Collaborative Attacks in
Wireless Ad Hoc Networks*
Prof. Bharat Bhargava
Department of Computer Sciences
Center for Education and Research in Information Assurance and Security (CERIAS )
Purdue University
www.cs.purdue.edu/people/bb
*
Supported in part by NSF grant IIS 0209059, 0242840
Outline





Characterizing collaborative/coordinated attacks
Types of collaborative attacks
Open issues
Proposed solutions
Conclusions and outlook
2
Collaborative Attacks
Informal definition:
“Collaborative attacks (CA) occur when more than
one attacker or running process synchronize their
actions to disturb a target network”
3
Collaborative Attacks (cont’d)

Forms of collaborative attacks





Multiple attacks occur when a system is disturbed by
more than one attacker
Attacks in quick sequences is another way to
perpetrate CA by launching sequential disruptions in
short intervals
Attacks may concentrate on a group of nodes or
spread to different group of nodes just for confusing
the detection/prevention system in place
Attacks may be long-lived or short-lived
Attacks on routing
4
Collaborative Attacks (cont’d)

Open issues




Comprehensive understanding of the coordination
among attacks and/or the collaboration among various
attackers
Characterization and Modeling of CAs
Intrusion Detection Systems (IDS) capable of
correlating CAs
Coordinated prevention/defense mechanisms
5
Collaborative Attacks (cont’d)

From a low-level technical point of view, attacks
can be categorized into:







Attacks that may overshadow (cover) each other
Attacks that may diminish the effects of others
Attacks that interfere with each other
Attacks that may expose other attacks
Attacks that may be launched in sequence
Attacks that may target different areas of the network
Attacks that are just below the threshold of detection
but persist in large numbers
6
Examples of Attacks that can Collaborate







Denial-of-Messages (DoM) attacks
Blackhole attacks
We are investigating the
Wormhole attacks
interactions among these
forms of attacks
Replication attacks
Sybil attacks
Rushing attacks
Example of probably
Malicious flooding
incompatible attacks:
Wormhole attacks need fast
connections, but DoM attacks
reduce bandwidth!
7
Examples of Attacks that can Collaborate
(cont’d)

Denial-of-Messages (DoM) attacks


Blackhole attacks


Malicious nodes may prevent other honest ones from
receiving broadcast messages by interfering with their
radio
A node transmits a malicious broadcast informing that
it has the shortest and most current path to the
destination aiming to intercept messages
Wormhole attacks

An attacker records packets (or bits) at one location in
the network, tunnels them to another location, and
retransmits them into the network at that location
8
Examples of Attacks that can Collaborate
(cont’d)

Replication attacks


Adversaries can insert additional replicated hostile
nodes into the network after obtaining some secret
information from the captured nodes or by infiltration.
Sybil attack is one form of replicated attacks
Sybil attacks

A malicious user obtains multiple fake identities and
pretends to be multiple, distinct nodes in the system.
This way the malicious nodes can control the decisions
of the system, especially if the decision process
involves voting or any other type of collaboration
9
Examples of Attacks that can Collaborate
(cont’d)

Rushing attacks


An attacker disseminates a malicious control messages
fast enough to block legitimate messages that arrive
later (uses the fact that only the first message
received by a node is used preventing loops)
Malicious flooding

A bad node floods the network or a specific target
node with data or control messages
10
Current Proposed Solutions

Blackhole attack detection


Wormhole Attacks: defense mechanism


E2E detector and Cell-based Open Tunnel Avoidance
(COTA)
Sybil Attack detection


Reverse Labeling Restriction (RLR)
Light-weight method
architecture [Yi06]
based
on
hierarchical
Modeling Collaborative Attacks using Causal
Model
11
Blackhole attack detection: Reverse
Labeling Restriction (RLR)




Every host maintains a blacklist to record suspicious hosts
who gave wrong route related information
Blacklists are updated after an attack is detected
The destination host will broadcast an INVALID packet
with its signature when it finds that the system is under
attack on sequence. The packet carries the host’s
identification, current sequence, new sequence, and its
own blacklist
Every host receiving this packet will examine its route
entry to the destination host. The previous host that
provides the false route will be added into this host’s
blacklist
12
RLR (cont’d)
Detecting false destination sequence attack by destination
host during route rediscovery


During Route Rediscovery, False Destination Sequence
Number Attack is Detected, S needs to find D again
Node movement breaks the path from S to M (trigger
route rediscovery)
(1). S broadcasts a
request that carries the
old sequence + 1 = 21
D
S3
RREQ(D, 21)
S
S1
S2
S4
(2) D receives the RREQ.
Local sequence is 5, but the
sequence in RREQ is 21. D
detects the false destination
sequence number attack.
M
Propagation of RREQ
13
RLR (cont’d)

Correct destination sequence number is broadcasted.
Blacklist at each host in the path is determined
BL {}
S3
D
BL {}
INVALID ( D, 5, 21,
BL{}, Signature )
S4
BL {S1}
S
S1 BL {S2}
S2
BL {M}
M
BL {}
S4
BL {}
14
RLR (cont’d)

Malicious site is in blacklists of multiple destination hosts
D1
S4
[M]
D3
[M]
S1
D2
M
[M]
S3
D4
[M]
S2
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and S4-D4). When the first two
false routes are detected, D3 and D4 add M into their blacklists. When later
D3 and D4 become victim destinations, they will broadcast their blacklists,
and every host will get two votes that M is malicious host
15
RLR (cont’d)
Acceleration in Intruder Identification
Multiple attackers trigger more blacklists to be broadcasted by D1,
D2, D3
D3
D2
D1
M2
M3
M1
S1
S2
S3
Coordinated attacks by M1, M2, and M3
16
RLR (cont’d)

Update Blacklist by Broadcasted Packets from
Destinations under Attack


Next hop on the false route will be put into local
blacklist, and a counter increases. The time duration
that the host stays in blacklist increases exponentially
to the counter value
When timer expires, the suspicious host will be
released from the blacklist and routing information
from it will be accepted
17
RLR: Deal With Hosts in Blacklist

Packets from hosts in blacklist




Route request: If the request is from suspicious hosts,
ignore it
Route reply: If the previous hop is suspicious and the
query destination is not the previous hop, the reply will
be ignored
Route error: Will be processed as usual. RERR will
activate re-discovery, which will help to detect attacks
on destination sequence
Broadcast of INVALID packet: If the sender is
suspicious, the packet will be processed but the
blacklist will be ignored
18
Attacks of Malicious Hosts on RLR

Attack 1: Malicious host M sends false INVALID
packet


Because the INVALID packets are signed, it cannot
send the packets in other hosts’ name
M sends INVALID in its own name
 If the reported sequence number is greater than the
real sequence number, every host ignores this attack
 If the reported sequence number is less than the
real sequence number, RLR will converge at the
malicious host. M is included in blacklist of more
hosts. M accelerated the intruder identification
directing towards M
19
Attacks on RLR (cont’d)

Attack 2: Malicious host M frames other innocent
hosts by sending false blacklist
 If the malicious host has been identified, the
blacklist will be updated
 If the malicious host has not been identified,
this operation can only make the threshold
lower. If the threshold is selected properly, it
will not impact the identification results
 Combining trust can further limit the impact of
this attack
20
Attacks on RLR (cont’d)

Attack 3: Malicious host M only sends false
destination sequence about some special host


The special host will detect the attack and send
INVALID packets
Other hosts can establish new routes to the destination
by receiving the INVALID packets
21
Two Attacks in Collaboration: blackhole & replication


The RLR scheme cannot detect the two attacks working
simultaneously
The malicious node M relies on the replicated
neighboring nodes to avoid the blacklist
D1
S4
[M]
D3
[M]
D2
M
[M]
S3
D4
[M]
Replicated nodes
S1
S2
Regular nodes
22
Wormhole Attacks defense



A pair of attackers can form a tunnel, fabricating
a false scenario that a short path between sender
and receiver exists, and so packets go through a
wormhole path being either compromised or
dropped
In many routing protocols, mobile nodes depend
on the neighbor discovery procedure to construct
the local network topology
Wormhole attacks can harm some routing
protocols by inducing a node to believe that a
further away node is its neighbor
23
Wormhole Attacks:
proposed defense mechanism




This is a preliminary mechanism to classify
wormhole attacks in its various forms
It takes a more generic approach than previous
work in the sense that it is end-to-end and does
not rely on trust among neighbors
It assumes trust between sender and receiver
only to detect wormhole attacks on a multi-hop
route
Geographic information is used to detect
anomalies in neighbor relation and node
movements
24
Wormhole Attacks:
proposed defense mechanism (cont’d)

The e2e mechanism
can detect:



Closed wormhole
Half open wormhole
Open wormhole
25
Wormhole Attacks:
proposed defense mechanism (cont’d)

The approach requires considerable computation
and storage power as periodical wormhole
detection packets are transmitted and the
response are used to compute nodes position,
velocity etc

Because of that, an additional scheme called
COTA is proposed to manage the detection
information. It records and compares only a part of
the <time, position> pairs

Using a suitable relaxation, COTA has the same
detection capability as the end-to-end mechanism
26
Wormhole Attacks:
proposed defense mechanism (cont’d)

Simulation evaluations: false positive with no
attack
27
Wormhole Attacks:
proposed defense mechanism (cont’d)

Simulation evaluations: false positive with attack
28
Sybil Attack Detection

A Hierarchical Architecture for Sybil Attack
Detection
The Sybil attack is a harmful threat to sensor
networks


Sybil attack can disrupt multi-path routing protocols by
using a single node to present multiple identities for
the multiple paths
Existing approaches are not oriented toward energy
29
Sybil Attack Detection: Proposed Method





Use identity certificates to defend against Sybil attacks
Each node is assigned some unique information by the
setup server
The server then creates an identity certificate for each
level-0 node binding this node’s identity to the assigned
unique information
The group leader creates an identity certificate for its
group member (level-1 node)
To securely demonstrate its identity, a node first presents
its identity certificate, then it proves that it possesses the
associated unique information
30
Sybil Attack Detection: System Assumption




Two types of nodes: Level-0 and level-1 nodes
The distribution of level-0 nodes is roughly uniform
All nodes are preloaded with a global initial key KI
Each node has a unique ID
Level-0 node
Level-1 node
31
Identity Certificate Generation for Level-0 Nodes


Each level-0 node g uses its key seed Kg,l
to
generates N-1 key seeds. Ex. The key seed of
f
node g for node f as K g ,l= Kg,l + f
Node g generates a one-way key chain
f
K g ,0


f
K g ,1
f
K g ,l
,
, …,
The setup server first creates the low-level Merkle
hash tree using the key chain
f
commitment K g ,0
The setup server then creates a high-level Merkle
hash tree for level-0 nodes
32
Identity Certificate Generation for Level-0
Nodes (cont’d)


The setup server then downloads the identity
certificate IDCertg and the label of the high-level
Merkle tree’s root C to each level-0 node g
 IDCertg = <vg , AuthPathg>
Level-0 node g can create a low-level certificate
for level-0 node f using the low-level Merkle hash
tree
f
f
IDCert
K

:
=<
g
g ,0 || f , AuthPathg,f>
33
An example of Two Levels of Merkle Hash Trees
High-level Merkle hash tree
C
u2
u1
u3
u3  H  v1 || v2 
IDCert4 = <v4, AuthPath4>
AuthPath4={v3, u3, u2}
v1
u4
v2
v3
IDCert  K
2
4,0
|| 2,{K
m3  H  K
1
4,0
1
4,0
||1|| K
|| 2 
v5
v6
v7
v8
C4
m2
m1
||1, m4 , m2 } 
2
4,0
v4
u6
v4=H(C4||4)
Low-level Merkle hash tree
2
4
u5
m3
K 41.0 || 1 K 42.0 || 2
m4
m5
m6
K 43.0 || 3 K 45.0 || 5 K 46.0 || 6 K 47.0 || 7 K 48.0 || 8
34
Identity Certificate Generation for Level-1 Nodes


After deployment, the level-0 node g as the group
leader starts the self-organization process
After the localized self-organization process, the
group leader g stores its group member’s identity
i and the key seed commitment Ki,0
35
Identity Verification

After deployment, level-0 node g can prove its
identity to another level-0 node f on demand


node g  node f: <g|IDCertg| IDCert gf >
Indirect identity verification between the group
members in the different groups




Let node i and node k be neighboring nodes, but
belong to two different groups
Node i can prove its identity to its group leader g
Node k can prove its identity to its group leader f
Group leaders g and f pass the verification results to
each other
36
Secure Communication
Intra-group exchanges
 i and i  same group
 In round 0, two nodes i
and j exchange their
identity and identity
certificates together
with the hashes of their
first messages
 Then, they continue
exchanging messages
authentications with
successive keys in their
key chains
node i
i IDCerti
Round 0:
j IDCertj
Round 1:
node j
IDCert ij
H(A1 , K i ,j1 )
IDCert ij
H(B1 , K ij ,1 )
A1 K i,j1
H(A2 , K i,j2 )
i
B1 K j ,1 H(B2 , K ij ,2 )
Round 2:
A2 K i,j2
H(A3 , K i ,j3 )
i
B2 K j ,2 H(B3 , K ij ,3 )
37
Secure Communication (cont’d)
Inter-group exchanges
 g and f  group leaders
 In round 0, two nodes i
and k prove their
identity to each other
and exchange the
hashes of their first
messages through their
group leaders
 Then, they continue
exchanging messages
authentications with
successive keys in their
key chains
IDCert ig H(A1 , K ik,1 )
IDCerti
i
Round 0:
node i
{
}
node g
i
g IDCertg IDCert g
i
k IDCertk IDCert kf H(B1 , K k ,1 )
{
node k
{
node g
node i
Round 1:
f IDCertf
}
node f
IDCert kf
g IDCertg
IDCert gf
H(A1 , K ik,1 ) i
IDCertf
IDCert gf
H(B1 , K ki ,1 ) k
f
A1
K ik,1
H(A2 , K ik,2 )
}
node f
node k
B1 K ki ,1 H(B2 , K ki ,2 )
Round 2:
A2
K ik, 2
H(A3 , K ik,3 )
i
B2 K k ,2 H(B3 , K ki ,3 )
38
160
160
140
140
120
Memory Usage (KB)
Memory Usage (KB)
Performance Evaluation
HSybil-Level0
100
HSybil-Level1
80
60
40
20
120
HSybil-Level0
100
HSybil-Level1
80
60
40
20
0
0
0
20
40
60
80
100
0
500
Num ber of Nodes per Group
Time (s)
Energy Consumption
(mJ)
HSybil
1.5
1
0.5
0
20
40
60
80
Num ber of Nodes per Group
2000
2500
Energy Consum ption for Identity Certificates
Generation
60
2.5
0
1500
Num ber of Sensor Nodes
Identity Certification Generation Tim e
2
1000
100
HSybil-Level0
50
HSybil-Level1
40
30
20
10
0
0
20
40
60
80
100
Num ber of Nodes per Group
39
Identity Certificate Generation for Level-1
Nodes (cont’d)





The group leader g first creates a low-level Merkle
hash tree using the key chain commitment
K i ,j0
The group leader g then creates a high-level Merkle
hash tree for its group members
The group leader g then downloads the identity
certificate IDCerti to each group member i
The group leader g downloads the low-level Merkle
hash tree to each group member i
Then the group member i can create a low-level
certificate for another group member j using the lowlevel Merkle hash tree
40
Modeling Collaborative Attacks

Attack graph


A general model technique used in assessing
security vulnerabilities of a system and all
possible sequences of exploits an intruder
can take to achieve a specific goal
We are currently working on a modeling for
collaborative graph attacks to identify
not only sequence of exploits but also
concurrent and collaborative exploits. This
leads to our Causal Model
41
Causal model
Purposes:
 Identify all attacks events that occur during the launch
of individual and collaborative attacks


Establish a partial order (or causal relationship) among
all attack events and produce a “causal attack graph”
Verify the security properties of the causal attack graph
using model checking techniques.

Specifically, verify a sequence of events that lets the security
checker proceeds from initial state to the goal state
42
Causal model (cont’d)

Identify the set of events that are critical to perform the
attacks.


Specifically, investigate how to find a minimum set of events
that, once removed, would disable the attacks
Determine whether the occurrences of some event/state
transitions are based on message transmission or
collaboration

Based on this, one can infer the degree of collaboration and
temporal ordering in the system
43
Causal model (cont’d)




A collaborative attack X can be modeled as a set of attacks
{Xi} such that Xi is the local attack launched by attacker n
Each local attack Xi is modeled by a FSM (finite state
machine) and has independent state and event
specifications, such as preconditions, postconditions, and
state transition rules
In simple distributed attacks such as Distributed Denial-ofService Attacks, the FSMs of each local attack can be the
same. However, in sophisticated collaborative attacks, FSMs
of local attacks are not necessarily homogeneous
Each local attack Xi can be formally defined as:
<Sn, En, Mn, Ln>

Sn denotes a set of states in the local attack, En denotes a set of events
in the local attack, Mn denotes a set of communication messages, and Ln
denotes a set of local operations on Mn.
44
Causal model (cont’d)



In collaborative attacks, events in attacks occur in
certain sequences. A sequence of attack events may
cause more damage to the system than others
There are certain relationships among the events and
we model the relationships by causal rules.
Definition of causal rules




A causal rule U consists of
<P, Q, A>
P and Q are events
A is one of the causal relationships (->, , - >)
45
Conclusions



Exciting area of research
Modeling attacks in collaboration is a very
topical issue
Tradeoff
between
accuracy
and
computation inexpensiveness is critical
46
Future work





A lightweight learning toll is to be applied to
enhance our current approaches
The remaining types of attacks will be addressed
Models for detecting attacks in collaboration are
underway and the causal model will be evaluated
in depth
General guidelines will be defined to protect ad
hoc networks from potential attacks
More simulations and real life experiments
47
References (1)
[BC03]
P. Brutch and C. Ko, “Challenges in Intrusion Detection for Ad Hoc Networks,” Proc.
IEEE Workshop on Security and Assurance in Ad hoc Networks, Jan. 2003.
[BH83]
B. Bhargava and C. Hua, “A Causal Model for Analyzing Distributed Concurrency
Control Algorithms,” IEEE Transactions on Software Engineering, 1983.
[CT04]
B. Culpepper, H. Tseng, “Sinkhole Intrusion Indicators in DSR MANETs,” Proc.
Broadnet, 2004.
[DB05]
S. Desilva and RV. Boppana, “Mitigating Malicious Control Packet Floods in Ad Hoc
Networks,” Proc. IEEE Wireless Communications and Networking Conference, 2005.
[DETER] DETER: A Laboratory for Security Research, http://www.isi.edu/deter/.
[Do02]
J. Douceur, “The Sybil Attack,” Proc. IPTPS, Feb. 2002.
[FQL06] H. Fu , S. Kawamura, and C. Li, “ Blom-based Q-composite: A Generalized
Framework of Random Key Pre-distribution Schemes for Wireless Sensor Networks,”
Proc. IEEE International Conference on Intelligent Robots and Systems, Oct. 2006.
[HPJ03] Y.-C. Hu, A. Perrig and D. B. Johnson, “Packet Leashes: A Defense against
Wormhole Attacks in Wireless Ad Hoc Networks,” Proc. INFOCOM, Apr 2003.
[HPJ03a] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Rushing Attacks and Defense in Wireless Ad
Hoc Network Routing Protocols,” ACM Workshop on Wireless Security (WiSe), Sep
2003.
[HL03]
Y. Huang, W. Lee, “A cooperative intrusion detection system for ad hoc networks,”
Proc. SASN, 2003.
[HPJ03] Y. Hu, A. Perrig, and D. Johnson, “Rushing Attacks and Defense in Wireless Ad Hoc
Network Routing Protocols,” Proc. ACM workshop on Wireless Security (WiSe),
2003.
48
References (2)
[La78]
L. Lamport, Time clocks, and the ordering of events in a distributed, system,
Communication of ACM, vol.21, pp.558-564, July 1978.
[MGLB00] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile
ad hoc networks,” Proc. ACM/IEEE Internatl. Conference on Mobile Computing and
Networking., 2000.
[MSPR05] J. M. McCune, E. Shi, A. Perrig and M. K.Reiter, “Detection of Denial-of-Message
Attacks on Sensor Network Broadcasts,” Proc. IEEE Symposium on Security and
Privacy, May 2005.
[MFMG05] K. Mandalas, D. Flitzanis, G. F. Marias, and P. Georgiadis, "A Survey of Several
Cooperation Enforcement Schemes for MANETs," Proc. IEEE ISSPIT2005,
Symposium on "Security and Privacy in Mobile and Wireless Computing, Dec. 2005,
[NM04] K. Nadkarni and A. Mishra, "A novel intrusion detection scheme for wireless ad hoc.
networks,” Proc. IEEE WCNC’04, Mar., 2004.
[PPJK+05] A. Patwardhan, J. Parker, A. Joshi, A. Karygiannis and M. Iorga. "Secure Routing
and Intrusion Detection in Ad Hoc Networks," Proc. third IEEE International
Conference on Pervasive Computing and Communications, Mar. 2005.
[PM03]
A. Patcha and A. Mishra, “Collaborative security architecture for black hole attack
prevention in mobile ad hoc networks,” Proc. Radio and Wireless Conference
RAWCON, Aug. 2003.
[QSL05] L. Qian, N. Song and X. Li, “Detecting and locating wormhole attacks in wireless
ad hoc networks through statistical analysis of multi-path,” IEEE Wireless
Communications and Networking Conference (WCNC), Mar. 2005.
49
References (3)
[RB05]
R. Oliveira and T. Braun, "A Dynamic Adaptive Acknowledgment Strategy for TCP
over Multihop Wireless Networks," Proc. IEEE INFOCOM, Mar.2005.
[RB07]
R. Oliveira and T. Braun, "A Smart TCP Acknowledgment Approach for Multihop
Wireless Networks," IEEE Transactions on Mobile Computing, Vol. 6, No. 2, pp.
192-205, Feb. 2007.
[RFKN05] S. Ramaswamy, H. Fu, and K. Nygard, “Effect of Cooperative Black Hole Attack on
Mobile Ad Hoc Networks,” Proc. ICWN, Jun. 2005.
[SBCW05] D. Sterne, et al.,”A General Cooperative Intrusion Detection Architecture for
MANETs,” Proc. Third IEEE IWIA’05, Mar. 2005.
[SLDL+05] K. Sanzgiri, D. LaFlamme, B. Dahill, B. Levine, C. Shields, and E. Belding-Royer,
"Authenticated Routing for Ad hoc Networks," IEEE Journal on Selected Areas in
Commun., pp. 598-610, 2005.
[Yi06]
J. Yin, “Poblems and Solutions for Handling Attacks in Sensor Networks,” Ph.D.
thesis, University of Missouri-Rolla, Dez. 2006.
[YML02]
H. Yang, X. Meng, and S. Lu, “Self-organized network-layer security in mobile ad
hoc networks,” Proc. ACM Workshop on Wireless Security (WiSe), 2002.
[WBLW06] W. Wang, B. Bhargava, Y. Lu, and X. Wu, “Defending against Wormhole Attacks in
Mobile Ad Hoc Networks,” WCMC, vol. 6, issue 4, pp. 483-503, Jun. 2006.
50