Intruder Identification in Ad Hoc Networks

               Problem Statement
 • Intruder identification in ad hoc networks is the
   procedure of identifying the user or host that
   conducts the inappropriate, incorrect, or
   anomalous activities that threaten the
   connectivity or reliability of the networks and the
   authenticity of the data traffic in the networks.
Papers:
  “On Security Study of Two Distance Vector Routing
  Protocols for Mobile Ad Hoc Networks”, in Proceedings
  of IEEE International Conference on Pervasive
  Computing and Communications (PerCom), 2003.
  “On Vulnerability and Protection of Ad Hoc On-demand
  Distance Vector Protocol”, in Proceedings of 10th IEEE
  International Conference on Telecommunication (ICT),
  2003.
           Research Motivation
• More than ten routing protocols for Ad Hoc
  networks have been proposed (AODV, DSR,
  DSDV, TORA, ZRP, etc.)
• Research focus has been on performance
  comparison and optimizations such as
  multicast and multiple path detection
• Research is needed on the security of Ad
  Hoc networks.
• Applications: Battlefields, Disaster recovery.
          Research Motivation
• Two types of attacks target Ad Hoc
  networks
  • External attacks:
     • MAC layer jamming
     • Traffic analysis
  • Internal attacks:
     • Compromised host sending false routing
       information
     • Fake authentication and authorization
     • Traffic flooding
          Research Motivation
• Protection of Ad Hoc networks
  • Intrusion Prevention
    • Traffic encryption
    • Sending data through multiple paths
    • Authentication and authorization
  • Intrusion Detection
    • Anomaly pattern examination
    • Protocol analytical study
          Research Motivation
• Deficiencies of intrusion prevention
  • Increases the overhead during normal
    operations of Ad Hoc networks
  • Restrictions on power consumption and
    computation capability prevent the usage
    of complex encryption algorithms
  • Flat infrastructure increases the difficulty
    for the key management and distribution
  • Cannot guard against internal attacks
          Research Motivation
• Why intrusion detection itself is not
  enough
  • Detecting intrusion without removing the
    malicious host leaves the protection in a
    passive mode
  • Identifying the source of the attack may
    accelerate the detection of other attacks
          Research Motivation
• Research problem: Intruder
  Identification
• Research challenges:
  • How to locate the source of an attack?
  • How to safely combine the information
    from multiple hosts and enable an individual
    host to make decisions by itself?
  • How to achieve consistency among the
    conclusions of a group of hosts?
      Related Work in wired Networks
• Secure routing / intrusion detection in
  wired networks
  • Routers have more bandwidth and CPU
    power
  • Steady network topology enables the use
    of static routing and default routers
  • Large storage and history of operations
    enable the system to collect enough
    information to extract traffic patterns
  • Easier to establish trust relation in the
    hierarchical infrastructure
        Related Work in wired networks
• Attack on RIP (Distance Vector)
  • False distance vector
• Solution (Bellovin 89)
  •   Static routing
  •   Listen to specific IP address
  •   Default router
  •   Cannot apply in Ad Hoc networks
         Related Work in wired networks

• Attack on OSPF (Link State)
  • False connectivity
  • Attack on Sequence Number
  • Attack on lifetime
• Solution
  • JiNAO:NCSU and MCNC
  • Encryption and digital signature
     Related Work in Ad Hoc Networks
• Lee at GaTech summarizes the difficulties
  in building IDS in Ad Hoc networks and
  raises questions:
  • what is a good architecture and response
    system?
  • what are the appropriate audit data sources?
  • what is the good model to separate normal and
    anomaly patterns?
• Haas at Cornell lists the 2 challenges in
  securing Ad Hoc networks:
  • secure routing
  • key management service
      Related Work in Ad Hoc Networks
• Agrawal at University of Cincinnati presents
  the general security schemes for the secure
  routing in Ad Hoc networks
• Nikander at Helsinki discusses the
  authentication, authorization, and accounting
  in Ad Hoc networks
• Bharghavan at UIUC presents the method to
  enhance security by dynamic virtual
  infrastructure
• Vaidya at UIUC presents the idea of securing
  Ad Hoc networks with directional antennas
        Related Work ongoing projects
• TIARA: Techniques for Intrusion Resistant Ad-Hoc
  Routing Algorithm (DARPA)
   • develop general design techniques
   • focus on DoS attack
   • sustain continued network operations
• Secure Communication for Ad Hoc Networking
  (NSF)
   • Two main principles:
      • redundancy in networking topology, route discovery and
        maintenance
      • distribution of trust, quorum for trust
        Related Work ongoing projects
• On Robust and Secure Mobile Ad Hoc and Sensor
  Network (NSF)
   • local route repair
   • performance analysis
   • malicious traffic profile extraction
   • distributed IDS
   • proposed a scalable routing protocol
• Adaptive Intrusion Detection System (NSF)
   • enable data mining approach
   • proactive intrusion detection
   • establish algorithms for auditing data
             Evaluation Criteria
• Accuracy
  • False coverage: number of normal hosts that are
    incorrectly marked as suspected.
  • False exclusion: number of malicious hosts that
    are not identified as such.
• Overhead
  • Overhead measures the increase in control
    packets and computation cost for identifying the
    attackers (e.g. verifying signed packets, updating
    blacklists).
  • Workload of identifying the malicious hosts in
    multiple rounds.
             Evaluation Criteria
• Effectiveness
  • Effectiveness: increase in the performance of ad
    hoc networks after the malicious hosts are
    identified and isolated. Metrics include the
    increase of the packet delivery ratio, the decrease
    of average delay, or the decrease of normalized
    protocol overhead (control packets/delivered
    packets).
• Robustness
  • Robustness of the algorithm: its ability to resist
    different kinds of attacks.
                        Assumptions
A1. Every host can be uniquely identified and its ID cannot be
    changed throughout the lifetime of the ad hoc network. The ID
    is used in the identification procedure.
A2. A malicious host has total control on the time, the target and the
    mechanism of an attack. The malicious hosts continue
    attacking the network.
A3. Digital signature and verification keys of the hosts have been
    distributed to every host. The key distribution in ad hoc
    networks is a tough problem and deserves further research.
    Several solutions have been proposed. We assume that the
    distribution procedure is finished, so that all hosts can examine
    the genuineness of the signed packets.
A4. Every host has a local blacklist to record the hosts it suspects.
    The host has total control over adding and deleting elements
    from its list. For clarity in the remainder of this paper, we
    call the real attacker the “malicious host”, while the hosts in
    blacklists are called “suspected hosts”.
 Applying Reverse Labeling Restriction to
             Protect AODV
• Introduction to AODV
• Attacks on AODV and their impacts
• Detecting False Destination Sequence
  Attack
• Reverse Labeling Restriction Protocol
• Simulation results
           Introduction to AODV

• Introduced in 97 by Perkins at NOKIA and Royer
  at UCSB
• 12 versions of IETF draft in 3 years, 4
  academic implementations, 2 simulations
• Combines on-demand and distance vector
• Broadcast Route Query, Unicast Route Reply
• Quick adaptation to dynamic link conditions
  and scalability to large-scale networks
• Supports multicast
      Security Considerations for AODV

“AODV does not specify any special security measures.
  Route protocols, however, are prime targets for
  impersonation attacks. If there is danger of such attacks,
  AODV control messages must be protected by use of
  authentication techniques, such as those involving
  generation of unforgeable and cryptographically strong
  message digests or digital signatures.”
      - http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-11.txt
          Message Types in AODV

• RREQ: route request
• RREP: route reply
• RERR: route error
   Route Discovery in AODV

[Figure: route discovery in AODV between source S and destination D via
intermediate hosts S1–S4. S broadcasts the route request; every host that
forwards the request establishes a path back to the source. D unicasts the
route reply; every host that forwards the reply establishes a path to the
destination.]
      Introduction to AODV (con’d)
• Security Features of AODV
  • Combination of Broadcast and Unicast
    • Route reply is sent out along a single path,
      preventing the disclosure of routing information
  • Fast Expiration of Reverse Route Entry
    • Route entry created by an un-replied route request
      will expire in a short time
  • Freshness of Routing Information
    • Unique, monotonic destination sequence for
      every host, which can only be updated by the
      destination/request initiator
                  Attacks on AODV

• Malicious route request
   – query non-existing host (RREQ will flood throughout the
     network)
• False route error
   – route broken message sent back to source (route discovery
     is re-initiated)
• False distance vector
   – reply “one hop to destination” to every request and select a
     large enough sequence number
• False destination sequence
   – select a large number (even beat the reply from real
     destination)
         Impacts of Attacks on AODV

                              Packet Delivery Ratio   Protocol Overhead
No Attacks                             96%                   38%
Silent Discard                         91%                   41%
False Distance                         75%                   38%
False Destination Sequence             53%                   66%
Vicious Flooding                       91%                  293%
False Destination Sequence Attack

[Figure: S broadcasts RREQ(D, 3); S1 forwards it to S3 and S2. The real
destination D answers through S3 with RREP(D, 5), while the malicious host
M answers through S2 with RREP(D, 20). The larger sequence number wins, so
S1 and S install the route through S2 and M.]
 Attacks on AODV and Simulation Results

• Simulation of Attacks
  • A module called “AODV Attack” added into
    ns2
  • Four attacks have been implemented
     •   malicious route request
     •   silent discard
     •   false distance vector
     •   false destination sequence
Attacks to AODV and Simulation Results

• Simulation parameters
  Simulator                    ns2
  Simulation duration          1000 seconds
  Simulation area              1000 * 1000 m
  Number of mobile hosts       30
  Transmission range           250 m (Lucent WaveLAN card specification)
  Maximum speed                5 -- 20 m/s
  Number of CBR connections    25
  Packet rate                  2 pkt / sec
  Simulated attacks            false distance vector and false destination sequence
Attacks to AODV and Simulation Results

[Figure: delivery ratio vs. maximum moving speed under the false distance
vector and false destination sequence attacks.]

 The X-axis is the maximum moving speed, which evaluates the mobility of the hosts.
 The Y-axis is the delivery ratio. Two attacks, false distance vector and
 false destination sequence, are considered. They cause about 30% and 50%
 of the packets, respectively, to be dropped.
 Detecting false destination sequence attack
 by destination host during route rediscovery

[Figure: propagation of RREQ(D, 21) from S through S1, S2, S3, S4 and M to D.]

(1) S broadcasts a request that carries the old sequence + 1 = 21.
(2) D receives the RREQ. Its local sequence is 5, but the sequence in the
    RREQ is 21. D detects the false destination sequence attack.
    Reverse Labeling Restriction (RLR)
• Basic Ideas
  • Every host maintains a blacklist to record suspicious
    hosts. Suspicious hosts can be released from the
    blacklist or put there permanently.
  • The destination host will broadcast an INVALID
    packet with its signature when it finds that the
    system is under attack on sequence. The packet
    carries the host’s identification, current sequence,
    new sequence, and its own blacklist.
  • Every host receiving this packet will examine its
    route entry to the destination host. If the sequence
    number is larger than the current sequence in
    INVALID packet, the presence of an attack is noted.
    The next hop to the destination will be added into
    this host’s blacklist.
     Reverse Labeling Restriction (RLR)

• All routing information or intruder identification
  packets from hosts in blacklist will be ignored, unless
  the information is about themselves.
• After a host is released from the blacklist, the routing
  information or identification results from it will be
  processed.
                    Example to illustrate RLR

[Figure: D broadcasts INVALID(D, 5, 21, {}, SIGN). Resulting blacklists:
D BL {}, S3 BL {}, S1 BL {S2}, S2 BL {M}, M BL {}, S BL {S1}, S4 BL {}.]

D sends an INVALID packet with current sequence = 5 and new sequence = 21. S3
examines its route table; its entry to D is not false. S3 forwards the packet to S1.
S1 finds that its route entry to D has sequence 20, which is > 5, so it knows that
the route is false. The hop that provided this false route to S1 was S2, so S2 is put
into S1’s blacklist. S1 forwards the packet to S2 and S. S2 adds M to its blacklist. S
adds S1 to its blacklist. S forwards the packet to S4. S4 does not change its blacklist
since it is not involved in this route.
  Reverse Labeling Restriction (con’d)

• Update Blacklist by INVALID Packet
   • The next hop on the invalid route is put into the
     local blacklist, a timer starts, and a counter is
     incremented
   • The labeling process proceeds in the reverse
     direction of the route
   • When the timer expires, the suspicious host is
     released from the blacklist and routing
     information from it is accepted again
   • If the counter > threshold, the suspicious host is
     permanently put into the blacklist
RLR creates suspicion trees. If a host is the root of a
quorum of suspicion trees, it is labeled as the attacker.
   Reverse Labeling Restriction (con’d)

• Update local blacklist by other hosts’ blacklist
  • Attach local blacklist to INVALID packet
    with digital signature to prevent
    impersonation
  • Every host will count the hosts involved in
    different routes that say a specific host is
    suspicious. If the number > threshold, it will
    be permanently added into local blacklist
    and identified as an attacker.
  • Threshold can be dynamically changed or
    can be different on various hosts
   Reverse Labeling Restriction (con’d)

• Two other effects of INVALID packets
   • Establish routes to the destination host:
     when the host sends out INVALID packet
     with digital signature, every host receiving
     this packet can update its route to the
     destination host through the path it gets the
     INVALID packet.
   • Enable new sequence: When the
     destination sequence reaches its max
     number (0x7fffffff) and needs to round back
     to 0, the host sends an INVALID packet
     with current sequence = 0x7fffffff, new
     sequence = 0.
   Reverse Labeling Restriction (con’d)

• Packets from suspicious hosts
  • Route request: If the request is from suspicious
    hosts, ignore it.
  • Route reply: If the previous hop is suspicious and
    the query destination is not the previous hop, the
    reply will be ignored.
  • Route error: will be processed as usual. RERR will
    activate re-discovery, which will help to detect
    attacks on destination sequence.
  • INVALID: if the sender is suspicious, the packet
    will be processed but the blacklist will be ignored.
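The detection at the destination, the reverse labeling on INVALID packets with the counter/threshold and quorum rules, and the handling of INVALID packets from suspicious hosts, replayed on the example topology of the earlier slide. This is an added illustration, not the authors' ns2 module; the topology, the route state, the per-host keys and the HMAC standing in for the digital signature of assumption A3 are constructed assumptions.

```python
import hashlib, hmac, json
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed per-host keys standing in for the pre-distributed signature keys of
# assumption A3 (HMAC here; the scheme itself uses digital signatures).
HOSTS = ["S", "S1", "S2", "S3", "S4", "M", "D"]
KEYS = {h: hashlib.sha256(b"demo-key-" + h.encode()).digest() for h in HOSTS}
# Constructed topology of the slides' example: S-S1, S1-S3, S3-D, S1-S2, S2-M, S-S4.
LINKS = {("S", "S1"), ("S1", "S3"), ("S3", "D"), ("S1", "S2"), ("S2", "M"), ("S", "S4")}

def _sig(src, cur_seq, new_seq, blacklist):
    body = json.dumps([src, cur_seq, new_seq, sorted(blacklist)]).encode()
    return hmac.new(KEYS[src], body, hashlib.sha256).hexdigest()

def make_invalid(src, cur_seq, new_seq, blacklist):
    """INVALID(host id, current sequence, new sequence, blacklist, signature)."""
    bl = frozenset(blacklist)
    return (src, cur_seq, new_seq, bl, _sig(src, cur_seq, new_seq, bl))

def verify_invalid(pkt):
    src, cur_seq, new_seq, bl, sig = pkt
    return hmac.compare_digest(sig, _sig(src, cur_seq, new_seq, bl))

@dataclass
class Host:
    name: str
    local_seq: int = 0
    routes: dict = field(default_factory=dict)    # dest -> (dest_seq, next_hop)
    blacklist: set = field(default_factory=set)   # temporary suspects
    permanent: set = field(default_factory=set)   # identified attackers
    label_count: dict = field(default_factory=lambda: defaultdict(int))
    accusers: dict = field(default_factory=lambda: defaultdict(set))

    def on_rreq(self, dest, seq):
        """Destination-side detection: an RREQ whose sequence exceeds our own."""
        if dest != self.name or seq <= self.local_seq:
            return None
        pkt = make_invalid(self.name, self.local_seq, seq, self.blacklist | self.permanent)
        self.local_seq = seq
        return pkt

    def on_invalid(self, pkt, prev_hop, count_threshold=3, quorum=2):
        """Reverse labeling, then the quorum count over attached blacklists."""
        src, cur_seq, new_seq, attached, _ = pkt
        if not verify_invalid(pkt) or src == self.name:
            return
        route = self.routes.get(src)
        if route and route[0] > cur_seq:            # our route is newer than real: false
            bad_hop = route[1]
            self.blacklist.add(bad_hop)             # a timer would release it later
            self.label_count[bad_hop] += 1
            if self.label_count[bad_hop] > count_threshold:
                self.permanent.add(bad_hop)
        self.routes[src] = (new_seq, prev_hop)      # fresh route along the INVALID path
        if src in self.blacklist | self.permanent:
            return                                  # processed, but its blacklist ignored
        for suspect in attached - {self.name}:
            self.accusers[suspect].add(src)
            if len(self.accusers[suspect]) > quorum:
                self.permanent.add(suspect)

def flood(hosts, origin, pkt):
    """Broadcast pkt; each host handles it once and records the neighbour it came from."""
    seen, queue = {origin}, deque([origin])
    while queue:
        cur = queue.popleft()
        nbrs = {b if a == cur else a for a, b in LINKS if cur in (a, b)}
        for nb in sorted(nbrs - seen):
            seen.add(nb)
            hosts[nb].on_invalid(pkt, prev_hop=cur)
            queue.append(nb)

def run_example():
    """Replay the slides: D's real sequence is 5, M's RREP(D, 20) won the discovery."""
    hosts = {h: Host(h) for h in HOSTS}
    hosts["D"].local_seq = 5
    hosts["S3"].routes["D"] = (5, "D")           # constructed route state
    hosts["S2"].routes["D"] = (20, "M")
    hosts["S1"].routes["D"] = (20, "S2")
    hosts["S"].routes["D"] = (20, "S1")
    pkt = hosts["D"].on_rreq("D", 21)            # S re-discovered with 20 + 1 = 21
    flood(hosts, "D", pkt)                       # D emits INVALID(D, 5, 21, {}, SIGN)
    return {h: sorted(hosts[h].blacklist) for h in HOSTS}
```

`run_example()` returns the per-host blacklists of the slide's figure (S1 blames S2, S2 blames M, S blames S1, the rest stay empty); a tampered INVALID fails `verify_invalid`, which is why a malicious host cannot speak in another host's name.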
                  Simulation parameter

Simulation duration                            1000 seconds
Simulation area                                1000 * 1000 m
Number of mobile hosts                         30
Transmission range                             250 m
Pause time between the host reaching its       0 – 60 seconds
current target and moving to the next target
Maximum speed                                  5 m/s
Number of CBR connections                      25/50
Packet rate                                    2 pkt / sec
   Reverse Labeling Restriction (con’d)
           Simulation results

The following metrics are chosen:
  • Delivery ratio (evaluate effectiveness of RLR)
  • Number of normal hosts that identify the attacker
    (evaluate accuracy of RLR)
  • Number of normal hosts that are marked as
    attacker by mistake (evaluate accuracy of RLR)
  • Normalized overhead (evaluate communication
    overhead of RLR)
  • Number of packets to be signed (evaluate
    computation overhead of RLR)
      Reverse Labeling Restriction (con’d)

[Figure: delivery ratio vs. host pause time, with and without RLR, for 25
and 50 connections.]

X-axis is host pause time, which evaluates the mobility of host.
Y-axis is delivery ratio. 25 connections and 50 connections are
considered. RLR brings a 30% increase in delivery ratio. 100%
delivery is difficult to achieve due to network partition, route
discovery delay and buffer.
   Reverse Labeling Restriction (con’d)

[Figure: delivery ratio vs. number of attackers, with and without RLR, for
25 and 50 connections.]

X-axis is number of attackers. Y-axis is delivery ratio. 25
connections and 50 connections are considered. RLR brings a
20% to 30% increase in delivery ratio.
             Reverse Labeling Restriction (con’d)

                   30 hosts, 25 connections               30 hosts, 50 connections
Host pause    # of normal hosts   # of normal hosts   # of normal hosts   # of normal hosts
time (sec)    that identify       marked as           that identify       marked as
              the attacker        malicious           the attacker        malicious
0                   24                 0.22                 29                 2.2
10                  25                 0                    29                 1.4
20                  24                 0                    25                 1.1
30                  28                 0                    29                 1.1
40                  24                 0                    29                 0.6
50                  24                 0.07                 29                 1.1
60                  24                 0.07                 24                 1.0

        The accuracy of RLR when there is only one attacker in the system
          Reverse Labeling Restriction (con’d)

                   30 hosts, 25 connections               30 hosts, 50 connections
# of          # of normal hosts   # of normal hosts   # of normal hosts   # of normal hosts
attackers     that identify       marked as           that identify       marked as
              all attackers       malicious           all attackers       malicious
1                   28                 0                    29                 1.1
2                   28                 0.65                 28                 2.6
3                   25                 1                    27                 1.4
4                   21                 0.62                 25                 2.2
5                   15                 0.67                 19                 4.1

          The accuracy of RLR when there are multiple attackers
    Reverse Labeling Restriction (con’d)

[Figure: normalized overhead vs. host pause time, with and without RLR, for
25 and 50 connections.]

X-axis is host pause time, which evaluates the mobility of host.
Y-axis is normalized overhead (# of control packets / # of
delivered data packets). 25 connections and 50 connections
are considered. RLR increases the overhead slightly.
  Reverse Labeling Restriction (con’d)

[Figure: number of signed packets processed per host vs. host pause time,
for 25 and 50 connections.]

X-axis is host pause time, which evaluates the mobility of
host. Y-axis is the number of signed packets processed by
every host. 25 connections and 50 connections are
considered. RLR does not severely increase the
computation overhead of mobile hosts.
 Reverse Labeling Restriction (con’d)

[Figure: number of signed packets processed per host vs. number of
attackers, for 25 and 50 connections.]

X-axis is number of attackers. Y-axis is number of signed
packets processed by every host. 25 connections and 50
connections are considered. RLR does not severely
increase the computation overhead of mobile hosts.
            Robustness of RLR


• If the malicious host sends false INVALID
  packet
  • Because the INVALID packets are signed, it
    cannot send the packets in other hosts’ name
  • If it sends INVALID in its own name, the
    reverse labeling procedure will converge on
    the malicious host and identify the attacker.
    The normal hosts will put it into their blacklists.
             Robustness of RLR


• If the malicious host frames other innocent
  hosts by sending false Blacklist
  • If the malicious host has been identified, the
    blacklist will be ignored
  • If the malicious host has not been identified, this
    operation can only lower the threshold by one. If
    the threshold is selected properly, it will not
    impact the identification results.
           Robustness of RLR


• If the malicious host only sends false
  destination sequence about some special
  host
  • The special host will detect the attack and
    send INVALID packets.
  • Other hosts can establish new routes to the
    destination by receiving the INVALID packets.
  Securing Ad Hoc networks -- Establish trust
           relationship in open area

• Evaluate known knowledge
   • Known knowledge:
      • Interpretations of observations
      • Recommendations
   • An algorithm that evaluates trust among hosts is
     being developed
   • A host’s trustworthiness affects the trust toward
     the hosts on the route
• Prediction of the trustworthiness of a host
   • The current approach uses the result of the
     evaluation as the prediction.
  Securing Ad Hoc networks -- Establish trust
           relationship in open area
• What trust information is needed when
  adding/removing a suspicious host from the
  blacklist?
   • The trust opinion of S1 towards an entity
     S2 in a certain context R
• What characteristics of trust need to be
  included in the model?
   • Dependability: combination of competence,
     benevolence, and integrity
   • Predictability
  Securing Ad Hoc networks -- Establish trust
           relationship in open area

• What is the suitable representation of trust?
  • A random variable is used to represent trust
    so that the inherent uncertainty of deriving
    trust from behaviors can be accommodated.
• How to represent the interpretation of an
  observation?
  • A trust distribution function
                 Further Work

• Design a set of formalized criteria to evaluate
  identification algorithms
• Study more features of Ad Hoc networks and
  exploit their vulnerability
• Simulate attacks on RLR, examine its
  robustness
• Integrate with research on trust
• Methods to identify the non-attackers and
  release them from blacklist
• Mechanisms to release hosts from the
  permanent blacklist
• More information may be found at
  http://raidlab.cs.purdue.edu
• Our papers and tech reports
  W. Wang, Y. Lu, B. Bhargava, On vulnerability and protection
     of AODV, CERIAS Tech Report TR-02-18.
  B. Bhargava, Y. Zhong, Authorization based on Evidence and
     Trust, in Proceedings of Data Warehouse and Knowledge
     Management Conference (DaWak), 2002
  Y. Lu, B. Bhargava and M. Hefeeda, An Architecture for Secure
     Wireless Networking, IEEE Workshop on Reliable and
     Secure Application in Mobile Environment, 2001
  W. Wang, Y. Lu, B. Bhargava, “On vulnerability and protection
     of AODV”, in Proceedings of ICT 2003.
  W. Wang, Y. Lu, B. Bhargava, “On security study of two
     distance vector routing protocols for mobile ad hoc
     networks”, in Proceedings of PerCom 2003.
                     Selected References
•   [1] C. Perkins and E. Royer, “Ad-hoc on-demand distance vector
    routing,” in Proceedings of the 2nd IEEE Workshop on Mobile
    Computing Systems and Applications, 1999.
•   [2] C. Perkins, “Highly dynamic destination-sequenced distance-vector
    routing (DSDV) for mobile computers,” in Proceedings of SIGCOMM,
    1994.
•   [3] Z. Haas and M. Pearlman, “The zone routing protocol (ZRP) for ad
    hoc networks,” IETF Internet Draft, Version 4, July, 2002.
•   [4] T. Camp, J. Boleng, B. Williams, L. Wilcox, and W. Navidi,
    “Performance comparison of two location based routing protocols for ad
    hoc networks,” in Proceedings of the IEEE INFOCOM, 2002.
•   [5] Z. Haas, J. Halpern, and L. Li, “Gossip-based ad hoc routing,” in
    Proceedings of the IEEE INFOCOM, 2002.
•   [6] C. Perkins, E. Royer, and S. Das, “Performance comparison of two
    on-demand routing protocols for ad hoc networks,” in Proceedings of
    IEEE INFOCOM, 2000.
•   [7] S. Das and R. Sengupta, “Comparative performance evaluation of
    routing protocol for mobile, ad hoc networks,” in Proceedings of the
    Seventh IEEE International Conference on Computer Communications
    and Networks, 1998.
•   [8] L. Venkatraman and D. Agrawal, “Authentication in ad hoc
    networks,” in Proceedings of the 2nd IEEE Wireless Communications
    and Networking Conference, 2000.
•   [9] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc
    networks,” in Proceedings of ACM MobiCom, 2000.
•   [10] Z. Zhou and Z. Haas, “Secure ad hoc networks,” IEEE Networks,
    vol. 13, no. 6, pp. 24–30, 1999.
•   [11] V. Bharghavan, “Secure wireless LANs,” in Proceedings of the
    ACM Conference on Computers and Communications Security, 1994.
•   [12] P. Sinha, R. Sivakumar, and V. Bharghavan, “Enhancing ad-hoc
    routing with dynamic virtual infrastructures,” in Proceedings of IEEE
    INFOCOM, 2001.
•   [13] S. Bhargava and D. Agrawal, “Security enhancements in AODV
    protocol for wireless ad hoc networks,” in Proceedings of Vehicular
    Technology Conference, 2001.
•   [14] P. Papadimitratos and Z. Haas, “Secure routing for mobile ad hoc
    networks,” in Proceedings of SCS Communication Networks and
    Distributed Systems Modeling and Simulation Conference (CNDS),
    2002.
•   [15] P. Albers and O. Camp, “Security in ad hoc network: A general id
    architecture enhancing trust based approaches,” in Proceedings of
    International Conference on Enterprise Information Systems (ICEIS),
    2002.