1 / 27

Intrusion Detection and Forensics for Self-defending Wireless Networks

Intrusion Detection and Forensics for Self-defending Wireless Networks. Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University http://list.cs.northwestern.edu. The Spread of Sapphire/Slammer Worms.

jonah
Download Presentation

Intrusion Detection and Forensics for Self-defending Wireless Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection and Forensics for Self-defending Wireless Networks Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University http://list.cs.northwestern.edu

  2. The Spread of Sapphire/Slammer Worms

  3. The Current Threat Landscape of Wireless Networks • Wireless networks, crucial for GIG, face both Internet attacks and their unique attacks • Viruses/worms: e.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices • Botnets: underground army of the Internet, emerging for wireless networks • Big security risks for wireless networks • Few formal analysis about wireless network protocol vulnerabilities • Existing (wireless) IDSes only focus on existing attacks • Ineffective for unknown attacks or polymorphic worms • Little work on attack forensics • E.g., how to identify the command-and-control (C&C) channel of botnets?

  4. Self-Defending Wireless Networks • Proactively search of vulnerability for wireless network protocols • Intelligent and thorough checking through combo of manual analysis + auto search with formal methods • First, manual analysis provide hints and right level of abstraction for auto search • Then specify the specs and potential capabilities of attackers in a formal language TLA+ (the Temporal Logic of Actions) • Then model check for any possible attacks • Defend against emerging threat • Worm: network-based polymorphic worm signature generations • Botnet: IRC (Internet relay chat) based C&C detection and mitigation

  5. Outline • Threat landscape and motivation • Our approach • Accomplishment of this year • Vulnerability analysis of Mobile IPv6 protocols • Polymorphic worm signature generation • Plan for the next year

  6. Accomplishments This Year (I) • Intelligent vulnerability analysis • Focused on outsider attacks, i.e., w/ unprotected msgs • Checked the complete spec of 802.16e before authentication • Found some vulnerability, e.g., for ranging (but needs to change MAC) • Checked the mobile IPv4/v6 • Find an easy attack to disable the route optimization of MIPv6 ! • Partnered with Motorola, very interested in the vulnerability found • Automatic polymorphic worm signature generation systems for high-speed networks • Fast, noise tolerant w/ proved attack resilience • Talking with Cisco IPS group for tech transfer • Patent filed

  7. Accomplishments This Year (II) • Six conference, one journal papers and a book chap • Honeynet-based Botnet Scan Traffic Analysis, invited book chapter for Botnet Detection: Countering the Largest Security Threat • Detecting Stealthy Spreaders Using Online Outdegree Histograms, in the Proc. of the 15th IEEE International Workshop on Quality of Service (IWQoS), 2007 (26.6%). • Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience, to appear in IEEE Symposium on Security and Privacy, 2006 (9%). • Towards Scalable and Robust Distributed Intrusion Alert Fusion with Good Load Balancing, in Proc. of ACM SIGCOMM Workshop on Large-Scale Attack Defense 2006(33%). • Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols through TLA+, in Proc. of the Second Workshop on Secure Network Protocols (NPSec) (33%). • A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks, to appear in IEEE International Conference on Distributed Computing Systems (ICDCS), 2006 (14%). • Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications, Proc. of IEEE INFOCOM, 2006 (18%). Full version to appear in ACM/IEEE Transaction on Networking.

  8. Mobile IPv6 (RFC 3775) • Provides mobility at IP Layer • Enables IP-based communication to continue even when the host moves from one network to another • Host movement is completely transparent to Layer 4 and above

  9. Mobile IPv6 - Entities • Mobile Node (MN) – Any IP host which is mobile • Correspondent Node (CN) – Any IP host communicating with the MN • Home Agent (HA) – A host/router in the Home network which: • Is always aware of MN’s current location • Forwards any packet destined to MN • Assists MN to optimize its route to CN

  10. Mobile IPv6 - Process • (Initially) MN is in home network and connected to CN • MN moves to a foreign network: • Registers new address with HA by sending Binding Update (BU) and receiving Binding Ack (BA) • Performs Return Routability to optimize route to CN by sending HoTI, CoTI and receiving HoT, CoT • Registers with CN using BU and BA

  11. Mobile Node Mobile IPv6 in Action Home Network HoT Internet Correspondent Mobile Node Home Agent Node HoTI BA CoT HoTI BA HoT CoTI BU BU Foreign Network

  12. Mobile IPv6 Vulnerability • Nullifies the effect of Return Routability • BA with status codes 136, 137 and 138 unprotected • Man-in-the-middle attack • Sniffs BU to CN • Injects BA to MN with one of status codes above • MN either retries RR or gives up route optimization and goes through HA

  13. Restart Return Silently Discard MIPv6 Attack In Action MN HA AT CN Start H o T I Return o C T I Routability H o T I T o C T o H T o H Bind Update (Sniffed by AT along the way) Bind Ack Spoofed by AT Routability Bind Ack Bind Ack • Only need a wireless network sniffer and a spoofed wired machine (No MAC needs to be changed !) • Bind ACK often skipped by CN

  14. MIPv6 Vulnerability - Effects • Performance degradation by forcing communication through sub-optimal routes • Possible overloading of HA and Home Link • DoS attack, when MN repeatedly tried to complete the return routability procedure • Attack can be launched to a large number of machines in their foreign network • Small overhead for continuously sending spoofed Bind ACK to different machines

  15. TLA Analysis and Experiments • With the spec modeled in TLA, the TLC search gives two other similar attacks w/ the same vulnerability • Complete the search of vulnerabilities w/ unprotected messages • Implemented and tested in our lab • Using Mobile IPv6 Implementation for Linux (MIPL) • Tunnel IPv6 through IPv4 with Generic Routing Encapsulation (GRE) by Cisco • When attack in action, MN repeatedly tried to complete the return routability procedure – DOS attack !

  16. Outline • Threat landscape and motivation • Our approach • Accomplishment of this year • Vulnerability analysis of Mobile IPv6 protocols • Polymorphic worm signature generation • Plan for the next year

  17. Deployment of SDWN • Attached to a switch connecting BS as a black box • Enable the early detection and mitigation of global scale attacks • Significantly more challenging compared w/ host-based IDS/IPS • Huge data volume and lack of host-level information Users Internet Internet Users SDWN system 802.1x BS 802.1x scan port BS Router/switch Switch/ BS controller 802.1x BS 802.1x BS Gateway Users Honeynet Users SDWN system (a) (b) SDWN deployed Original configuration

  18. Automatic Length Based Worm Signature Generation • Majority of worms exploit buffer overflow vulnerabilities • Worm packets have a particular field longer than normal • Length signature generation • Parse the traffic to different fields • Find abnormally long field • Apply a three-step algorithm to determine a length signature • Length based signature is hard to evade if the attacker has to overflow the buffer.

  19. Length Based Signature Generator

  20. Evaluation of Signature Quality • Seven polymorphic worms based on real-world vulnerabilities and exploits from securityfocus.com • Real traffic collected at two gigabit links of a campus edge routers in 2006 (40GB for evaluation) • Another 123GB SPAM dataset

  21. Outline • Threat landscape and motivation • Our approach • Accomplishment • Achievement highlight: a Mobile IPv6 vulnerability • Plan for the next year • Insider attack analysis • Complete the polymorphic worm signature generation • Intrusion forensics for botnet command and control channel detection

  22. Insider Attack Analysis • Not hard to become a subscriber • Can five subscribers bring down an entire wireless network (e.g., WiMAX) ? • Check vulnerability after authentication • Plan to analyze various layers of WiMAX networks • IEEE 802.16e: MAC layer • Mobile IP v4/6: network layer • EAP layer

  23. 802.16e SS Init Flowchart

  24. Work Done

  25. Future work

  26. Intrusion Detection and Forensics for Self-defending Wireless Networks Yan Chen, Northwestern University Tel. (847) 491-4946, E-Mail: ychen@northwestern.edu • Proactively secure the wireless networks • Search of network protocol vulnerabili- ties • Automatically detect and filter unknown and/or polymorphic worms • Intrusion forensics and mitigation for botnet-based attacks Objective Internet Users SDWN system 802.1x scan port BS Switch/ BS controller 802.1x BS Gateway Honeynet Users SDWN system Accomplishments • Successfully check for outsider attack vulnerabilities of MIP v4/6 and 802.16e (WiMAX) protocols • Network-based automatic signature generations Challenges • State space explosion for vulnerability search w/ formal methods • Large amount of traffic to monitor on high-speed links • Intelligent and complete vulnerability search through the combo of manual analysis & verification via formal methods • Network-based automatic signature generation for polymorphic worms • Botnet command-and-control channel detection and mitigation Scientific/Technical Approach

  27. Conclusions • Vulnerability analysis of wireless network protocols: 802.16e and mobile IP specs • Network-based polymorphic worm signature generation for self-defending wireless networks Thank You !

More Related