1 / 31

Intrusion Monitoring of Malicious Routing Behavior

Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis Security Threats Outsider attacks infiltrate routing process modify routing information

Audrey
Download Presentation

Intrusion Monitoring of Malicious Routing Behavior

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis

  2. Security Threats • Outsider attacks • infiltrate routing process • modify routing information • cause redirection of network traffic, DoS attacks, etc. countermeasure - use of strong integrity mechanisms UCDavis SecLab MURI October 2002

  3. Security Threats – Contd. • Insider attacks • Compromised rogue routers • legitimately participate in routing protocol • influence local routing behavior • actively disrupt global routing behavior • Integrity mechanisms are in place • Routers do not masquerade as other routers • Integrity mechanisms are not in place • Routers masquerade as other routers. UCDavis SecLab MURI October 2002

  4. Intrusion Monitoring of Networks • Most intrusion monitoring is fine-grained • E.g., network packet analysis • Some intrusions require higher level monitoring • Intrusive behavior may be visible earlier • Our approach is aimed at multi-grained intrusion monitoring UCDavis SecLab MURI October 2002

  5. Sample Network R8 H2 R1 R2 R7 R9 R3 Area 1 Area 2 R4 R6 R10 R11 R12 R5 H1 R13 AS Area 3 UCDavis SecLab MURI October 2002

  6. Link R4-R5 Is Down R8 H2 R1 R2 R7 R9 R3 Area 1 Area 2 R4 R6 R10 R11 R12 R5 H1 R13 AS Area 3 UCDavis SecLab MURI October 2002

  7. Newly Isolated Node – R5 Single Point of Connection – R6 R1 R2 R3 Area 1 R4 R8 H2 R7 R9 Area 2 R6 R10 R11 R12 R5 H1 R13 Area 3 AS UCDavis SecLab MURI October 2002

  8. Area 1 Area 2 R4 R6 R10 R11 R5 Area 3 Centralityof R6 greater even if degree of R6 unchanged AS UCDavis SecLab MURI October 2002

  9. Isolated Node – R5 Centrality of Routers R10, R11, R12 Increases Area 1 Area 2 R4 R6 R10 R11 R12 R5 Area 3 AS UCDavis SecLab MURI October 2002

  10. Subnet Failure R8 H2 R1 R2 R7 R9 R3 Area 1 Area 2 R4 R6 R10 R11 R12 R5 H1 R13 AS Area 3 UCDavis SecLab MURI October 2002

  11. Link Failure R8 H2 R1 R2 R7 R9 R3 Area 1 Area 2 R4 R6 R10 R11 R12 R5 H1 R13 AS Area 3 UCDavis SecLab MURI October 2002

  12. Second Link Failure – Temporal Failure Correlation R8 H2 R1 R2 R7 R9 R3 Area 1 Area 2 R4 R6 R10 R11 R12 R5 H1 R13 AS Area 3 UCDavis SecLab MURI October 2002

  13. Centrality of R5 Increases EnormouslyResult: Large Scale Traffic Redirection R8 H2 R1 R2 R7 R9 R3 Area 1 Area 2 R4 R6 R10 R11 R12 R5 H1 R13 AS Area 3 UCDavis SecLab MURI October 2002

  14. Compromised Routers Legitimately participate in routing protocol • Integrity mechanisms are in place • Routers do not masquerade as other routers • May place themselves in more routing paths • Influence local routing behavior • Actively disrupt global routing behavior • Suitable response • Place routers out of legitimate routing process before disruption is too great UCDavis SecLab MURI October 2002

  15. Compromised Routers - Contd. Legitimately participate in routing protocol • Integrity mechanisms are not in place • Routers masquerade as other routers • Spoofing attack on victim routers • Rogue router remains invisible • Suitable Response • Re-route overloaded router traffic and enforce traffic congestion control policies UCDavis SecLab MURI October 2002

  16. CentralityAnalysis • Captures structurally central part of a network • Depends on point of view • may be nodes with most direct connections to neighbors, or • nodes that are most connected to network, or • the nodes that are closest to other points UCDavis SecLab MURI October 2002

  17. Degree Centrality • Number of nodes to which a node is directly linked • Reflective of potential communication activity • Measure of vulnerability of node since high degree nodes will be less vulnerable to attack • Node of low degree is isolated and cut off from active participation in ongoing network activity UCDavis SecLab MURI October 2002

  18. Degree Centrality of a node is given by: UCDavis SecLab MURI October 2002

  19. Betweenness centrality • Based on frequency with which a node falls between pairs of other points on shortest paths between them • Overall index determined by summing partial values for all unordered pairs of points • Betweenness centrality of a node is greater if it lies on a greater number of shortest paths between other node pairs • Defines potential for control of communication UCDavis SecLab MURI October 2002

  20. Betweenness Centrality of a node Given nodes and with geodesics (shortest paths) between them, the probability of using any one of these paths is given by UCDavis SecLab MURI October 2002

  21. Betweenness Centrality of a Node – Contd. • Thus, if = # of geodesics between and that contain , then the probability that falls on a randomly selected geodesic linking and is given by = UCDavis SecLab MURI October 2002

  22. Betweenness Centrality of a node – contd. The overall centrality of a node is determined by summing the partial probabilities for all unordered pairs of points. Thus, where i ≠ j ≠ k • When a node falls on the only shortest path between a pair of points, the centrality of the point increments by 1 • applicable in straightforward routing • With alternate geodesics, the centrality index grows in proportion to the frequency of occurrence of that node among the alternatives • applicable in equal-cost multi-path routing UCDavis SecLab MURI October 2002

  23. Computation of betweenness centrality • Traditional summation methods are very costly, requiring O(n^3) time and O(n^2) space for n nodes and e edges UCDavis SecLab MURI October 2002

  24. Approaches to resolve computational issues • Modified definitions • egocentric approach • simplified egocentric approaches • Heuristics • Exploit sparsity of connections in large networks • Exploit correlation between degree centrality and betweenness centrality UCDavis SecLab MURI October 2002

  25. Recent Work in Intra-domain Routing Protocols (Application to OSPF) • Modified Definition of Betweenness Centrality: • Centrality of a node is determined with respect to root router of SPF tree • Advantages • Each router independently computes betweenness centrality indices of other routers • Piggyback betweenness centrality computation within Dijkstra SPF algorithm at each router • Each router can adopt independent response decisions based on this metric UCDavis SecLab MURI October 2002

  26. Centrality Analysis in Ad hoc Networks • Points of Interest • Absence of communication infrastructure • Each mobile node must also perform the duties of router • Dynamically establish routing among themselves to form ad hoc network • Routing Protocols being considered • Two routing protocols considered for standardization by IETF, namely, DSR and AODV • Hybrid ad hoc routing protocols that employ clustering and hierarchical techniques UCDavis SecLab MURI October 2002

  27. Ongoing Work • For each of DSR, AODV, other hybrids: • Develop functionality that abstracts global centrality information locally • Study role of heuristics in addressing computational issues • Ego-centric approaches • Correlation studies • Study limits of approach UCDavis SecLab MURI October 2002

  28. Ongoing Work – contd. • Simulate intrusive behavior of • malicious ad hoc hosts involving • - dense, complex networks • - with high node mobility and • - substantial dynamic topologies UCDavis SecLab MURI October 2002

  29. Specific Tasks • Modify ns-2 simulator modules to support elements of centrality analysis within ad hoc routing protocols • Performance analysis of estimates of centrality in presence of both node mobility and dynamic topologies as well as under specific node failure/link failure scenarios UCDavis SecLab MURI October 2002

  30. Fundamental Motivation for Monitoring Routing • Provide a systematic framework for • developing security specifications/constraints • establishing bounds for secure network behavior • Create a more secure enhancement to an existing protocol • Develop a response mechanism for • Isolating intrusive behavior of a malicious node • Use as a QoS metric to prevent traffic congestion • Aspects to this study • describe knowledge available to each router • As a response mechanism, study feasibility of employing this information as a metric for UCDavis SecLab MURI October 2002

  31. Conclusions • Abstract global network control behavior locally at a router • Capture changing topology to detect network wide routing attacks • Early detection possible • Subverting such monitoring harder • Selectively misrouted packets not detected with this approach UCDavis SecLab MURI October 2002

More Related