
Spyware on Internet.
Sybil Attacks on Sensor Networks.
csci599 Spring 2004

Siddharth Thakkar

14-Jun-12   csci 599 - Sp'04 Presentation: Spyware & Sybil Attacks - Siddharth Thakkar   1
Presentation Outline
   Spyware
           Introduction
           Spyware basics and Classes
           Study in the Paper: Gator, eZula, SaveNow, Cydoor
           Analysis
           Results - details
           Spyware Vulnerabilities
           Scaling on to the Internet
           Conclusions
   Sybil Attacks
           Introduction & Basics
           Taxonomy
           Attacks
           Defenses: Especially Random Key Distribution Approaches
           Summary
           In P2P networks


Spyware
   Reference: Measurement and Analysis of Spyware in a University Environment – Saroiu et al.
Introduction – Stealth/Parasite programs
   Stealth and Parasite Programs:
       CIAC Technical report (Nov 2002)
       Distributed and installed along with a known program.
       Get onto a system by piggybacking on an installer.
       Not Viruses! Viruses attach themselves to other programs in
        order to steal a ride onto another person’s system.
       Parasite programs are intentionally attached to the programs
        they ride on.
       Classes:
              Adware: advertisements, web-pages, pop-ups or cookies from
               Browsers - when you access a web page that contains an ad from the
               adware server.
              Spyware: Intelligently “spy” on all your browsing activity, looking into
               browser temp files/cookies/histories and all collected information is
               sent back to the spyware server to target future misuse of information.
              Stealth Networks: Networks of computers, usually P2P, to store files
               on and queue jobs for execution on someone else’s system (needs
               program installed there)
              Browser Helper Objects: BHOs are essentially add-in programs
               /executable code for IE – difficult to detect – have to clean Registry.

Spyware – Basics
   Definition: (user’s perspective)
       Software that gathers information about the computer’s use
        (with or without user’s consent) and relays it back to a 3rd
        party for its benefit.
   Risks:
           User’s privacy is compromised
           Affects usability/stability of the user’s computing environment
           Can self-update and introduce new security vulnerabilities
           Can put millions of computers at risk
   Why do they exist? :
       Because information is valuable and can be capitalized upon.
   How can I get it?
           Your behavior
           Popular software with embedded spyware
           Website prompting to install browser extensions
           Cookies to track behavior across cooperating websites
           Usability Vs. Security: O.S.s are meant to be extensible!
Classes of Spyware (characteristics, working and threats) - 1
   Cookies and Web Bugs
       Passive form of Spyware (no code of their own)
       Cookies:
             State stored in clients’ web browsers
             Websites or ad networks that stored them can
              retrieve them.
             Can track user’s behavior across various sites
       Web Bugs
             Invisible images embedded in page placed by
              advertisement networks
   Browser Hijackers
       Try to change browser settings (start page, search) by:
             BHOs (helper objects), windows registry, browser
              preference files
Classes of Spyware (characteristics, working and threats) - 2
   Keyloggers
       Record all keystrokes
       Passwords, credit card numbers, etc.
       New ones capture logs of visited sites, chat sessions,
        windows and programs opened.
   Tracks
       Applications record info about the user’s actions (e.g. recently
        visited websites)
       The O.S. does it too. Such tracks can be mined by
        malicious programs.
   Malware
       Viruses, worms, trojan horses, automatic phone dialers!
Classes of Spyware (characteristics, working and threats) - 3
   Spybots
       Prototypical example of spyware
       Monitor the user’s behavior, collect activity logs and
        transmit them to a 3rd party
       Info like web form data, email addresses (for
        spam), URL lists, etc.
       Installed as a BHO, or a DLL, or a separate process
        started at O.S. boot!
   Adware
       Benign variety of Spybots.
       Display advertisements tuned to user’s
        activity, reporting browsing behavior.
Show me a reason to worry!
   The extent denoted by:
       Results of this paper (we’ll see soon)
       Spyware signatures
             E.g. the SpyBot S&D program has 790 signatures as of Jan
              27th, 2004.
   The spread:
       Freeware/Shareware:
            Authors downloaded 10 popular titles (reporting 872
             million downloads) from http://download.com
            Kazaa, iMesh, Morpheus, Download Accelerator had
             spyware!
            12 spyware programs in free Kazaa (MORAL: there’s no free meal!)
            Kazaa’s paid version doesn’t have spyware!!
Spyware studied by this paper
   Aim:
       First academic attempt to understand the nature and
        extent of spyware, to draw the attention of the research community.
       Studied software versions between Aug 03 and Jan 04.
       Network signatures used to detect spyware in traces of traffic
        between Univ. of Washington and the Internet.
   Focused on 4 spyware programs: Gator, Cydoor, SaveNow,
    eZula
       All are from the Spybot or Adware class
       Affect approx. 5.1% of active university hosts.
       Can easily get into a user’s system via free software
       Easy to derive signatures by sniffing network traffic (they
        use HTTP with their servers)
       Spyware servers identified using the name/IP lists in the ARIN & RIPE
        registries
Gator - 1
   An Adware AKA: OfferCompanion, Trickler, GAIN
       Collects/transmits the user’s web activity info (URLs visited),
        demographic info (name, zipcode) and computer
        configuration info.
       Generates a profile of the user’s interests and targets
        advertisements
   Installed by:
       Free s/w by Claria Corporation
       P2P clients
       Websites prompting popups to install
   Runs as:
       DLL linked with free s/w
       Own process: gain.exe, cmesys.exe
   Capable of “Self-updating” !!
Gator – 2
   Smartness
       Usually spyware can be “de-fanged”:
            The hosts.txt file can be manipulated to remap the DNS
             names of spyware servers by adding entries.
       Gator on the other hand…
            Comments out entries referring to gator.com
            Caches IP addresses of gator.com DNS names.
            You are a l-user!
Cydoor
   About
       Made by Cydoor Technologies
       Client prefetches targeted pop-up advertisements from
        servers when the containing application is run
       Online or offline!
       Gets the user’s demographic info from a questionnaire
        filled in while installing the containing application!
       Inside scoop:
             Company also offers a free SDK
                To embed the Cydoor DLL in any Windows program and
                 generate revenue for them.
                Removal of the DLL causes the program to crash!
             Don’t spread the word!
SaveNow
   About
       Save.exe image
       Shows advertisements when the user appears to be
        shopping
       Doesn’t transmit information to servers
       But still collects such info to target ads
       Contacts its server to update its advertisement cache
       Comes with free P2P s/w (Kazaa)
eZula
   About
       Ezulamain.exe process
       AKA – TopText, ContextPro, HotText
       Attached to browser; Modifies incoming HTML
        to create “links” to ads on keywords
       “artificial links” are highlighted to redirect
        away from original legitimate advertisers to its
        own!
       Bundled with free P2P s/w (Kazaa, LimeWire)
        or as a standalone tool.
       Can “Self-Update”!
Analysis – Goals & Methodology
1.     To understand how widespread spyware
       is within the Univ. of Washington at…
       Individual clients’ granularity
       Academic departments’ granularity
2.     Gain insight into the kinds of user behavior
       that are correlated with spyware.
      Monitoring Host & Traces
       Relevant info about HTTP activity from
        reconstructed TCP/HTTP request/response
        streams is logged at the Monitoring Host.
       Sensitive information (IP) is anonymized
        using 1-way hashing.
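The methodology above (network signatures on HTTP traffic, one-way hashing of client IPs, counts at client and department granularity) as an added Python illustration; this is not code from the paper or the presentation. The trace format and trace lines are constructed, and the signature patterns are placeholders except for gator.com and ezula.com, which the slides name.

```python
import hashlib
import re
from collections import defaultdict

# Constructed signature table: spyware family -> pattern over the HTTP Host header.
# gator.com and ezula.com are named on the slides; the other two hosts are
# placeholders, not the signatures used by Saroiu et al.
SIGNATURES = {
    "Gator":   re.compile(r"(^|\.)gator\.com$", re.I),
    "Cydoor":  re.compile(r"(^|\.)cydoor\.example$", re.I),
    "SaveNow": re.compile(r"(^|\.)savenow\.example$", re.I),
    "eZula":   re.compile(r"(^|\.)ezula\.com$", re.I),
}

# Constructed trace lines in an assumed format: "<time> <client_ip> <dept> <host> <path>"
SAMPLE_TRACE = """\
2004-01-12T10:03:41 128.95.1.10 cs www.gator.com /ads/refresh
2004-01-12T10:03:42 128.95.1.10 cs www.cnn.com /index.html
2004-01-12T10:04:07 128.95.1.11 cs cydoor.example /pull?u=42
2004-01-12T10:04:09 128.95.1.11 cs gator.com /upd/check
2004-01-12T10:05:00 128.95.2.20 ee www.washington.edu /
2004-01-12T10:05:30 128.95.2.21 ee upd.ezula.com /toptext/update
2004-01-12T10:06:12 128.95.3.30 math notgator.com /page
"""

def anonymize(ip, salt):
    """One-way hash of a client IP with a secret salt: the same client maps to
    the same token within a trace, but the token cannot be reversed."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()[:16]

def parse_line(line):
    fields = line.split()
    if len(fields) != 5:
        return None                      # ignore malformed lines
    ts, ip, dept, host, path = fields
    return {"ts": ts, "ip": ip, "dept": dept, "host": host.lower(), "path": path}

def classify(host):
    """Return the spyware family whose signature matches the Host header, or None.
    The patterns are anchored so that e.g. notgator.com does not match."""
    for name, pat in SIGNATURES.items():
        if pat.search(host):
            return name
    return None

def analyze_trace(text, salt=b"constructed-secret-salt"):
    clients = set()                          # all anonymized clients seen
    dept_of = {}
    infections = defaultdict(set)            # family -> anonymized clients
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tok = anonymize(rec["ip"], salt)
        clients.add(tok)
        dept_of[tok] = rec["dept"]
        fam = classify(rec["host"])
        if fam:
            infections[fam].add(tok)
    infected = set().union(*infections.values())
    per_client = defaultdict(set)            # client -> families (cross-infection)
    for fam, toks in infections.items():
        for t in toks:
            per_client[t].add(fam)
    per_dept = defaultdict(lambda: [0, 0])   # dept -> [infected, total]
    for t in clients:
        per_dept[dept_of[t]][1] += 1
        if t in infected:
            per_dept[dept_of[t]][0] += 1
    return {
        "total_clients": len(clients),
        "infected_clients": len(infected),
        "infection_rate": len(infected) / len(clients) if clients else 0.0,
        "per_spyware": {fam: len(t) for fam, t in infections.items()},
        "multi_infected": sum(1 for fams in per_client.values() if len(fams) > 1),
        "per_dept": {d: tuple(v) for d, v in per_dept.items()},
    }

if __name__ == "__main__":
    for k, v in analyze_trace(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```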
Analysis - Environment
   Univ. of Washington Infrastructure (network diagram)
Aside – some USC network facts
   Network as presented in June 03 (James Pepin, ISD) (diagram)
Analysis – Limitations/Assumptions
   Anonymization
       2 bits of the IP are lost. Can’t uniquely find the IP of an infected client
   DHCP effect
       No fixed client IP, so dial-up clients excluded.
       But even with all this, Gator-infected clients could be
        counted!
             Gator happens to provide a unique identifier in its request
              packets
   Signature analysis
       Might miss some spyware traffic because of pattern
        matching errors
             But the result would be an “underestimated” value; the threat might
              be higher!
Results – Spread of Spyware - 1
   Traces Summary (Table 3)
Results – Spread of Spyware - 2
   Gator: 3.4% of clients that communicated during
    the study (weeklong trace)
   Cydoor: 1.3%
   SaveNow: 1.3%
   eZula: 0.2%
   Bad news:
       In total, 1587 clients (5.1% of total hosts) infected with
        one or more spyware programs!
       This is with just the 4 programs studied!
       Gator:
             Only 52 new installations found over the week, by studying
              Gator client “registration” packets and the “timestamp” with
              the date of installation.
             Means many Gators were installed months/years in the
              past!
Results – Spread of Spyware - 3
            Dates discovered for 872 out of                          Values indicate
               the 1077 Gator Clients.                               percentage of 872




Results – Modem Vs. Non-Modems
   Modem Pool IPs
       Though DHCP made the authors exclude dial-up IPs…
       Gator timestamps were used to uniquely identify clients
        within the modem pool
       942 Gator installations out of 12,435 accounts
        using the modem pool (7.6%)
       Note that 872 were already found in the 31,303-host
        non-modem-pool network (2.8%)
       Which means…
            Spyware is prevalent on personally-owned computers
            But also a significant presence even on University
             computers!!
Results – Cross Infection rates - 1
Results – Cross Infection rates - 2
   Once infected, forever vulnerable!
       eZula
            Only 28.6% of eZula-infected hosts are infected with
             ONLY eZula
            Whatever’s causing eZula infections also causes
             infections of other spyware programs!
            Spyware opens new vulnerabilities!
Results – Web activity - 1
   Usual causes:
       P2P client software
       Downloading/installing executables off the
        internet
       Software bundled with spyware.
       Correlation for such activity can be derived.
        (graphs in following slide)
Results – Web activity - 2
   Graphs: servers contacted by infected clients vs. servers contacted
    by ALL clients
Results – Web activity - 3
   Graphs: web requests issued by infected clients vs. web requests
    issued by ALL clients
Results – Downloading executables
Results – Using P2P File-sharing
   Analysis revealed that…
       38% of clients issuing at least one Kazaa
        request were infected by spyware!
            Mainly with Cydoor and Gator (28.2% & 17%
             respectively)
            Compared to the previous table (web clients/requests)
                these values are almost 22 times higher!
                Implies… file-sharing programs expose clients to
                 spyware!
                Kazaa is not the only one!
Results – Today’s Security Infrastructure
   Spyware bypasses it!
       Univ. of Washington core is centrally managed
             Each department is responsible for managing its own
              systems/security policies.
                Independent trust domain, with its own set of defenses
                Still 69% of organizations are infected with at least one
                 variety of spyware!
                    64% have Gator!
             Perimeter protection mechanisms such as firewalls are not
              helpful!
                Spyware needs cooperation from the user (willing or not)
             An exploit could leave the major network vulnerable!
                47 of the most popular web servers in the Univ. share a subnet
                 with a Gator client
                    A backdoor in spyware can lead the attacker easily inside a
                     major trust boundary!
Bugs in Spyware?!
   Gator/eZula
       Client (Software) downloads updates for code
        and data
       Doesn’t verify authenticity or integrity of the
        downloaded archive before extracting files
        from it.
       Attacker can cause his/her OWN file to be
        extracted by hijacking/spoofing gator.com or
        ezula.com!
       Authors “reported” this vulnerability to make
        the spyware stronger and “secure” ??!!!!
Finally, Scaling it on to the Internet
   Kazaa as an example
       Kazaa user counters on websites report 4
        million concurrent clients.
       Using this paper’s 38% infection rate, the estimate
        is…
            1.5 million spyware-infected hosts active on the Kazaa
             network!!
       The estimate based on external Kazaa hosts
        contacting Univ. of Washington hosts is…
            2.6 million spyware-infected Kazaa hosts!
       Research at UC Berkeley estimates this to be
        3.4 million!
Spyware – Conclusions/Comments
   This Paper
       Authors present a well-justified argument about the
        spread of spyware in a controlled environment such as Univ.
        of Washington
       Results serve as an alert to the research community.
       Active monitoring of network traffic avoids doubts!
   Spyware
       Significant local and global security implications
       Next trend after annoying banners
       Signatures can ease detection
       Free software is the most harmful
       Wide spread makes spyware a potential entry point for any
        system-wide vulnerability break-down!
       Need alert system administration for regular cleanup!
       Social aspects – train the users to avoid clicking OK
        without reading!
Sybil Attacks
   Reference: The Sybil Attack in Sensor Networks: Analysis and Defenses by Newsome et al.
Sybil Attacks - Introduction
   The term “Sybil” attack:
       Sybil Dorsett, a survivor of child abuse who was
        diagnosed with the first multiple personality disorder,
        revealed that she played host to sixteen separate and
        distinct personalities before making the long journey to
        recovery.
   Definition
       In networks,
             An attack where the attacker possesses multiple identities – a
              malicious node behaves as if it were a larger number of
              nodes, by impersonating other nodes or simply by claiming
              false identities!
       First identified for P2P networks by John Douceur.
Sybil attacks and Sensor Networks
   Motivation
       Sensor networks may monitor critical information.
       Sybil attacks may exploit, confuse or overwhelm the
        sensor network.
       Need to identify, classify such attacks
       Need to choose the best defense mechanism for sensor
        networks.
   This paper:
       Is the first study of Sybil attacks for Sensor Networks
       Authors attempt to identify attacks, classify them and
        then evaluate various Defense mechanisms!
Sybil Attacks Taxonomy -1
   For Sensor networks, Sybil attacks are classified along three dimensions:
       Communication: Direct or Indirect
       Identity: Fabricated or Stolen
       Simultaneity: Simultaneous or Non-Simultaneous
Sybil Attacks Taxonomy -2
   Direct:
       Malicious node listens to radio messages from legitimate nodes!
   Indirect:
       Messages to a Sybil node are routed through one of the malicious
        nodes!
   Fabricated:
       E.g. if each node is generally identified by a 32-bit integer, the
        attacker assigns each Sybil node a random 32-bit value
   Stolen:
       If the mechanism can identify legitimate node identities, the attacker needs to
        assign other legitimate identities, by destroying or temporarily
        disabling the impersonated nodes
   Simultaneous:
       All Sybil identities participate in the network at once; the attacker may cycle
        through them!
   Non-Simultaneous:
       The attacker has a large number of identities over time but may only act
        as a smaller number at any given time. May leave and join
        multiple times with separate identities!
List of Sybil Attacks -1
   Known Attacks
       Distributed Storage
             Can defeat replication and fragmentation mechanisms
             Easily defeats DHTs based on Geographic Hash Tables (GHTs)
                System designed to replicate data on several nodes
                But it might be storing on Sybil identities generated by a
                 malicious node!
       Routing
             Multipath or Dispersity Routing
                Seemingly disjoint paths could in fact go through a single
                 malicious node presenting several Sybil identities
             Geographic routing
                Sybil node could appear at multiple locations.
             Attempts to detect routing attacks like black holes
                Sybil attack could confuse the detection mechanism!
List of Sybil Attacks -2
   New Attacks
       Data Aggregation
            One malicious node could contribute to the computed
             aggregate of readings many times.
            May completely alter the aggregate reading!
       Voting
            Wireless sensor networks use voting for many tasks.
            Sybil attack for false ballots or ballot-stuffing!
            May be able to determine/influence the outcome of any
             vote, e.g. to declare a legitimate node as misbehaving!
            May save a misbehaving node by favoring votes!
List of Sybil Attacks -3
       Fair Resource Allocation
            Sybil identities allow a malicious node to obtain an unfair
             share of a shared resource (like the radio channel).
            Denial of service to legitimate nodes
            Gives the attacker more resources to perform more
             attacks!
       Misbehavior Detection
            Usually, due to false-positive considerations, any
             misbehavior detection system delays action.
            An attacker with Sybil identities could “spread the
             blame” and pass unnoticed with only small misbehavior
             per identity!
            If action is taken to revoke an identity, the attacker can
             create new identities and continue misbehaving
             without himself getting revoked!
Vulnerable protocols
Sybil Attack – Identity Validation
   Identity Validation
       Types:
            DIRECT VALIDATION: node directly tests another
             node identity
            INDIRECT VALIDATION: nodes that have already
             been verified are allowed to vouch for or refute other
             nodes.
   Note:
       Paper focuses on Direct Validation schemes
        only.
Defenses
   Previous Defenses
       Resource testing:
            Assumption: limited resources per physical entity
            Verify that each identity has as much of the tested
             resource as a physical device would.
            More implies multiple identities!
            Communication as the critical resource for sensor
             networks
                One method: broadcast a request for identities and
                 accept replies that occur within a given time interval.
                Unsuitable for wireless sensor networks because of
                 network congestion from all the replies!
       New Defenses
            New approaches suggested by the authors
            Topics to follow ->
Radio Resource Testing -1
   Assumption
       A physical device has only 1
        radio and can’t send/receive
        on more than 1 channel
        simultaneously
   Working
       A verifier assigns its n
        neighbors different channels.
       Listens on a randomly chosen
        channel.
       If the neighbor that was assigned that
        channel is legitimate, it
        should hear the message.
       Choosing a channel to listen on
        which isn’t being transmitted
        on is a Sybil node detection!
             Probability = s/n (s Sybil identities among the n neighbors)
             Probability of not detecting a
              Sybil node = (n-s)/n
             If repeated for r rounds, it is
              ((n-s)/n)^r
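As an added example (not from the paper or these slides), the following Python computes the miss probability ((n-s)/n)^r and checks it against a Monte Carlo run of the verifier's procedure; it also generalizes the model to a device with several radios, which is the software-radio caveat raised two slides later. The assumptions that the device keeps its own real identity among the n neighbors and that each radio drives exactly one channel are mine.

```python
import math
import random

def miss_probability(n, s, r, radios=1):
    """Probability that r rounds of radio resource testing fail to expose a
    device presenting s Sybil identities among a verifier's n neighbors.
    With a single radio the device transmits on only one channel per round,
    so all s Sybil channels stay silent and one round misses with probability
    (n - s)/n.  radios > 1 (a software radio) is an added generalization:
    each extra radio can drive one more of the device's s + 1 channels."""
    # assumption: the device keeps its own real identity as one of the n neighbors
    silent = max(s + 1 - radios, 0)
    return ((n - silent) / n) ** r

def rounds_needed(n, s, target, radios=1):
    """Smallest r with miss_probability <= target, or None if the device has
    enough radios to answer on every channel and can never be caught this way."""
    per_round = miss_probability(n, s, 1, radios)
    if per_round >= 1.0:
        return None
    if per_round <= 0.0:
        return 1
    return math.ceil(math.log(target) / math.log(per_round))

def simulate(n, s, r, trials=20000, radios=1, seed=7):
    """Monte Carlo estimate of the miss probability using the verifier's actual
    procedure: give each of the n neighbors a distinct channel, listen on a
    random one, and flag a Sybil identity when its channel is silent."""
    rng = random.Random(seed)
    missed = 0
    for _ in range(trials):
        detected = False
        for _round in range(r):
            channels = list(range(n))
            rng.shuffle(channels)                 # fresh assignment each round
            device_chs = channels[:s + 1]         # real identity + s Sybil identities
            active = set(device_chs[:radios])     # channels the device can drive
            listen = rng.randrange(n)
            if listen in device_chs and listen not in active:
                detected = True                   # a neighbor that should talk is silent
                break
        if not detected:
            missed += 1
    return missed / trials

if __name__ == "__main__":
    n, s = 10, 2
    for r in (1, 5, 10):
        print(f"r={r:2d}: analytic={miss_probability(n, s, r):.4f} "
              f"simulated={simulate(n, s, r):.4f}")
    print("rounds for a 1% miss rate:", rounds_needed(n, s, 0.01))
    print("with 3 radios:", rounds_needed(n, s, 0.01, radios=3))
```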
Radio Resource Testing -2
   Case: not enough channels
       to assign one to each neighbor
       Can test c neighbors at a time, over r rounds
       There are S Sybil nodes, M malicious nodes and G good
        nodes
       More channels means easier/faster detection (see next
        graph)
Radio Resource Testing -3
   Advantages
       Effective defense against
        simultaneous direct-
        communication variant
        of Sybil attacks.
   Disadvantages
       Assumptions that device
        can’t send on multiple
        channels simultaneously!
       Software radio negates
        this assumption!
Random Key Predistribution - 1
   Basic Idea
       Assign a random set of keys or key-related
        info to each node…
       Key-setup phase:
            Each node can compute the common keys it shares
             with its neighbors
            Shared secret session key for node-to-node secrecy!
       Key Validation:
            Network able to verify part or all of the keys that an
             identity claims to have!
            Bad guy might’ve been able to capture only a limited
             set of keys.
                Little probability that an arbitrarily generated identity will
                 work!
Random Key Predistribution - 2
   Validation
       2 ways:
            Direct: each node challenges an identity using its
             own limited knowledge
                 May not reach a globally consistent decision
            Indirect: nodes collaborate
                 Effective, since sensor nodes have limited
                 memory/knowledge!
                 Costly: communication overhead
   Random key predistribution approaches
       (modified for use as Sybil defenses by the authors)
            Key Pool
            Single-space pair-wise key distribution
            Multiple-space pair-wise key distribution
Key Pool - 1
   Core Scheme
       Set of keys assigned to a node:
       If two nodes share q common keys, they can establish a
        secret link.
       Which keys a node gets from the key pool is determined by a
        one-way pseudo-random function of its ID.
             Attacker can’t just gather a bunch of keys and claim an
              identity – the PRF is one way!
   Validation
       Challenge the identity
       If a key Ki should be in Omega(ID’) but it isn’t in the
        compromised key set S, ID’ is cheating!
Key Pool - 2
   Time complexity – 1
       Full validation case:
       Partial: challenged by d nodes
            = Pr(t = cardinality of the intersection of Omega(ID’) and S)
               x Pr(ID’ passes validation with all d verifiers |
                    conditioned on t = cardinality of the intersection set)
       Detailed mathematical steps in paper.
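The key-pool validation described on this slide and the previous one, as an added Python illustration that is not code from the paper: key indices Omega(ID) come from a one-way PRF of the ID, a verifier challenges the claimed identity on the keys the two should share, and a fabricated identity backed by a compromised key set S passes only if every challenged key lies in S. The pool size, keys per node, PRF construction and HMAC challenge/response are my assumptions, and a verifier holding the whole pool stands in for full validation.

```python
import hashlib
import hmac
import random

POOL_SIZE = 500       # P: size of the key pool (constructed, small for illustration)
KEYS_PER_NODE = 15    # k: keys each node receives

def make_pool(seed=1):
    """Constructed key pool: P random 16-byte keys held by the setup server."""
    rng = random.Random(seed)
    return [rng.randbytes(16) for _ in range(POOL_SIZE)]

def key_indices(node_id):
    """Omega(ID): the pool indices node_id is entitled to. They come from a
    one-way PRF of the ID (assumed: SHA-256 of ID and a counter), so an attacker
    holding some keys cannot work backwards to an ID that maps exactly onto them."""
    idx, ctr = [], 0
    while len(idx) < KEYS_PER_NODE:
        digest = hashlib.sha256(f"{node_id}|{ctr}".encode()).digest()
        i = int.from_bytes(digest[:4], "big") % POOL_SIZE
        if i not in idx:
            idx.append(i)
        ctr += 1
    return frozenset(idx)

class Node:
    """A sensor node: holds exactly the keys Omega(ID) selects for it."""
    def __init__(self, node_id, pool):
        self.id = node_id
        self.keys = {i: pool[i] for i in key_indices(node_id)}

    def respond(self, i, nonce):
        """Answer a challenge on key index i, or None if the key is not held."""
        key = self.keys.get(i)
        return None if key is None else hmac.new(key, nonce, "sha256").digest()

class SybilNode(Node):
    """An attacker's claimed identity: answers with whatever compromised keys S it has."""
    def __init__(self, claimed_id, compromised):
        self.id = claimed_id
        self.keys = compromised

class FullPoolVerifier:
    """Stand-in for full validation: knows every key in the pool."""
    def __init__(self, pool):
        self.keys = dict(enumerate(pool))

def validate(verifier, claimed_id, prover, rng=None):
    """Direct validation: challenge claimed_id on every index that Omega(claimed_id)
    says it must hold and that the verifier can check. A wrong or missing response
    exposes the identity. A verifier sharing no keys with Omega(claimed_id) cannot
    challenge at all, which is why one verifier's verdict is not globally consistent."""
    rng = rng or random.Random()
    for i in key_indices(claimed_id) & set(verifier.keys):
        nonce = rng.randbytes(16)
        expected = hmac.new(verifier.keys[i], nonce, "sha256").digest()
        resp = prover.respond(i, nonce)
        if resp is None or not hmac.compare_digest(resp, expected):
            return False
    return True

def compromised_keys(pool, captured_ids):
    """S: union of the key rings of the captured nodes."""
    S = {}
    for cid in captured_ids:
        S.update(Node(cid, pool).keys)
    return S

def usable_fraction(S, verifiers, trials=500, seed=3):
    """Fraction of fabricated identities that pass validation by every verifier in
    the list (partial validation with d = len(verifiers)); with a FullPoolVerifier
    this is full validation, i.e. Omega(ID') must lie entirely inside S."""
    rng = random.Random(seed)
    passed = 0
    for t in range(trials):
        fake_id = f"sybil-{seed}-{t}"
        prover = SybilNode(fake_id, S)
        if all(validate(v, fake_id, prover, rng) for v in verifiers):
            passed += 1
    return passed / trials

if __name__ == "__main__":
    pool = make_pool()
    full = FullPoolVerifier(pool)
    for c in (10, 50, 100):
        S = compromised_keys(pool, [f"node-{i}" for i in range(c)])
        print(f"{c:3d} captured nodes, |S|={len(S):3d}: "
              f"full={usable_fraction(S, [full]):.3f} "
              f"partial(d=1)={usable_fraction(S, [Node('node-3', pool)]):.3f}")
```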
Key Pool - 3
   Time complexity – 2
       If the tolerance threshold = Pr(a random Sybil ID is usable) = 2^-64:
             Attacker needs to compromise only 30 nodes in partial
              validation!
             150 if full validation!
Single Space Pairwise Key Distribution
   Scheme:
       Assign a unique key to each pair
       Blom’s scheme & polynomial-based scheme
        (references)
            Node i stores unique public information Ui and
             private information Vi.
            Node i computes the key shared with node j from f(Vi,Uj).
            Lambda-secure property:
                Secure against direct/indirect Sybil attacks until Lambda
                 nodes are compromised (c <= Lambda)
            Validation
                A node validates an identity provided it has the
                 pairwise key between it and the verifier!
                    No consideration of OTHER nodes!
                    Need globally consistent validation.
Multi-space Pairwise Key Distribution-1
   Scheme
       Each sensor node is assigned k out of the m
        key spaces generated by the setup server.
       If 2 neighbors have >=1 key spaces in common,
            compute a pairwise secret key as in the single-space
             scheme!
   Preventing Sybil Attacks
       Without Validation
            Direct-communication Sybil attacks
                Attacker needs to capture enough nodes that at least 1 key
                 space is compromised!
            Indirect-communication Sybil attacks: need more
             validation! (next slide)
Multi-space Pairwise Key Distribution-2
       With Validation
             Indirect validation: needed to challenge an adversary that claims to
              have key spaces Ti.
                 For a globally consistent decision
             Full Validation:
                 Adversary has to compromise all k key spaces!
       Probability calculation
             Si = event that space i is compromised
             m = all key spaces
             If S1 is compromised, it is less likely that S2 is too!
Multi-space Pairwise Key Distribution - 3
   Note:
       Different kind of probability on the Y-axis compared to Fig. 3 before
Other Defenses
   Registration
       A trusted central authority managing the network could poll the network and compare to the known deployment
           Sensor networks are unlike P2P - may have central control
       The registration list of known identities has to be secured!
   Position Verification
       Sybil nodes will appear to be at exactly the same location!
           Assuming sensor nodes are immobile, the attack is detected!
           For a mobile attacker: need to verify ALL nodes' positions simultaneously!
   Code Attestation
       Validate a node by verifying its memory contents!
       Not yet applicable to wireless networks
       Trusted hardware with security guarantees for this?
           Future
           Costly and high energy consumption!
Sybil attacks on Sensor networks - Summary
   Current defenses can't fight every type of Sybil attack (table before)
   Each defense has different cost and assumptions
   Random key predistribution
       Sounds most promising given the difficulty of attack
       Basic pool
           Map a node's identity to the indices of its keys using a one-way function
       Single-space
           Good as long as Lambda nodes are not captured!
           Direct validation ensures globally consistent validation
       Multi-space
           Need Lambda instances of EACH key space to attack!
           Has to compromise at least k key spaces to succeed!
   Paper presents a detailed analytical "first take" on Sybil attacks on sensor networks! (for P2P see next slides!)
       Area needs to explore a lot more options!
       Way to AVOID creation of multiple identities?
           Associate a node to an owner? Attacker can't misuse an existing node for Sybil identities!
           Who does this?
Appendix: Sybil attacks & P2P
   Systems and Attacks
       P2P systems are heterogeneous WITH unlimited computing power!
           Attackers can create Sybil identities, and these need to be validated concurrently and simultaneously!
       Infrastructure:
           Identities communicate via messages over a cloud through pipes!
           Intentional replication for duplication, reliability, etc. can be misused as multiple identities!
       Existing relied-upon mechanisms
           Certification: Verisign
           CFS: identify a node by the hash of its IP address
           SFS: append a host path to a DNS name
           EMBASSY: bind a machine to cryptographic keys in hardware!
               Dependent mechanisms might become obsolete (IPv6 and CFS!)
       New ideas?
           Resource-demanding challenges to identities!
               Not administrable on a large distributed network!
References
   Measurement and Analysis of Spyware in a University Environment
       Stefan Saroiu, Steven Gribble, Henry Levy
       Proceedings of the First Symposium on Networked Systems Design and Implementation (NSDI '04), March 2004
   The Sybil Attack in Sensor Networks: Analysis and Defense
       James Newsome, Elaine Shi, Dawn Song, Adrian Perrig
       Proceedings of the 3rd International Symposium on Information Processing in Sensor Networks (IPSN '04), April 2004
   The Sybil Attack
       John R. Douceur
       First International Workshop on Peer-to-Peer Systems, March 2002
   Leveraging the High Performance Computing Environment
       Michael Pierce, Jim Pepin
       HPC (High Performance Computing) Consortium Meeting, June 2003
   Parasite Programs: Adware, Spyware, and Stealth Networks
       CIAC Technical Bulletin CIACTech02-004, revised November 2002
       http://www.ciac.org/ciac/techbull/CIACTech02-004.shtml