12. Detecting Service Violations in Internet and Mobile Ad Hoc Networks Bharat Bhargava CERIAS Security Center CWSA Wireless Center Department of CS and ECE Purdue University bb@cs.purdue.edu Supported by NSF IIS 0209059, NSF IIS 0242840 , NSF CNS 0219110, CISCO, Motorola, IBM 1 Research Team • Faculty Collaborators – Dongyan Xu, Middleware and privacy – Mike Zoltowski, Smart antennas, wireless security – Sonia Fahmy, Internet security • Postdoc – – – – • Lezsek Lilien, Privacy and vulnerability Xiaoxin Wu, Wireless security Jun Wen, QoS Mamata Jenamani, Privacy Ph.D. students – – – – – Ahsan Habib, Internet Security Mohamed Hefeeda, Peer-to-Peer networking Yi Lu, Wireless security and congestion control Yuhui Zhong, Trust management and fraud Weichao Wang, Security in wireless networks More information at http://www.cs.purdue.edu/people/bb 2 Motivation • Lack of trust, privacy, security, and reliability impedes information sharing among distributed entities. • Research is required for the creation of knowledge and learning in secure networking, systems, and applications. 3 Goal • Enable the deployment of secure applications in the pervasive computing and communication environments. 4 Objective • A trustworthy, secure, and privacy preserving network platform must be established for trusted collaboration. The fundamental research problems include: – – – – – Trust management Privacy preserved collaborations Dealing with a variety of attacks in networks Intruder identification in ad hoc networks Trust-based privacy preservation for peer-to-peer data sharing 5 Applications/Broad Impacts • Guidelines for the design and deployment of security sensitive applications in the next generation networks – Data sharing for medical research and treatment – Collaboration among government agencies for homeland security – Transportation system (security check during travel, hazardous material disposal) – Collaboration among government officials, law enforcement and security personnel, and health care facilities during bio-terrorism and other emergencies 6 Scientific Contributions A. Trust formalization B. Privacy-preserving Collaborations Privacy preservation in interactions C. Detecting Service Violations in Internet Network tomography techniques for DoS attacks D. Intruder Identification in Ad Hoc Networks Intrusion detection and intruder identification E. Trust-based Privacy Preservation for Peer-to-Peer Data Sharing 7 8 A. Trust Formalization • Problem – Dynamically establish and update trust among entities in an open environment. • Research directions – Handling uncertain evidence – Modeling dynamic trust – Formalization and detection of fraud • Challenges – Uncertain information complicates the inference procedure. – Subjectivity leads to various interpretations toward the same information. – The multi-faceted and context-dependent characteristics of trust require tradeoff between representation comprehensiveness and computation simplicity of the trust model. 9 Trust Info and Metrics • Trust based on – Evidence – Credential – Interactions – Fraud potential – Privacy requirement • Measure of trust 10 Uncertain Evidence • Probability-based approach to evaluate the uncertainty of a logic expression given a set of uncertain evidence – Atomic formula: Bayes network + causal inference + conditional probability interpretation of opinion – AND/OR expressions: rule defined by Jsang [Jsang'01] – Subjectivity is realized using discounting operator proposed by Shafer [Shafer'76] 11 Dynamic Trust • Trust production based on direct interaction – Identify behavior patterns and their characteristic features – Determine which pattern is the best match of an interaction sequence – Develop personalized trust production algorithms considering behavior patterns • Reputation aggregation – Global reputation vs. personalized reputation – Personalized reputation aggregation • Determine the subset of trust information useful for a specific trustor by using collaborative filters • Translate trust information into the scale of a specific trustor 12 Trust Enhanced Role Assignment (TERA) Prototype • Trust enhanced role mapping (TERM) server assigns roles to users based on – Uncertain & subjective evidence – Dynamic trust • Reputation server – Dynamic trust information repository – Evaluate reputation from trust information by using algorithms specified by TERM server Prototype and demo are available at http://www.cs.purdue.edu/homes/bb/NSFtrust/ 13 TERA Architecture RBAC enhanced application server Interactions User's behavior Assigned role Trust based on behaviors Role request Alice Reputation TERM server Trust based on behaviors Reputation server Assigned role Bob Role request Reputation TERM server Interactions TERA User's behavior RBAC enhanced application server 14 Trust Enhanced Role Mapping (TERM) Server • Evidence rewriting • Role assignment – Policy parser – Request processor & inference engine – Constraint enforcement • Policy base • Trust information management – User behavior modeling – Trust production 15 TERM Server Reputation server Trust information Application server Behaviors Reputation Trust Information Management Trust toward issuer Trust toward user/issuer Evidence Rewriting Assign role Role Assignment user Request role Evidence statement Evidence statement Role-assignment Policy Policy Base TERM Credential Manager Role-assignment policies Credentials provided / retrieved Policy maker 16 Fraud Formalization and Detection • Model fraud intention – Uncovered deceiving intention – Trapping intention – Illusive intention • Fraud detection – Profile-based anomaly detection • Monitor suspicious actions based upon the established patterns of an entity – State transition analysis • Build an automaton to identify activities that lead towards a fraudulent state 17 Model Fraud Intentions • Uncovered deceiving intention – Satisfaction ratings are stably low. – Ratings vary in a small range over time. 18 Model Fraud Intentions • Trapping intention – Rating sequence can be divided into two phases: preparing and trapping. – A swindler behaves well to achieve a trustworthy image before he conducts frauds. 19 Model Fraud Intentions • Illusive intention – A smart swindler attempts to cover the bad effects by intentionally doing something good after misbehaviors. – Process of preparing and trapping is repeated. 20 21 B. Privacy-Preserving Collaborations • Problem – Preserve privacy, gain trust, and control dissemination of data • Privacy based on – Approximate location – Approximate version of information – Any cast • Determine the degree of data privacy – Size of anonymity set metrics – Entropy-based metrics • Tradeoff between privacy and trust 22 23 C. Detecting Service Violations in Internet • Problem statement Detecting service violation in networks is the procedure of identifying the misbehaviors of users or operations that do not adhere to network protocols. 24 Topology Used (Internet) Victim, V A3 uses reflector H3 to attack V H5 A1 spoofs H5’s address to attack V 25 Detecting DoS Attacks in Internet *SPIE: Source Path Isolation Engine 26 • Research Directions – Observe misbehavior flows through service level agreement (SLA) violation detection – Core-based loss – Stripe based probing – Overlay based monitoring 27 Approach • Develop low overhead and scalable monitoring techniques to detect service violations, bandwidth theft, and attacks. The monitor alerts against possible DoS attacks in early stage • Policy enforcement and controlling the suspected flows are needed to maintain confidence in the security and QoS of networks 28 Methods • Network tomography – Stripe based probing is used to infer individual link loss from edge-to-edge measurements – Overlay network is used to identify congested links by measuring loss of edge-to-edge paths • Transport layer flow characteristics are used to protect critical packets of a flow • Edge-to-edge mechanism is used to detect and control unresponsive flows 29 Monitoring Network Domains • Idea: – Excessive traffic changes internal characteristics inside a domain (high delay & loss, low throughput) – Monitor network domain for unusual patterns – If traffic is aggregating towards a domain (same IP prefix), probably an attack is coming • Measure delay, link loss, and throughput achieved by user inside a network domain Monitoring by periodic polling or deploying agents in high speed core routers put non-trivial overhead on them 30 Core-assisted loss measurements • Core reports to the monitor whenever packet drop exceeds a local threshold • Monitor computes the total drop for time interval t • If the total drop exceeds a global threshold a. The monitor sends a query to all edge routers requesting their current rates b. The monitor computes total incoming rate from all edge c. The monitor computes the loss ratio as the ratio of the dropped packets and the total incoming rate d. If the loss ratio exceeds the SLA loss ratio, a possible SLA violation is reported 31 Stripe Unicast Probing [Duffield et al., INFOCOM ’01] • Back-to-back packets experience similar congestion in a queue with a high probability • Receiver observes the probes to correlate them for loss inference • Infer internal characteristics using topology • For general tree? Send stripe from root to every order-pair of leaves • Develop stripe-based monitoring by extending loss inference for multiple drop precedence 32 Inferring Loss • Calculate how many packets are received by the two receivers. Transmission probability Ak ZR1 ZR2 Ak = ZR1 U R2 where Zi binary variable which takes 1 when all packets reached their destination and 0 otherwise • Loss is 1 - Ak • For general tree, send stripe from root to every order-pair of leaves. Overlay-based Monitoring • Problem statement – • Given topology of a network domain, identify which links are congested Solutions: Simple and Advanced methods 1. Monitor the network for link delay 2. If delayi > Thresholdidelay for path i, then probe the network for loss 3. If lossj > Thresholdjloss for any link j, then probe the network for throughput 4. If BWk > ThresholdkBW, flow k is violating service agreements by taking excess resources. Upon detection, we control the flows. 34 Probing: Simple Method Congested link (a) Topology (b) Overlay (c) internal links • Each peer probes both of its neighbors • Detect congested link in both directions 35 An Example • Perform one round peer-to-peer probing in counter-clockwise direction • Each boolean variable Xij represents the congestion status of link i j • For each probe P, we have an equation Pi,j = Xi,k+ … + Xl,j 36 Experiments: Evaluation methodology • Simulation using ns-2 • Two topologies – C-C links, 20 Mbps – E-C links, 10 Mbps • Parameters – Number of flows order of thousands – Change life time of flows – Simulate attacks by varying traffic intensities and injecting traffic from multiple entry points • Output Parameters – delay, loss ratio, throughput Congested link Topology 1 37 Loss Ratio Loss Ratio Identified Congested Links Time (sec) (a) Counter clockwise probing Time (sec) (b) Clockwise probing Probe46 in graph (a) and Probe76 in graph (b) observe high losses, which means link C4 E6 is congested. 38 False Positive (theoretical analysis) • The simple method does not correctly label all links • The unsolved “good” links are considered bad hence false positive happens 39 • Need to refine the solution Advanced Method • Example: if 100 links in the network and 20 of them are congested and 80 are “good”. The basic probing method can identify 15 congestion links and 70 good links. The other 15 are labeled as “unknown”. If all unknown links are treated as congested, 10 good link will be falsely labeled as congested. When the false positive is too high, the available paths that can be chosen by the routers are restricted, thus network performance is impacted. 40 Analyzing Simple Method • Lemma 1. If P and P’ are probe paths in the first and the second round of probing respectively, |P P’ | ≤ 1 • Theorem 1. If only one probe path P is shown to be congested in any round of probing, the simple method successfully identifies status of each link in P • Performs better if edge-to-edge paths are congested • The average length of the probe paths in the Simple method is ≤ 4 41 Theorem 2. Let p be the probability of a link being congested in any arbitrary overlay network. The simple method determines the status of any link of the topology with probability at least 2(1p)4-(1-p)7+p(1-p)12 Detection Probability Performance: Simple Method Frac of actual congested links 42 Advanced Method AdvancedMethod() begin Conduct Simple Method. E is the unsolved equation set for Each undecided variable Xij of E do node1 = FindNode(Tree T, vi, IN) node2 = FindNode(Tree T, vj , OUT) if node1 ≠ NULL AND node2 ≠ NULL then Probe(node1, node2). Update equation set E end if Stop if no more probe exists endfor end 43 Loss Ratio Identifying Links: Advanced Method Time (sec) Link E2 C2, C1 C3, C3 C4, and C4 E6 are congested. Simple method identifies all except E2 C2. Advanced method finds probe 44 E5E1 to identify status of E2 C2. Analyzing Advanced Method • Lemma 2. For an arbitrary overlay network with n n(3n 2) edge routers, on the average a link lies on b = 8 log n edge-to-edge paths • Lemma 3. For an arbitrary overlay network with n edge routers, the average length of all edge-to3n edge paths is d = 2 log n • Theorem 3. Let p be the probability of a link being congested. The advanced method can detect the status of a link with probability at least (1(1-(1-p)d)b) 45 • Graph shows lower and upper bounds • When congestion is ≤ 20%, links are identified with O(n) probes with probability ≥ 0.98 • Does not help if ≥ 60% links are congested Detection Probability Bounds on Advanced Method Frac of actual congested links Advanced method uses output of simple method and topology to find a probe that can be used to identify status of an unsolved link in simple method 46 % of traffic Experiments: Delay Measurements Delay (ms) Cumulative distribution function (cdf) • Attack changes delay pattern in a network domain • We need to know the delay pattern when there is not attack 47 Loss Ratio Loss Ratio Experiments: Loss measurements Time (sec) (a) Core-assisted Time (sec) (b) Stripe-based Core-based measurement is more precise than stripe-based, however, it has high overhead 48 Loss Ratio Delay (ms) Attack Scenarios Time (sec) Time (sec) (a) Changing delay pattern due to attack (b) Changing loss pattern due to attack • Attack 1 violates SLA and causes 15-30% of packet loss • Attack 2 causes more than 35% of packet loss 49 Detecting DoS Attacks • If many flows aggregate towards a downstream domain, it might be a DoS attack on the domain • Analyze flows at exit routers of the congested links to identify misbehaving flows • Activate filters to control the suspected flows • Flow association with ingress routers – Egress routers can backtrack paths, and confirm entry points of suspected flows 50 Processing overhead (CPU cycle) Communication overhead in KB Overhead comparison Percentage of misbehaving flow Percentage of misbehaving flow (a) Processing overhead (b) Communication overhead • Core has relative low processing overhead • Overlay scheme has an edge over other two schemes 51 Observations • Stripe-based Monitoring – Stripe-based probing can monitor DiffServ networks only from the edges – It takes 10 sec to converge the inferred loss ratio to actual loss ratio with ≥ 90% accuracy – 10-15 delay probes and 20-25 loss probes per second are sufficient for monitoring – Probe is a 3-packet stripe • 3 shows good correlation, 4 does not add much 52 Observations (Cont’d) • Overlay-based Monitoring – Congestion status of individual links can be inferred from edge-to-edge measurements – When the network is ≤ 20% congested • Status of a link is identified with probability ≥ 0.98 • Requires O(n) probes, where n is the number of edge routers – Worst case is O(n2), whereas stripe-based requires O(n3) probes to achieve same functionality 53 Observations (Cont’d) • Analyze existing techniques to defeat DoS attacks – Marking has less overhead than Filtering, however, it is only a forensic method – Monitoring might have less processing overhead than marking or filtering, however, monitoring injects packets and others do not – Monitoring can alert against DoS attacks in early stage 54 Observations (Cont’d) • Traffic Conditioner – Using small state table, we can design scalable traffic conditioner – It can protect critical packets of a flow to improve application QoS (delay, throughput, response time, …) – Both Round trip time (RTT) & Retransmission time-out (RTO) are necessary to avoid RTTbias among flows 55 Observations (Cont’d) • Flow Control – Network tomography is used to design edgeto-edge mechanism to detect & control unresponsive flows – QoS of adaptive flows improves significantly with flow control mechanism 56 Conclusion on Monitoring • Elegant way to use probability in inferring loss. 3packets stripe shows good correlation • Monitoring network can detect service violation and bandwidth theft using measurements • Monitoring can detect DoS attacks in early stage. Filter can be used to stop the attacks • Overlay-based monitoring requires only O(n) probing with a very high probability, where n is the number of edge routers • Overlay-based monitoring has very low communication and processing overhead • Stripe-based inference is useful to annotate a topology tree with loss, delay, and bandwidth. 57 58 D. Intruder Identification in Ad Hoc Networks • Problem Statement Intruder identification in ad hoc networks is the procedure of identifying the user or host that conducts the inappropriate, incorrect, or anomalous activities that threaten the connectivity or reliability of the networks and the authenticity of the data traffic in the networks Papers: “On Security Study of Two Distance Vector Routing Protocols for Mobile Ad Hoc Networks”, in Proceedings of IEEE International Conference on Pervasive Computing and Communications (PerCom), 2003. “On Vulnerability and Protection of Ad Hoc On-demand Distance Vector Protocol”, in Proceedings of 10th IEEE International Conference on 59 Telecommunication (ICT), 2003. Research Motivation • More than ten routing protocols for Ad Hoc networks have been proposed – Incl. AODV, DSR, DSDV, TORA, ZRP • Research focuses on performance comparison and optimizations such as multicast and multiple path detection • Research is needed on the security of Ad Hoc networks. • Applications: Battlefields, disaster recovery. 60 Research Motivation • Two kinds of attacks target Ad Hoc network – External attacks: • MAC Layer jam • Traffic analysis – Internal attacks: • Compromised host sending false routing information • Fake authentication and authorization • Traffic flooding 61 Research Motivation • Protection of Ad Hoc networks – Intrusion Prevention • Traffic encryption • Sending data through multiple paths • Authentication and authorization – Intrusion Detection • Anomaly pattern examination • Protocol analysis study 62 Research Motivation • Deficiency of intrusion prevention – increase the overhead during normal operation period of Ad Hoc networks – The restriction on power consumption and computation capability prevent the usage of complex encryption algorithms – Flat infrastructure increases the difficulty for the key management and distribution – Cannot guard against internal attacks 63 Research Motivation • Why intrusion detection itself is not enough – Detecting intrusion without isolating the malicious host leaves the protection in a passive mode – Identifying the source of the attack may accelerate the detection of other attacks 64 Research Motivation • Research problem: Intruder Identification • Research challenges: • How to locate the source of an attack ? • How to safely combine the information from multiple hosts and enable individual host to make decision by itself ? • How to achieve consistency among the conclusions of a group of hosts ? 65 • Related Work – Vulnerability model of ad hoc routing protocols [Yang et al., SASN ’03] – A generic multi layer integrated IDS structure [Zhang and Lee, MobiCom ’00] – IDS combining with trust [Albert et al., ICEIS ’02] – Information theoretic measures using entropy [Okazaki et al., SAINT ’02] – SAODV adopts both hash chain and digital signature to protect routing information [Zapata et al, WiSe’03] – Security-aware ad hoc routing [Kravets et al, MobiHOC’01] 66 Related Work in wired Networks • Secure routing / intrusion detection in wired networks • Routers have more bandwidth and CPU power • Steady network topology enables the use of static routing and default routers • Large storage and history of operations enable the system to collect enough information to extract traffic patterns • Easier to establish trust relation in the hierarchical infrastructure 67 Related Work in wired networks • Attack on RIP (Distance Vector) • False distance vector • Solution (Bellovin 89) • • • • Static routing Listen to specific IP address Default router Cannot apply in Ad Hoc networks 68 Related Work in wired networks • Attack on OSPF (Link State) • False connectivity • Attack on Sequence Number • Attack on lifetime • Solution • JiNAO:NCSU and MCNC • Encryption and digital signature 69 Related Work in Ad Hoc Networks • Lee at GaTech summarizes the difficulties in building IDS in Ad Hoc networks and raises questions: • what is a good architecture and response system? • what are the appropriated audit data sources? • what is the good model to separate normal and anomaly patterns? • Haas at Cornell lists the 2 challenges in securing Ad Hoc networks: • secure routing • key management service 70 Related Work in Ad Hoc Networks • Agrawal at University of Cincinnati presents the general security schemes for the secure routing in Ad Hoc networks • Nikander at Helsinki discusses the authentication, authorization, and accounting in Ad Hoc networks • Bhargavan at UIUC presents the method to enhance security by dynamic virtual infrastructure • Vaidya at UIUC presents the idea of securing Ad Hoc networks with directional antennas 71 Related Work ongoing projects • TIARA: Techniques for Intrusion Resistant Ad-Hoc Routing Algorithm (DARPA) • develop general design techniques • focus on DoS attack • sustain continued network operations • Secure Communication for Ad Hoc Networking (NSF) • Two main principles: • redundancy in networking topology, route discovery and maintenance • distribution of trust, quorum for trust 72 Related Work ongoing projects • On Robust and Secure Mobile Ad Hoc and Sensor Network (NSF) • local route repair • performance analysis • malicious traffic profile extraction • distributed IDs • proposed a scalable routing protocol • Adaptive Intrusion Detection System (NSF) • enable data mining approach • proactive intrusion detection • establish algorithms for auditing data 73 Evaluation Criteria • Accuracy • False coverage: Number of normal hosts that are incorrectly marked as suspected. • False exclusion: Number of malicious hosts that are not identified as such. • Overhead • Overhead measures the increases in control packets and computation costs for identifying the attackers (e.g. verifying signed packets, updating blacklists). • Workload of identifying the malicious hosts in multiple rounds 74 Evaluation Criteria - cont. • Effectiveness – Effectiveness: Increase in the performance of ad hoc networks after the malicious hosts are identified and isolated. Metrics include the increase of the packet delivery ratio, the decrease of average delay, or the decrease of normalized protocol overhead (control packets/delivered packets). • Robustness – Robustness of the algorithm: Its ability to resist different kinds of attacks. 75 Assumptions A1. Every host can be uniquely identified and its ID cannot be changed throughout the lifetime of the ad hoc network. The ID is used in the identification procedure. A2. A malicious host has total control on the time, the target and the mechanism of an attack. The malicious hosts continue attacking the network. A3. Digital signature and verification keys of the hosts have been distributed to every host. The key distribution in ad hoc networks is a tough problem and deserves further research. Several solutions have been proposed. We assume that the distribution procedure is finished, so that all hosts can examine the genuineness of the signed packets. A4. Every host has a local blacklist to record the hosts it suspects. The host has total control on adding and deleting elements from its list. For the clarity of the remainder of this paper, we call the real attacker as “malicious host”, while the hosts in blacklists are called “suspected hosts”. 76 Applying Reverse Labeling Restriction to Protect AODV • Introduction to AODV • Attacks on AODV and their impacts • Detecting False Destination Sequence Attack • Reverse Labeling Restriction Protocol • Simulation results 77 Introduction to AODV • Introduced in 97 by Perkins at NOKIA, Royer at UCSB • 12 versions of IETF draft in 4 years, 4 academic implementations, 2 simulations • Combines on-demand and distance vector • Broadcast Route Query, Unicast Route Reply • Quick adaptation to dynamic link condition and scalability to large scale network • Support multicast 78 Ideas • Monitor the sequence numbers in the route request packets to detect abnormal conditions • Apply reverse labeling restriction to identify and isolate attackers • Combine local decisions with knowledge from other hosts to achieve consistent conclusions • Combine with trust assessment methods to improve robustness 79 Security Considerations for AODV “AODV does not specify any special security measures. Route protocols, however, are prime targets for impersonation attacks. If there is danger of such attacks, AODV control messages must be protected by use of authentication techniques, such as those involving generation of unforgeable and cryptographically strong message digests or digital signatures. ” - http://www.ietf.org/internet-drafts/draft-ietf-manet-aodv-11.txt 80 Message Types in AODV • RREQ: route request • RREP: route reply • RERR: route error 81 Route Discovery in AODV (An Example) D S1 S3 S2 S4 S Route to the source Route to the destination 82 Attacks on routing in mobile ad hoc networks Attacks on routing Active attacks Routing procedure False reply Wormhole attacks Passive attacks Flood network Route request Packet silent discard Routing information hiding Route broken message 83 Attacks on AODV • Route request flooding – query non-existing host (RREQ will flood throughout the network) • False distance vector – reply “one hop to destination” to every request and select a large enough sequence number • False destination sequence number – select a large number (even beat the reply from the real destination) • Wormhole attacks – tunnel route request through wormhole and attract the data traffic to the wormhole • Coordinated attacks – The malicious hosts establish trust to frame other hosts, or conduct attacks alternatively to avoid being identified 84 Impacts of Attacks on AODV We simulate the attacks and measure their impacts on packet delivery ratios and protocol overhead No Attacks Packet Delivery Ratio 96% Control packet / data packet 0.38 Vicious Flooding 91% 2.93 False Distance 75% 0.38 False Destination Sequence 53% 0.66 Wormhole 61% 0.41 85 False Destination Sequence Attack Sequence number 5 S3 RREQ(D, 3) S RREP(D, 4) RREQ(D, 3) S4 D RREQ(D, 3) S1 RREQ(D, 3) RREP(D, 20) S2 M Packets from S to D are sinking at M. 86 During Route Rediscovery, False Destination Sequence Number Attack Is Detected, S needs to find D again. Node movement breaks the path from S to M (trigger route rediscovery). (1). S broadcasts a request that carries the old sequence + 1 = 21 D S3 RREQ(D, 21) S S1 S2 (2) D receives the RREQ. Local sequence is 5, but the sequence in RREQ is 21. D detects the false destination sequence number attack. M S4 Propagation of RREQ 87 Reverse Labeling Restriction (RLR) Blacklists are updated after an attack is detected. • Basic Ideas • Every host maintains a blacklist to record suspicious hosts who gave wrong route related information. • The destination host will broadcast an INVALID packet with its signature. The packet carries the host’s identification, current sequence, new sequence, and its own blacklist. • Every host receiving this packet will examine its route entry to the destination host. The previous host that provides the false route will be added into this host’s blacklist. 88 BL {} S3 D BL {} INVALID ( D, 5, 21, BL{}, Signature ) S4 S S1 BL {S2} BL {S1} M S2 BL {} BL {M} S4 BL {} Correct destination sequence number is broadcasted. Blacklist at each host in the path is determined. 89 D1 S4 [M] D3 [M] S1 D2 M [M] S3 D4 [M] S2 M attacks 4 routes (S1-D1, S2-D2, S3-D3, and S4-D4). When the first two false routes are detected, D3 and D4 add M into their blacklists. When later D3 and D4 become victim destinations, they will broadcast their blacklists, and every host will get two votes that M is malicious host. Malicious site is in blacklists of multiple destination hosts. 90 Combine Local Decisions with Knowledge from Other Hosts • When a host is destination of a route and is victim by any malicious host, it will broadcast its blacklist. • Each host obtains blacklists from victim hosts. • If M is in multiple blacklists, M is classified as a malicious host based on certain threshold. • Intruder is identified. • Trust values can be assigned to other hosts based on past information. 91 Acceleration in Intruder Identification D3 D2 D1 M2 M3 M1 S1 S2 S3 Coordinated attacks by M1, M2, and M3 Multiple attackers trigger more blacklists to be broadcasted by D1, D2, D3. 92 Reverse Labeling Restriction (RLR) • Update Blacklist by Broadcasted Packets from Destinations under Attack • Next hop on the false route will be put into local blacklist, and a counter increases. The time duration that the host stays in blacklist increases exponentially to the counter value. • When timer expires, the suspicious host will be released from the blacklist and routing information from it will be accepted. 93 Deal With Hosts in Blacklist • Packets from hosts in blacklist • Route request: If the request is from suspicious hosts, ignore it. • Route reply: If the previous hop is suspicious and the query destination is not the previous hop, the reply will be ignored. • Route error: Will be processed as usual. RERR will activate re-discovery, which will help to detect attacks on destination sequence. • Broadcast of INVALID packet: If the sender is suspicious, the packet will be processed but the blacklist will be ignored. 94 Attacks of Malicious Hosts on RLR • Attack 1: Malicious host M sends false INVALID packet • Because the INVALID packets are signed, it cannot send the packets in other hosts’ name • If M sends INVALID in its own name • If the reported sequence number is greater than the real sequence number, every host ignores this attack • If the reported sequence number is less than the real sequence number, RLR will converge at the malicious host. M is included in blacklist of more hosts. M accelerated the intruder identification directing towards M. 95 • Attack 2: Malicious host M frames other innocent hosts by sending false blacklist • If the malicious host has been identified, the blacklist will be ignored • If the malicious host has not been identified, this operation can only make the threshold lower. If the threshold is selected properly, it will not impact the identification results. • Combining trust can further limit the impact of this attack. 96 • Attack 3: Malicious host M only sends false destination sequence about some special host • The special host will detect the attack and send INVALID packets. • Other hosts can establish new routes to the destination by receiving the INVALID packets. 97 Experimental Studies of RLR • The experiments are conducted using ns2. • Various network scenarios are formed by varying the number of independent attackers, number of connections, and host mobility. • The examined parameters include: – Packet delivery ratio – Identification accuracy: false positive and false negative ratio – Communication and computation overhead 98 Simulation Parameter Simulation duration 1000 seconds Simulation area 1000 * 1000 m Number of mobile hosts Transmission range Pause time between the host reaches current target and moves to next target 30 250 m 0 – 60 seconds Maximum speed 5 m/s Number of CBR connection 25/50 Packet rate 2 pkt / sec 99 Experiment 1: Measure the Changes in Packet Delivery Ratio Purpose: investigate the impacts of host mobility, number of attackers, and number of connections on the performance improvement brought by RLR Input parameters: host pause time, number of independent attackers, number of connections Output parameters: packet delivery ratio Observation: When only one attacker exists in the network, RLR brings a 30% increase in the packet delivery ratio. When multiple attacker exist in the system, the delivery ratio will not recover before all attackers are identified. 100 Increase in Packet Delivery Ratio: Single Attacker X-axis is host pause time, which evaluates the mobility of host. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 30% increase in delivery ratio. 100% delivery is difficult to achieve due to network partition, route discovery delay and buffer. 101 Increase in Packet Delivery Ratio: Multiple Attackers X-axis is number of attackers. Y-axis is delivery ratio. 25 connections and 50 connections are considered. RLR brings a 20% to 30% increase in delivery ratio. 102 Experiment 2: Measure the Accuracy of Intruder Identification Purpose: investigate the impacts of host mobility, number of attackers ,and connection scenarios on the detection accuracy of RLR Input parameters: number of independent attackers, number of connections, host pause time Output parameters: false positive alarm ratio, false negative alarm ratio Observation: The increase in connections may improve the detection accuracy of RLR. When multiple attackers exist in the network, RLR has a high false positive ratio. 103 Accuracy of RLR: Single Attacker 30 hosts, 25 connections Host Pause time (sec) # of normal hosts identify the attacker # of normal hosts marked as malicious 30 hosts, 50 connections # of normal hosts identify the attacker # of normal hosts marked as malicious 0 24 0.22 29 2.2 10 25 0 29 1.4 20 24 0 25 1.1 30 28 0 29 1.1 40 24 0 29 0.6 50 24 0.07 29 1.1 60 24 0.07 24 1.0 The accuracy of RLR when there is only one attacker in the system 104 Accuracy of RLR: Multiple Attackers 30 hosts, 25 connections # of attackers # of normal hosts identify all attackers # of normal hosts marked as malicious 30 hosts, 50 connections # of normal hosts identify all attackers # of normal hosts marked as malicious 1 28 0 29 1.1 2 28 0.65 28 2.6 3 25 1 27 1.4 4 21 0.62 25 2.2 5 15 0.67 19 4.1 The accuracy of RLR when there are multiple attackers 105 Experiment 3: Measure the Communication Overhead Purpose: investigate the impacts of host mobility and connection scenarios on the overhead of RLR Input parameters: number of connections, host pause time Output parameters: control packet overhead Observation: When no false destination sequence attacks exist in the network, RLR introduces small packet overhead into the system. 106 Control Packet Overhead X-axis is host pause time, which evaluates the mobility of host. Y-axis is normalized overhead (# of control packet / # of delivered data packet). 25 connections and 50 connections are considered. RLR increases the overhead slightly. 107 Research Opportunities: Improve Robustness of RLR • Protect the good hosts from being framed by malicious hosts • The malicious hosts can frame the good hosts by putting them into blacklist. • By lowering the trust values of both complainer and complainee, we can restrict the impacts of the gossip distributed by the attackers. 108 • Avoid putting every host into blacklist • Combining the host density and movement model, we can estimate the time ratio that two hosts are neighbors • The counter for a suspicious host decreases as time passes • Adjusting the decreasing ratio to control the average percentage of time that a host stays in the blacklist of another host 109 • Defend against coordinated attacks • The behaviors of collusive attackers show Byzantine manners. The malicious hosts may establish trust to frame other hosts, or conduct attacks alternatively to avoid being identified. • Look for the effective methods to defend against such attacks. Possible research directions include: • Apply classification methods to detect the hosts that have similar behavior patterns • Study the behavior histories of the hosts that belong to the same group and detect the pattern of malicious behavior (time-based, order-based) 110 An Architecture of Intruder Identification Agent 111 • Intruder identification can be applied to detect more attacks in ad hoc networks: – DoS attacks – Malicious discard – Trust abuse and privacy violation • Reverse labeling mechanism can be applied to identify the attackers that – Disseminate false routing information – Discard data packets – Generate gossip to destroy other hosts’ reputation 112 Conclusions on Intruder Identification • False destination sequence attacks can be detected by the anomaly patterns of the sequence numbers • Reverse labeling method can reconstruct the false routing tree • Isolating the attackers brings a sharp increase in network performance • On going research will improve the robustness of the mechanism and the accuracy of identification 113 Related Ongoing Research 1) Detecting wormhole attacks 2) Position-based private routing in ad hoc networks 3) Fault tolerant authentication in movable base station systems 4) Congestion avoidance routing in ad hoc networks 114 1) Detecting Wormhole Attacks • Problem statement The malicious nodes can eavesdrop the packets, tunnel them to another location in the network, and retransmit them. This generates a false scenario that the original sender is in the neighborhood of the remote location. wireless node 1 wireless node 2 tunnel attacker 1 attacker 2 115 • Research challenges – Detect wormholes when the malicious host can be the legal member of the network – Control the overhead introduced by wormhole detection to avoid the hosts being overwhelmed 116 Classification of Wormholes • the wormholes are divided into 3 groups: – Closed – Half open – Open 117 The Approach: End-to-End Mechanism • Assumption: – The hosts have the positioning devices and loosely synchronized clocks – Pair-wise keys have been deployed • Ideas: – The source and the intermediate hosts will attach the <time, position> pairs that record the receiving and forwarding events – The attached information is protected by message authentication codes (MAC) – The neighbor relation validations are conducted by the destination 118 Validation at the Destination • The MAC codes are calculated correctly • The neighbor hosts are within the radio range when the packet is passed • The average moving speed between the <time, position> pairs from the same host does not exceed the maximum value. 119 Controlling Overhead: Cell-based Open Tunnel Avoidance • Divide the area into same-sized cells and the time into same-length slots • Require a constant storage space and linear computation operations for every intermediate host • Have a configurable wormhole detection capability 120 Computation Efficiency • The experiments are conducted on a iPAQ 3630 with 206M Hz CPU and 64M RAM • The computation overhead of wormhole detection for one 10-hop route consumes less than 0.5% of its CPU. • The computation resource of a real PDA can support wormhole detection using COTA without trouble. 121 Conclusions • The end-to-end mechanism can detect half open and open wormholes in ad hoc networks • As a position information management scheme, COTA requires constant storage space and linear computation resource for every intermediate host • The proposed mechanism can be adopted by real mobile devices 122 2) Position-based Private Routing in Ad Hoc Networks • Problem statement – To hide the identities of the nodes who are involved in routing in mobile wireless ad hoc networks. • Challenges – Traditional ad hoc routing algorithms depend on private information (e.g., ID) exposure in the network. – Privacy solutions for P2P networks are not suitable in ad hoc networks. 123 Weak Privacy for Traditional Position-based Ad Hoc Routing Algorithm • Position information of each node has to be locally broadcast periodically. • Adversaries are able to obtain node trajectory based on the position report. • Adversaries can estimate network topology. • Once a match between a node position and its real ID is found, a tracer can always stay close to this node and monitor its behavior. 124 AO2P: Ad Hoc On-Demand Position-based Private Routing • Position of destination is the information exposed in the network for routing discovery. • A receiver-contention scheme is designed to determine the next hop in a route. • Pseudo IDs are used instead of real IDs for data packet delivery after a route is built up. • Route with a smaller number of hops will be used for better end-to-end throughput. 125 AO2P Routing Privacy and Accuracy • Only the position of destination is revealed in the network for routing discovery. The privacy of the destination relies on the difficulty of matching a position to a node ID. • Node mobility enhances destination privacy because a match between a position to a node ID is temporary. • The privacy for the source and the intermediate forwarders is well preserved. • Routing accuracy relies on the fact that at a specific time, only one node can be at a position. Since the pseudo ID for a node is generated from its position and the time it is at that position, the probability that more than one node have the same pseudo ID is negligible. 126 Privacy Enhancement: R-AO2P • The position of reference point is carried in rreq instead of the position of the destination. • The reference point is on the extended line from the sender to the destination. It can be used for routing discovery because generally, a node that processes the rreq closer to the reference point will also process the rreq closer to the destination. • The position of the destination is only disclosed to the nodes who are involved in routing. Reference point in R-AO2P 127 Illustrated Results • Average delay for next hop determination 128 Illustrated Results • Packet delivery ratio 129 Conclusions • AO2P preserves node privacy in mobile ad hoc networks. • AO2P has low next hop determination delay. • Compared to other position-based ad hoc routing algorithm, AO2P has little routing performance degradation. 130 3) Fault Tolerant Authentication in Movable Base Station System • Problem – To ensure security and prevent theft of resources (like bandwidth), all the packets originating inside the network should be authenticated. – Authentication may become unreliable when base station fails or node moves from one cell to another. • Challenge – How to design fault tolerant authentication methods that are robust in the above conditions – How to design the protocols adaptable and reconfigurable 131 Proposed Schemes • We propose two schemes to solve the problem. – Virtual Home Agent – Hierarchical Authentication • They differ in the architecture and the responsibilities that the Mobile Nodes and Base Stations (Agents) hold. 132 Virtual Home Agent Scheme VHA ID = IP ADDRESS Master Home Agent (MHA) Database Server Shared Secrets Database Backup Home Agents Other nodes in the network 133 Advantages of Proposed Scheme • Has only 3 states and hence the overhead of state maintenance is negligible. • Very few tasks need to be performed in each state (outlined in the tech report). • Flexible – there could be multiple VHAs in the same LAN and a MHA could be a BHA for another VHA, a BHA could be a BHA for more than one VHA at the same time. 134 Disadvantages of Virtual HA Solution • Not scalable if every packet has to be authenticated – Ex: huge audio or video data • BHA (Backup Home Agents) are idle most of the time (they just listen to MHA’s advertisements. • Central Database is still a single point of failure. 135 Hierarchical Authentication Scheme • Multiple Home Agents in a LAN are organized in a hierarchy (like a tree data structure). • A Mobile Node shares a key with each of the Agents above it in the tree (Multiple Keys). • At any time, highest priority key is used for sending packets or obtaining any other kind of service. 136 Hierarchical Authentication Scheme A K2 Database B K1 C Database D E F G (K1, P1) (K2, P2) 137 Hierarchical Authentication Scheme Key Priority depends on several factors and computed as cumulative sum of weighted priorities of each factors: Example Factors: • Communication Delays • Processing Speed of the Agents • Key Usage • Life Time of the Key 138 4) Congestion Avoidance Routing in Ad Hoc Networks • Objective – To bring the consideration of congestion in the design of the routing protocols. • Thrust – To avoid congestion by minimizing contention for channel access. • Challenges – The global coupling effect of wireless channel access in ad hoc networks. – Quantification of congestion without exchanging messages with neighbors. 139 Intermediate Delay (IMD) • IMD is a routing metric that characterizes the impacts of channel contention, the length of the route, and the traffic load at individual nodes. • IMD estimates the delay introduced by the intermediate nodes along the route using the sum of delays from each node. 140 Ad Hoc Routing Based on IMD B B C C A A 2P/C P/C D Simplification of delay computation: 1. If channel capacity is C and packet size is P, delay is P/C. P/C 2P/C E G F 2. If n nodes are in contention for a channel, each node gets C/n share of the channel capacity. The delay is nP/C. PC P/C H P/C J I Adapt to changes in traffic and network topology 141 Delay Estimation • A mobile node is modeled as a single server queuing system. • Total delay includes the delay for transmitting a packet and the delay in the queue. • The key is to estimate the delay for transmitting a packet. – Node with active traffic • Use the mean value to estimate the delay. – Node without active traffic • Study the procedure of packet transmission to obtain the expectation of the delay. 142 IEEE 802.11 DCF (Distributed Coordination Function) E[Tsucc]=TRTS+TCTS+TDATA+TACK+3TSIFS+E[Tbackoff] E[Tfail]=TRTS+Ttimeout+E[Tbackoff] 143 SAGA: Self-Adjusting Congestion Avoidance Routing Protocol • SAGA is a distance vector routing protocol. – use IMD instead of hop count as the distance – bypass hop spots where contention is intense • Lazy route query uses special route advertisement for local route discovery. • Approach to reduce the oscillation of IMD and prevent a node from switching back and forth among alternative routes. 144 Experimental Evaluation • Objective – Study the performance of SAGA, AODV, DSR, and DSDV under congestion. • Performance metrics – Throughput, delivery ratio, protocol overhead, and end-to-end delay • Method – Simulation using the network simulator ns2 – Two types of UDP traffic: constant bit rate (CBR) and pareto on/off (POO) – The offered traffic load is taken as the input parameter – Six experiments by varying the maximum speed of movement of nodes and the number of connections – Five independent runs with random scenarios for each experiment 145 30 CBR Connections, Low Mobility (4m/s) 146 10 POO Connections, High Mobility (20m/s) 147 Other Related Ongoing Research 1. Time-based private routing in ad hoc networks 2. Trust-based Privacy Preservation for Peer-to-peer Data Sharing 148 149 E. Trust-based Privacy Preservation for Peer-toPeer Data Sharing Problem statement • Privacy in peer-to-peer systems is different from the anonymity problem • Preserve privacy of requester • A mechanism is needed to remove the association between the identity of the requester and the data needed 150 Proposed solution • A mechanism is proposed that allows the peers to acquire data through trusted proxies to preserve privacy of requester – The data request is handled through the peer’s proxies – The proxy can become a supplier later and mask the original requester 151 Related work • Trust in privacy preservation – Authorization based on evidence and trust, [Bhargava and Zhong, DaWaK’02] – Developing pervasive trust [Lilien, CGW’03] • Hiding the subject in a crowd – K-anonymity [Sweeney, UFKS’02] – Broadcast and multicast [Scarlata et al, INCP’01] 152 Related work (2) • Fixed servers and proxies – Publius [Waldman et al, USENIX’00] • Building a multi-hop path to hide the real source and destination – FreeNet [Clarke et al, IC’02] – Crowds [Reiter and Rubin, ACM TISS’98] – Onion routing [Goldschlag et al, ACM Commu.’99] 153 Related work (3) 5 • p [Sherwood et al, IEEE SSP’02] 5 p – provides sender-receiver anonymity by transmitting packets to a broadcast group • Herbivore [Goel et al, Cornell Univ Tech Report’03] – Provides provable anonymity in peer-to-peer communication systems by adopting dining cryptographer networks 154 Privacy measurement • A tuple <requester ID, data handle, data content> is defined to describe a data acquirement. • For each element, “0” means that the peer knows nothing, while “1” means that it knows everything. • A state in which the requester’s privacy is compromised can be represented as a vector <1, 1, y>, (y Є [0,1]) from which one can link the ID of the requester to the data that it is interested in. 155 Privacy measurement (2) For example, line k represents the states that the requester’s privacy is compromised. 156 Mitigating collusion • An operation “*” is defined as: c1 , c2 , c3 a1 , a2 , a3 b1 , b2 , b3 max( ai , bi ), ci 0, ai 0 and bi 0; otherwise. • This operation describes the revealed information after a collusion of two peers when each peer knows a part of the “secret”. • The number of collusions required to compromise the secret can be used to evaluate the achieved privacy 157 Trust based privacy preservation scheme • The requester asks one proxy to look up the data on its behalf. Once the supplier is located, the proxy will get the data and deliver it to the requester – Advantage: other peers, including the supplier, do not know the real requester – Disadvantage: The privacy solely depends on the trustworthiness and reliability of the proxy 158 Trust based scheme – Improvement 1 • To avoid specifying the data handle in plain text, the requester calculates the hash code and only reveals a part of it to the proxy. • The proxy sends it to possible suppliers. • Receiving the partial hash code, the supplier compares it to the hash codes of the data handles that it holds. Depending on the revealed part, multiple matches may be found. • The suppliers then construct a bloom filter based on the remaining parts of the matched hash codes and send it back. They also send back their public key certificates. 159 Trust based scheme – Improvement 1 – cont. • Examining the filters, the requester can eliminate some candidate suppliers and finds some who may have the data. • It then encrypts the full data handle and a data transfer key k Datawith the public key. • The supplier sends the data back using k Data through the proxy • Advantages: – It is difficult to infer the data handle through the partial hash code – The proxy alone cannot compromise the privacy – Through adjusting the revealed hash code, the allowable error of the bloom filter can be determined 160 Data transfer procedure after improvement 1 Requester Proxy of Requester Supplier R: requester S: supplier Step 1, 2: R sends out the partial hash code of the data handle Step 3, 4: S sends the bloom filter of the handles and the public key certificates Step 5, 6: R sends the data handle and k Data encrypted by the public key Step 7, 8: S sends the required data encrypted by k Data 161 Trust based scheme – Improvement 2 • The above scheme does not protect the privacy of the supplier • To address this problem, the supplier can respond to a request via its own proxy 162 Trust based scheme – Improvement 2 Requester Proxy of Requester Proxy of Supplier Supplier 163 Trustworthiness of peers • The trust value of a proxy is assessed based on its behaviors and other peers’ recommendations • Using Kalman filtering, the trust model can be built as a multivariate, time-varying state vector 164 Experimental platform - TERA • Trust enhanced role mapping (TERM) server assigns roles to users based on – Uncertain & subjective evidences – Dynamic trust • Reputation server – Dynamic trust information repository – Evaluate reputation from trust information by using algorithms specified by TERM server 165 Trust enhanced role assignment architecture (TERA) RBAC enhanced application server Interactions User's behavior Assigned role Trust based on behaviors Role request Alice Reputation TERM server Trust based on behaviors Reputation server Assigned role Bob Role request Reputation TERM server Interactions TERA User's behavior RBAC enhanced application server 166 Conclusion • A trust based privacy preservation method for peer-to-peer data sharing is proposed • It adopts the proxy scheme during the data acquirement • Extensions – Solid analysis and experiments on large scale networks are required – A security analysis of the proposed mechanism is required 167 • More information may be found at http://raidlab.cs.purdue.edu • Our papers and tech reports W. Wang, Y. Lu, B. Bhargava, On vulnerability and protection of AODV, CERIAS Tech Report TR-02-18. B. Bhargava, Y. Zhong, Authorization based on Evidence and Trust, in Proceedings of Data Warehouse and Knowledge Management Conference (DaWak), 2002 Y. Lu, B. Bhargava and M. Hefeeda, An Architecture for Secure Wireless Networking, IEEE Workshop on Reliable and Secure Application in Mobile Environment, 2001 W. Wang, Y. Lu, B. Bharagav, “On vulnerability and protection of AODV”, in proceedings of ICT 2003. W. Wang, Y. Lu, B. Bhargava, “On security study of two distance vector routing protocols for two mobile ad hoc networks”, in proceedings of PerCOm 2003. 168 Selected References • • • • • • • • [1] C. Perkins and E. Royer, “Ad-hoc on-demand distance vector routing,” in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications, 1999. [2] C. Perkins, “Highly dynamic destination-sequenced distancevector routing (DSDV) for mobile computers,” in Proceedings of SIGCOMM, 1994. [3] Z. Haas and M. Pearlman, “The zone routing protocol (ZRP) for ad hoc networks,” IETF Internet Draft, Version 4, July, 2002. [4] T. Camp, J. Boleng, B. Williams, L. Wilcox, and W. Navidi, “Performance comparison of two location based routing protocols for ad hoc networks,” in Proceedings of the IEEE INFOCOM, 2002. [5] Z. Haas, J. Halpern, and L. Li, “Gossip-based ad hoc routing,” in Proceedings of the IEEE INFOCOM, 2002. [6] C. Perkins, E. Royer, and S. Das, “Performance comparison of two on-demand routing protocols for ad hoc networks,” in Proceedings of IEEE INFOCOM, 2000. [7] S. Das and R. Sengupta, “Comparative performance evaluation of routing protocol for mobile, ad hoc networks,” in Proceedings of IEEE the Seventh International Conference on Computer Communications and Networks, 1998. [8] L. Venkatraman and D. Agrawal, “Authentication in ad hoc networks,” in Proceedings of the 2nd IEEE Wireless Communications and Networking Conference, 2000. 169 Selected References • • • • • • • [9] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” in Proceedings of ACM MobiCom, 2000. [10] Z. Zhou and Z. Haas, “Secure ad hoc networks,” IEEE Networks, vol. 13, no. 6, pp. 24–30, 1999. [11] V. Bharghavan, “Secure wireless LANs,” in Proceedings of the ACM Conference on Computers and Communications Security, 1994. [12] P. Sinha, R. Sivakumar, and V. Bharghavan, “Enhancing ad-hoc routing with dynamic virtual infrastructures.,” in Proceedings of IEEE INFOCOM, 2001. [13] S. Bhargava and D. Agrawal, “Security enhancements in AODV protocol for wireless ad hoc networks,” in Proceedings of Vehicular Technology Conference, 2001. [14] P. Papadimitratos and Z. Haas, “Secure routing for mobile ad hoc networks,” in Proceedings of SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS), 2002. [15] P. Albers and O. Camp, “Security in ad hoc network: A general id architecture enhancing trust based approaches,” in Proceedings of International Conference on Enterprise Information Systems (ICEIS), 2002. 170 171