSDV, TORA, ZRP, etc.) • Research focus has been on performance comparison and optimizations such as multicast and multiple path detection • Research is needed on the security of Ad Hoc networks. • Applications: Battlefields, Disaster recovery.

  4. Research Motivation • Two types of attacks target Ad Hoc network • External attacks: • MAC layer jamming • Traffic analysis • Internal attacks: • Compromised host sending false routing information • Fake authentication and authorization • Traffic flooding

  5. Research Motivation • Protection of Ad Hoc networks • Intrusion Prevention • Traffic encryption • Sending data through multiple paths • Authentication and authorization • Intrusion Detection • Anomaly pattern examination • Protocol analytical study

  6. Research Motivation • Deficiencies of intrusion prevention • Increases the overhead during normal operations of Ad Hoc networks • Restriction on power consumption and computation capability prevent the usage of complex encryption algorithms • Flat infrastructure increases the difficulty for the key management and distribution • Cannot guard against internal attacks

  7. Research Motivation • Why intrusion detection itself is not enough • Detecting intrusion without removing the malicious host leaves the protection in a passive mode • Identifying the source of the attack may accelerate the detection of other attacks

  8. Research Motivation • Research problem: Intruder Identification • Research challenges: • How to locate the source of an attack ? • How to safely combine the information from multiple hosts and enable individual host to make decision by itself ? • How to achieve consistency among the conclusions of a group of hosts ?

  9. Related Work in wired Networks • Secure routing / intrusion detection in wired networks • Routers have more bandwidth and CPU power • Steady network topology enables the use of static routing and default routers • Large storage and history of operations enable the system to collect enough information to extract traffic patterns • Easier to establish trust relation in the hierarchical infrastructure

  10. Attack on RIP (Distance Vector) False distance vector Solution (Bellovin 89) Static routing Listen to specific IP address Default router Cannot apply in Ad Hoc networks Related Work in wired networks

  11. Related Work in wired networks • Attack on OSPF (Link State) • False connectivity • Attack on Sequence Number • Attack on lifetime • Solution • JiNAO:NCSU and MCNC • Encryption and digital signature

  12. Lee at GaTech summarizes the difficulties in building IDS in Ad Hoc networks and raises questions: what is a good architecture and response system? what are the appropriated audit data sources? what is the good model to separate normal and anomaly patterns? Haas at Cornell lists the 2 challenges in securing Ad Hoc networks: secure routing key management service Related Workin Ad Hoc Networks

  13. Related Workin Ad Hoc Networks • Agrawal at University of Cincinnati presents the general security schemes for the secure routing in Ad Hoc networks • Nikander at Helsinki discusses the authentication, authorization, and accounting in Ad Hoc networks • Bhargavan at UIUC presents the method to enhance security by dynamic virtual infrastructure • Vaidya at UIUC presents the idea of securing Ad Hoc networks with directional antennas

  14. TIARA: Techniques for Intrusion Resistant Ad-Hoc Routing Algorithm (DARPA) develop general design techniques focus on DoS attack sustain continued network operations Secure Communication for Ad Hoc Networking (NSF) Two main principles: redundancy in networking topology, route discovery and maintenance distribution of trust, quorum for trust Related Work ongoing projects

  15. On Robust and Secure Mobile Ad Hoc and Sensor Network (NSF) local route repair performance analysis malicious traffic profile extraction distributed IDs proposed a scalable routing protocol Adaptive Intrusion Detection System (NSF) enable data mining approach proactive intrusion detection establish algorithms for auditing data Related Work ongoing projects

  16. Problem Statement • Intruder identification in ad hoc networks is the procedure of identifying the user or host that conducts the inappropriate, incorrect, or anomalous activities that threaten the connectivity or reliability of the networks and the authenticity of the data traffic in the networks.

  17. Accuracy False coverage: Number of normal hosts that are incorrectly marked as suspected. False exclusion: Number of malicious hosts that are not identified as such. Overhead Overhead measures the increases in control packets and computation costs for identifying the attackers (e.g. verifying signed packets, updating blacklists). Workload of identifying the malicious hosts in multiple rounds Evaluation Criteria

  18. Evaluation Criteria • Effectiveness • Effectiveness: Increase in the performance of ad hoc networks after the malicious hosts are identified and isolated. Metrics include the increase of the packet delivery ratio, the decrease of average delay, or the decrease of normalized protocol overhead (control packets/delivered packets). • Robustness • Robustness of the algorithm: Its ability to resist different kinds of attacks.

  19. Assumptions A1. Every host can be uniquely identified and its ID cannot be changed throughout the lifetime of the ad hoc network. The ID is used in the identification procedure. A2. A malicious host has total control on the time, the target and the mechanism of an attack. The malicious hosts continue attacking the network. A3. Digital signature and verification keys of the hosts have been distributed to every host. The key distribution in ad hoc networks is a tough problem and deserves further research. Several solutions have been proposed. We assume that the distribution procedure is finished, so that all hosts can examine the genuineness of the signed packets. A4. Every host has a local blacklist to record the hosts it suspects. The host has total control on adding and deleting elements from its list. For the clarity of the remainder of this paper, we call the real attacker as “malicious host”, while the hosts in blacklists are called “suspected hosts”.

  20. Applying Reverse Labeling Restriction to Protect AODV • Introduction to AODV • Attacks on AODV and their impacts • Detecting False Destination Sequence Attack • Reverse Labeling Restriction Protocol • Simulation results

  21. Introduction to AODV • Introduced in 97 by Perkins at NOKIA, Royer at UCSB • 12 versions of IETF draft in 3 years, 4 academic implementations, 2 simulations • Combines on-demand and distance vector • Broadcast Route Query, Unicast Route Reply • Quick adaptation to dynamic link condition and scalability to large scale network • Support Multicast

  22. Security Considerations for AODV “AODV does not specify any special security measures. Route protocols, however, are prime targets for impersonation attacks. If there is danger of such attacks, AODV control messages must be protected by use of authentication techniques, such as those involving generation of unforgeable and cryptographically strong message digests or digital signatures. ” - http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-11.txt

  23. Message Types in AODV • RREQ: route request • RREP: route reply • RERR: route error

  24. Unicast reply Broadcast request Unicast reply Broadcast request Broadcast request Unicast reply Route Discovery in AODV D Establish path to the destination Establish path to the source S1 S3 Establish path to the source Establish path to the destination S2 S4 Establish path to the destination Establish path to the source S

  25. Introduction to AODV (con’d) • Security Features of AODV • Combination of Broadcast and Unicast • Route reply is sent out along a single path, prevent the disclosure of routing information • Fast Expiration of Reverse Route Entry • Route entry created by un-replied route request will expire in a short time • Freshness of Routing Information • Unique, monotonic destination sequence for every host, could only be updated by destination/request initiator

  26. Malicious route request query non-existing host (RREQ will flood throughout the network) False route error route broken message sent back to source (route discovery is re-initiated) False distance vector reply “one hop to destination” to every request and select a large enough sequence number False destination sequence select a large number (even beat the reply from real destination) Attacks on AODV

  27. Impacts of Attacks on AODV

  28. RREP(D, 5) RREP(D, 5) RREQ(D, 3) RREQ(D, 3) RREQ(D, 3) RREP(D, 20) RREQ(D, 3) RREP(D, 20) RREP(D, 20) False Destination Sequence Attack S3 D S S1 S2 M

  29. Attacks on AODV and Simulation Results • Simulation of Attacks • A module called “AODV Attack” added into ns2 • Four attacks have been implemented • malicious route request • silently discard • false distance vector • false destination sequence

  30. Attacks to AODV and Simulation Results • Simulation parameters

  31. Attacks to AODV and Simulation Results X-axis is max moving speed, which evaluates the mobility of host. Y-axis is delivery ratio. Two attacks: false distance vector and false destination sequence, are considered. They lead to about 30% and 50% of packets to be dropped.

  32. Detecting false destination sequence attackby destination host during route rediscovery (1). S broadcasts a request that carries the old sequence + 1 = 21 (2) D receives the RREQ. Local sequence is 5, but the sequence in RREQ is 21. D detects the false desti-nation sequence attack. D S3 RREQ(D, 21) S S1 S2 M S4 Propagation of RREQ

  33. Reverse Labeling Restriction (RLR) • Basic Ideas • Every host maintains a blacklist to record suspicious hosts. Suspicious hosts can be released from the blacklist or put there permanently. • The destination host will broadcast an INVALID packet with its signature when it finds that the system is under attack on sequence. The packet carries the host’s identification, current sequence, new sequence, and its own blacklist. • Every host receiving this packet will examine its route entry to the destination host. If the sequence number is larger than the current sequence in INVALID packet, the presence of an attack is noted. The next hop to the destination will be added into this host’s blacklist.

  34. Reverse Labeling Restriction (RLR) • All routing information or intruder identification packets from hosts in blacklist will be ignored, unless the information is about themselves. • After a host is released from the blacklist, the routing information or identification results from it will be processed.

  35. BL {} BL {S2} BL {S1} BL {} BL {M} BL {} Example to illustrate RLR S3 D INVALID ( D, 5, 21, {}, SIGN ) S S1 S2 M S4 D sends INVALID packet with current sequence = 5, new sequence = 21. S3 examines its route table, the entry to D is not false. S3 forward packet to S1. S1 finds that its route entry to D has sequence 20, which is > 5. It knows that the route is false. The hop which provides this false route to S1 was S2. S2 will be put into S1’s blacklist. S1 forward packet to S2 and S. S2 adds M into its blacklist. S adds S1 into its blacklist. S forward packet to S4. S4 does not change its blacklist since it is not involved in this route.

  36. Update Blacklist by INVALID Packet Next hop on the invalid route will be put into local blacklist, a timer starts, a counter ++ Labeling process will be done in the reverse direction of route When timer expires, the suspicious host will be released from the blacklist and routing information from it will be accepted If counter > threshold, the suspicious host will be permanently put into blacklist Reverse Labeling Restriction (con’d)

  37. RLR creates suspicion trees. If a host is the root of a quorum of suspicion trees, it is labeled as the attacker.

  38. Reverse Labeling Restriction (con’d) • Update local blacklist by other hosts’ blacklist • Attach local blacklist to INVALID packet with digital signature to prevent impersonation • Every host will count the hosts involved in different routes that say a specific host is suspicious. If the number > threshold, it will be permanently added into local blacklist and identified as an attacker. • Threshold can be dynamically changed or can be different on various hosts

  39. Reverse Labeling Restriction (con’d) • Two other effects of INVALID packets • Establish routes to the destination host: when the host sends out INVALID packet with digital signature, every host receiving this packet can update its route to the destination host through the path it gets the INVALID packet. • Enable new sequence: When the destination sequence reaches its max number (0x7fffffff) and needs to round back to 0, the host sends an INVALID packet with current sequence = 0x7fffffff, new sequence = 0.

  40. Reverse Labeling Restriction (con’d) • Packets from suspicious hosts • Route request: If the request is from suspicious hosts, ignore it. • Route reply: If the previous hop is suspicious and the query destination is not the previous hop, the reply will be ignored. • Route error: will be processed as usual. RERR will activate re-discovery, which will help to detect attacks on destination sequence. • INVALID: if the sender is suspicious, the packet will be processed but the blacklist will be ignored.

  41. Simulation parameter

  42. Reverse Labeling Restriction (con’d)Simulation results The following metrics are chosen: • Delivery ratio (evaluate effectiveness of RLR) • Number of normal hosts that identify the attacker (evaluate accuracy of RLR) • Number of normal hosts that are marked as attacker by mistake (evaluate accuracy of RLR) • Normalized overhead (evaluate communication overhead of RLR) • Number of packets to be signed (evaluate computation overhead of RLR)

  43. Reverse Labeling Restriction (con’d) X-axis is host pause time, which evaluates the mobility of host. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 30% increase in delivery ratio. 100% delivery is difficult to achieve due to network partition, route discovery delay and buffer.

  44. Reverse Labeling Restriction (con’d) X-axis is number of attackers. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 20% to 30% increase in delivery ratio.

  45. Reverse Labeling Restriction (con’d) The accuracy of RLR when there is only one attacker in the system

  46. Reverse Labeling Restriction (con’d) The accuracy of RLR when there are multiple attackers

  47. Reverse Labeling Restriction (con’d) X-axis is host pause time, which evaluates the mobility of host. Y-axis is normalized overhead (# of control packet / # of delivered data packet). 25 connections and 50 connections are considered. RLR increases the overhead slightly.

  48. Reverse Labeling Restriction (con’d) X-axis is host pause time, which evaluates the mobility of host. Y-axis is the number of signed packets processed by every host. 25 connections and 50 connections are considered. RLR does not severely increase the computation overhead to mobile host.

  49. Reverse Labeling Restriction (con’d) X-axis is number of attackers. Y-axis is number of signed packets processed by every host. 25 connections and 50 connections are considered. RLR does not severely increase the computation overhead of mobile host.

  50. If the malicious host sends false INVALID packet Because the INVALID packets are signed, it cannot send the packets in other hosts’ name If it sends INVALID in its own name, the reverse labeling procedure will converge on the malicious host and identify the attacker. The normal hosts will put it into their blacklists. Robustness of RLR

More Related