Intrusion Monitoring of Malicious Routing Behavior

Poornima Balasubramanyam

Karl Levitt

Computer Security Laboratory

Department of Computer Science

UCDavis


Security Threats

  • Outsider attacks

    • infiltrate routing process

    • modify routing information

    • cause redirection of network traffic, DoS attacks, etc.

    • countermeasure: use of strong integrity mechanisms

UCDavis SecLab

MURI October 2002


Security Threats – Contd.

  • Insider attacks

    • Compromised rogue routers

      • legitimately participate in routing protocol

      • influence local routing behavior

      • actively disrupt global routing behavior

    • Integrity mechanisms are in place

      • Routers do not masquerade as other routers

    • Integrity mechanisms are not in place

      • Routers masquerade as other routers.



Intrusion Monitoring of Networks

  • Most intrusion monitoring is fine-grained

    • E.g., network packet analysis

  • Some intrusions require higher level monitoring

    • Intrusive behavior may be visible earlier

  • Our approach is aimed at multi-grained intrusion monitoring



Sample Network

[Figure: sample network topology of one AS divided into Area 1, Area 2 and Area 3, containing routers R1 to R13 and hosts H1 and H2]


Link R4-R5 Is Down

[Figure: the sample network (routers R1 to R13, hosts H1 and H2, Areas 1 to 3) with link R4-R5 down]


Newly Isolated Node – R5; Single Point of Connection – R6

[Figure: the sample network with R5 newly isolated and R6 as its single point of connection]


[Figure: detail of Areas 1 to 3 around routers R4, R5, R6, R10 and R11]

Centrality of R6 greater even if degree of R6 unchanged


Isolated Node – R5: Centrality of Routers R10, R11, R12 Increases

[Figure: detail of Areas 1 to 3 around R4, R5, R6, R10, R11 and R12 with R5 isolated]


Subnet Failure

[Figure: the sample network (routers R1 to R13, hosts H1 and H2, Areas 1 to 3) under a subnet failure]


Link Failure

[Figure: the sample network under a link failure]


Second Link Failure – Temporal Failure Correlation

[Figure: the sample network after a second link failure]


Centrality of R5 Increases Enormously. Result: Large Scale Traffic Redirection

[Figure: the sample network in the large-scale traffic redirection scenario]


Compromised Routers

Legitimately participate in routing protocol

  • Integrity mechanisms are in place

    • Routers do not masquerade as other routers

    • May place themselves in more routing paths

    • Influence local routing behavior

    • Actively disrupt global routing behavior

  • Suitable response

    • Place routers out of legitimate routing process before disruption is too great



Compromised Routers – Contd.

Legitimately participate in routing protocol

  • Integrity mechanisms are not in place

    • Routers masquerade as other routers

    • Spoofing attack on victim routers

    • Rogue router remains invisible

  • Suitable Response

    • Re-route overloaded router traffic and enforce traffic congestion control policies



Centrality Analysis

  • Captures structurally central part of a network

  • Depends on point of view

    • may be nodes with most direct connections to neighbors, or

    • nodes that are most connected to network, or

    • the nodes that are closest to other points



Degree Centrality

  • Number of nodes to which a node is directly linked

  • Reflective of potential communication activity

  • Measure of the vulnerability of a node, since high-degree nodes are less vulnerable to attack

  • A node of low degree is isolated and cut off from active participation in ongoing network activity



Betweenness Centrality

  • Based on the frequency with which a node falls between pairs of other points on the shortest paths between them

  • Overall index determined by summing partial values for all unordered pairs of points

  • Betweenness centrality of a node is greater if it lies on a greater number of shortest paths between other node pairs

  • Defines potential for control of communication



Betweenness Centrality of a Node

Given nodes and with geodesics (shortest paths) between them, the probability of using any one of these paths is given by



Betweenness Centrality of a Node – Contd.

Thus, if = # of geodesics between and that contain , then the probability that falls on a randomly selected geodesic linking and is given by =



Betweenness Centrality of a Node – Contd.

The overall centrality of a node is determined by summing the partial probabilities for all unordered pairs of points. Thus,

where i ≠ j ≠ k

  • When a node falls on the only shortest path between a pair of points, the centrality of the point increments by 1

    • applicable in straightforward routing

  • With alternate geodesics, the centrality index grows in proportion to the frequency of occurrence of that node among the alternatives

    • applicable in equal-cost multi-path routing



Approaches to Resolve Computational Issues

  • Modified definitions

    • egocentric approach

    • simplified egocentric approaches

  • Heuristics

    • Exploit sparsity of connections in large networks

    • Exploit correlation between degree centrality and betweenness centrality



Recent Work in Intra-domain Routing Protocols (Application to OSPF)

  • Modified definition of betweenness centrality:

    • Centrality of a node is determined with respect to the root router of the SPF tree

  • Advantages

    • Each router independently computes betweenness centrality indices of other routers

    • Piggyback the betweenness centrality computation within the Dijkstra SPF algorithm at each router

    • Each router can adopt independent response decisions based on this metric
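The betweenness formula on the earlier slides (the sum over unordered pairs of g_ij(k)/g_ij, with fractional credit under equal-cost multi-path routing) and the OSPF proposal on this slide (compute the index with respect to the root of each router's SPF tree, inside Dijkstra) can be shown with one piece of code. The Python below is an added example, not code from the talk or from the UC Davis group. It assumes a constructed five-router topology rather than the R1 to R13 network in the figures, and it uses Brandes' dependency accumulation to obtain the root-relative sum from the SPF tree; summing that over all roots and halving gives the pairwise index. It also reproduces the earlier failure-scenario observation: after link R4-R5 fails, R3's betweenness triples while its degree is unchanged, and a simple monitoring rule flags it.

```python
import heapq
from collections import defaultdict

# Constructed five-router topology (not the network drawn in the talk):
# (router, router, link cost). R2 and R5 are joined by two equal-cost paths,
# one through R3 and one through R4, so the ECMP case is exercised.
SAMPLE_LINKS = [
    ("R1", "R2", 1),
    ("R2", "R3", 1),
    ("R2", "R4", 1),
    ("R3", "R5", 1),
    ("R4", "R5", 1),
]


def build_graph(links):
    """Undirected weighted adjacency map: router -> {neighbour: link cost}."""
    graph = defaultdict(dict)
    for a, b, cost in links:
        graph[a][b] = cost
        graph[b][a] = cost
    return dict(graph)


def without_link(links, a, b):
    """Topology after the link a-b fails (the slides' link-failure scenario)."""
    return [l for l in links if {l[0], l[1]} != {a, b}]


def spf_with_path_counts(graph, root):
    """Dijkstra SPF from `root` (positive link costs), extended to record for
    every node the number of equal-cost shortest paths from the root (sigma)
    and the predecessors on those paths: the piggybacking the slide proposes."""
    dist = {root: 0}
    sigma = defaultdict(int)
    sigma[root] = 1
    preds = defaultdict(list)
    settled, settled_order = set(), []
    heap = [(0, root)]
    while heap:
        d, v = heapq.heappop(heap)
        if v in settled:
            continue
        settled.add(v)
        settled_order.append(v)
        for w, cost in graph[v].items():
            nd = d + cost
            if w not in dist or nd < dist[w]:
                dist[w] = nd          # strictly shorter: restart the path count
                sigma[w] = sigma[v]
                preds[w] = [v]
                heapq.heappush(heap, (nd, w))
            elif nd == dist[w]:
                sigma[w] += sigma[v]  # equal cost: one more geodesic to w
                preds[w].append(v)
    return settled_order, sigma, preds


def root_relative_centrality(graph, root):
    """For each node k, the sum over every destination j of g_rj(k)/g_rj, i.e.
    the share of the root's shortest paths to j that pass through k. Computed
    with Brandes' dependency accumulation, walking the SPF tree from the
    farthest node back towards the root."""
    order, sigma, preds = spf_with_path_counts(graph, root)
    delta = defaultdict(float)
    for w in reversed(order):
        for v in preds[w]:
            delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
    return {k: delta[k] for k in graph if k != root}


def betweenness_centrality(graph):
    """C_B(k) = sum over unordered pairs {i, j} of g_ij(k)/g_ij, i != j != k.
    Summing the root-relative values over every root counts each unordered
    pair twice, hence the division by 2. A node on the only geodesic of a
    pair gains exactly 1; with alternate geodesics it gains its share."""
    total = defaultdict(float)
    for root in graph:
        for k, share in root_relative_centrality(graph, root).items():
            total[k] += share
    return {k: total[k] / 2 for k in graph}


def degree_centrality(graph):
    """Number of nodes each node is directly linked to."""
    return {k: len(neigh) for k, neigh in graph.items()}


def centrality_jumps(before, after, factor=2.0):
    """Monitoring rule (an assumption of this example, not the talk's): flag
    nodes whose betweenness grew by at least `factor` after a topology change.
    Such a node now sits on far more paths, the redirection the slides warn of."""
    return sorted(k for k in after
                  if after[k] > before[k] and after[k] >= factor * before[k])


if __name__ == "__main__":
    g_before = build_graph(SAMPLE_LINKS)
    g_after = build_graph(without_link(SAMPLE_LINKS, "R4", "R5"))
    cb_before, cb_after = betweenness_centrality(g_before), betweenness_centrality(g_after)
    dg_before, dg_after = degree_centrality(g_before), degree_centrality(g_after)
    for k in sorted(g_before):
        print(f"{k}: degree {dg_before[k]}->{dg_after[k]}  "
              f"betweenness {cb_before[k]:.1f}->{cb_after[k]:.1f}")
    print("flagged:", centrality_jumps(cb_before, cb_after))
    print("from root R1:", root_relative_centrality(g_before, "R1"))
```

Before the failure R3 and R4 each earn 0.5 from the R2-R5 pair, as the equal-cost multi-path bullet describes; once R4-R5 is gone, R3 becomes the only transit to R5 and its index rises from 1.0 to 3.0 with its degree still 2, which is why the slides argue that degree alone is a weak signal. Each router can run `root_relative_centrality` on its own SPF tree without waiting for any other router's view, which is the independence advantage the slide lists.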



Centrality Analysis in Ad hoc Networks

  • Points of interest

    • Absence of communication infrastructure

    • Each mobile node must also perform the duties of a router

    • Nodes dynamically establish routing among themselves to form the ad hoc network

  • Routing protocols being considered

    • Two routing protocols considered for standardization by the IETF, namely DSR and AODV

    • Hybrid ad hoc routing protocols that employ clustering and hierarchical techniques



Ongoing Work

  • For each of DSR, AODV and other hybrids:

    • Develop functionality that abstracts global centrality information locally

    • Study the role of heuristics in addressing computational issues

      • Ego-centric approaches

      • Correlation studies

    • Study limits of the approach



Ongoing Work – Contd.

  • Simulate intrusive behavior of malicious ad hoc hosts involving

    • dense, complex networks

    • high node mobility and

    • substantial dynamic topologies



Specific Tasks

  • Modify ns-2 simulator modules to support elements of centrality analysis within ad hoc routing protocols

  • Performance analysis of estimates of centrality in the presence of both node mobility and dynamic topologies, as well as under specific node failure/link failure scenarios



Fundamental Motivation for Monitoring Routing

  • Provide a systematic framework for

    • developing security specifications/constraints

    • establishing bounds for secure network behavior

  • Create a more secure enhancement to an existing protocol

  • Develop a response mechanism for

    • isolating intrusive behavior of a malicious node

    • use as a QoS metric to prevent traffic congestion

  • Aspects to this study

    • describe knowledge available to each router

    • As a response mechanism, study feasibility of employing this information as a metric for



Conclusions

  • Abstract global network control behavior locally at a router

  • Capture changing topology to detect network-wide routing attacks

  • Early detection possible

  • Subverting such monitoring is harder

  • Selectively misrouted packets are not detected with this approach
