collaborative attacks in wireless ad hoc networks *
DESCRIPTION
Collaborative Attacks in Wireless Ad Hoc Networks *. Prof. Bharat Bhargava Department of Computer Sciences Center for Education and Research in Information Assurance and Security (CERIAS ) Purdue University www.cs.purdue.edu/people/bb * Supported in part by NSF grant IIS 0209059, 0242840. - PowerPoint PPT PresentationTRANSCRIPT
Collaborative Attacks in Wireless Ad Hoc Networks*
Prof. Bharat Bhargava
Department of Computer Sciences Center for Education and Research in Information Assurance and Security
(CERIAS )Purdue University
www.cs.purdue.edu/people/bb
* Supported in part by NSF grant IIS 0209059, 0242840
2
Outline
Characterizing collaborative/coordinated attacks
Types of collaborative attacks Open issues Proposed solutions Conclusions and outlook
3
Collaborative Attacks
Informal definition:
“Collaborative attacks (CA) occur when more than one attacker or running process
synchronize their actions to disturb a target network”
4
Collaborative Attacks (cont’d)
Forms of collaborative attacks Multiple attacks occur when a system is
disturbed by more than one attacker Attacks in quick sequences is another way to
perpetrate CA by launching sequential disruptions in short intervals
Attacks may concentrate on a group of nodes or spread to different group of nodes just for confusing the detection/prevention system in place
Attacks may be long-lived or short-lived Attacks on routing
5
Collaborative Attacks (cont’d)
Open issues Comprehensive understanding of the
coordination among attacks and/or the collaboration among various attackers
Characterization and Modeling of CAs Intrusion Detection Systems (IDS) capable of
correlating CAs Coordinated prevention/defense mechanisms
6
Collaborative Attacks (cont’d)
From a low-level technical point of view, attacks can be categorized into: Attacks that may overshadow (cover) each
other Attacks that may diminish the effects of others Attacks that interfere with each other Attacks that may expose other attacks Attacks that may be launched in sequence Attacks that may target different areas of the
network Attacks that are just below the threshold of
detection but persist in large numbers
7
Examples of Attacks that can Collaborate
Denial-of-Messages (DoM) attacks Blackhole attacks Wormhole attacks Replication attacks Sybil attacks Rushing attacks Malicious flooding
We are investigating the interactions among these forms of attacks
Example of probablyincompatible attacks:
Wormhole attacks need fast connections, but DoM attacks reduce bandwidth!
8
Examples of Attacks that can Collaborate (cont’d)
Denial-of-Messages (DoM) attacks Malicious nodes may prevent other honest ones
from receiving broadcast messages by interfering with their radio
Blackhole attacks A node transmits a malicious broadcast informing
that it has the shortest and most current path to the destination aiming to intercept messages
Wormhole attacks An attacker records packets (or bits) at one location
in the network, tunnels them to another location, and retransmits them into the network at that location
9
Examples of Attacks that can Collaborate (cont’d)
Replication attacks Adversaries can insert additional replicated
hostile nodes into the network after obtaining some secret information from the captured nodes or by infiltration. Sybil attack is one form of replicated attacks
Sybil attacks A malicious user obtains multiple fake identities
and pretends to be multiple, distinct nodes in the system. This way the malicious nodes can control the decisions of the system, especially if the decision process involves voting or any other type of collaboration
10
Examples of Attacks that can Collaborate (cont’d)
Rushing attacks An attacker disseminates a malicious control
messages fast enough to block legitimate messages that arrive later (uses the fact that only the first message received by a node is used preventing loops)
Malicious flooding A bad node floods the network or a specific
target node with data or control messages
11
Current Proposed Solutions
Blackhole attack detection Reverse Labeling Restriction (RLR)
Wormhole Attacks: defense mechanism E2E detector and Cell-based Open Tunnel
Avoidance (COTA) Sybil Attack detection
Light-weight method based on hierarchical architecture [Yi06]
Modeling Collaborative Attacks using Causal Model
12
Blackhole attack detection: Reverse Labeling Restriction (RLR)
Every host maintains a blacklist to record suspicious hosts who gave wrong route related information
Blacklists are updated after an attack is detected The destination host will broadcast an INVALID
packet with its signature when it finds that the system is under attack on sequence. The packet carries the host’s identification, current sequence, new sequence, and its own blacklist
Every host receiving this packet will examine its route entry to the destination host. The previous host that provides the false route will be added into this host’s blacklist
13
RLR (cont’d)
During Route Rediscovery, False Destination Sequence Number Attack is Detected, S needs to find D again
Node movement breaks the path from S to M (trigger route rediscovery)
D
S S1
S2 M
S3
S4
RREQ(D, 21)
(1). S broadcasts a request that carries the old sequence + 1 = 21
(2) D receives the RREQ. Local sequence is 5, but the sequence in RREQ is 21. D detects the false destination sequence number attack.
Propagation of RREQ
Detecting false destination sequence attack by destination host during route rediscovery
14
RLR (cont’d) Correct destination sequence number is
broadcasted. Blacklist at each host in the path is determined
D
S S1
S2M
S3
S4
BL {}
BL {S2}
BL {}BL {M}
BL {S1}
BL {}
INVALID ( D, 5, 21, BL{}, Signature )
S4
BL {}
15
RLR (cont’d) Malicious site is in blacklists of multiple destination hosts
D4
D1
S3
S1
M
D3
S4
S2
D2
[M]
[M]
[M]
[M]
M attacks 4 routes (S1-D1, S2-D2, S3-D3, and S4-D4). When the first two false routes are detected, D3 and D4 add M into their blacklists. When later D3 and D4 become victim destinations, they will broadcast their blacklists, and every host will get two votes that M is malicious host
16
RLR (cont’d)Acceleration in Intruder Identification
Multiple attackers trigger more blacklists to be broadcasted by D1, D2, D3
D3
M1
S1
D1
Coordinated attacks by M1, M2, and M3
D2
M2 M3
S2 S3
17
RLR (cont’d) Update Blacklist by Broadcasted Packets
from Destinations under Attack Next hop on the false route will be put into local
blacklist, and a counter increases. The time duration that the host stays in blacklist increases exponentially to the counter value
When timer expires, the suspicious host will be released from the blacklist and routing information from it will be accepted
18
RLR: Deal With Hosts in Blacklist
Packets from hosts in blacklist Route request: If the request is from suspicious
hosts, ignore it Route reply: If the previous hop is suspicious
and the query destination is not the previous hop, the reply will be ignored
Route error: Will be processed as usual. RERR will activate re-discovery, which will help to detect attacks on destination sequence
Broadcast of INVALID packet: If the sender is suspicious, the packet will be processed but the blacklist will be ignored
19
Attacks of Malicious Hosts on RLR Attack 1: Malicious host M sends false
INVALID packet Because the INVALID packets are signed, it
cannot send the packets in other hosts’ name M sends INVALID in its own name
If the reported sequence number is greater than the real sequence number, every host ignores this attack
If the reported sequence number is less than the real sequence number, RLR will converge at the malicious host. M is included in blacklist of more hosts. M accelerated the intruder identification directing towards M
20
Attacks on RLR (cont’d)
Attack 2: Malicious host M frames other innocent hosts by sending false blacklist If the malicious host has been identified,
the blacklist will be updated If the malicious host has not been
identified, this operation can only make the threshold lower. If the threshold is selected properly, it will not impact the identification results
Combining trust can further limit the impact of this attack
21
Attacks on RLR (cont’d)
Attack 3: Malicious host M only sends false destination sequence about some special host The special host will detect the attack and send
INVALID packets Other hosts can establish new routes to the
destination by receiving the INVALID packets
22
Two Attacks in Collaboration: blackhole & replication
The RLR scheme cannot detect the two attacks working simultaneously
The malicious node M relies on the replicated neighboring nodes to avoid the blacklist
D4
D1
S3
S1
M
D3
S4
S2
D2
[M]
[M]
[M]
[M]
Replicated nodes
Regular nodes
23
Wormhole Attacks defense A pair of attackers can form a tunnel, fabricating a false scenario that a
short path between sender and receiver exists, and so packets go through a wormhole path being either compromised or dropped
In many routing protocols, mobile nodes depend on the neighbor discovery procedure to construct the local network topology
Wormhole attacks can harm some routing protocols by inducing a node to believe that a further away node is its neighbor
24
Wormhole Attacks: proposed defense mechanism
This is a preliminary mechanism to classify wormhole attacks in its various forms
It takes a more generic approach than previous work in the sense that it is end-to-end and does not rely on trust among neighbors
It assumes trust between sender and receiver only to detect wormhole attacks on a multi-hop route
Geographic information is used to detect anomalies in neighbor relation and node movements
25
Wormhole Attacks: proposed defense mechanism (cont’d)
The e2e mechanism can detect:
Closed wormhole Half open
wormhole Open wormhole
26
Wormhole Attacks: proposed defense mechanism (cont’d)
The approach requires considerable computation and storage power as periodical wormhole detection packets are transmitted and the response are used to compute nodes position, velocity etc
Because of that, an additional scheme called COTA is proposed to manage the detection information. It records and compares only a part of the <time, position> pairs
Using a suitable relaxation, COTA has the same detection capability as the end-to-end mechanism
27
Wormhole Attacks: proposed defense mechanism (cont’d)
Simulation evaluations: false positive with no attack
28
Wormhole Attacks: proposed defense mechanism (cont’d)
Simulation evaluations: false positive with attack
29
Sybil Attack Detection
A Hierarchical Architecture for Sybil Attack Detection
The Sybil attack is a harmful threat to sensor networks Sybil attack can disrupt multi-path routing
protocols by using a single node to present multiple identities for the multiple paths
Existing approaches are not oriented toward energy
30
Sybil Attack Detection: Proposed Method
Use identity certificates to defend against Sybil Use identity certificates to defend against Sybil attacksattacks
Each node is assigned some unique information by Each node is assigned some unique information by the setup serverthe setup server
The server then creates an identity certificate for The server then creates an identity certificate for each level-0 node binding this node’s identity to each level-0 node binding this node’s identity to the assigned unique informationthe assigned unique information
The group leader creates an identity certificate for its group member (level-1 node)
To securely demonstrate its identity, a node first presents its identity certificate, then it proves that it possesses the associated unique information
31
Sybil Attack Detection: System Assumption
Two types of nodes: Level-0 and level-1 nodes The distribution of level-0 nodes is roughly
uniform All nodes are preloaded with a global initial key
KI
Each node has a unique ID
Level-1 nodeLevel-0 node
32
Identity Certificate Generation for Level-0 Nodes
Each level-0 node g uses its key seed to generates N-1 key seeds. Ex. The key seed of node g for node f as
Node g generates a one-way key chain
The setup server first creates the low-level Merkle hash tree using the key chain commitment
The setup server then creates a high-level Merkle hash tree for level-0 nodes
flgK , = Kg,l + f
fgK 0,
fgK 1,
flgK ,, , …,
fgK 0,
Kg,l
33
Identity Certificate Generation for Level-0 Nodes (cont’d)
The setup server then downloads the identity certificate IDCertg and the label of the high-level Merkle tree’s root C to each level-0 node g IDCertg = <vg , AuthPathg>
Level-0 node g can create a low-level certificate for level-0 node f using the low-level Merkle hash tree : =< , AuthPathg,f>
fgIDCert fK f
g ||0,
34
An example of Two Levels of Merkle Hash Trees
C4
m1m2
m3 m4 m5 m6
C
u1u2
u3 u4 u5 u6
v1 v2 v3 v4 v5 v6 v7 v8
1||10.4K 2||2
0.4K 3||30.4K 5||5
0.4K 6||60.4K 7||7
0.4K 8||80.4K
Low-level Merkle hash tree
High-level Merkle hash tree
v4=H(C4||4)
3 1 2||u H v v
IDCertIDCert44 = < = <vv44, , AuthPathAuthPath44>>
AuthPathAuthPath44=={{vv33, u, u33, u, u22}}
2 2 14 4,0 4,0 4 2|| 2,{ ||1, , }IDCert K K m m
1 23 4,0 4,0||1|| || 2m H K K
35
Identity Certificate Generation for Level-1 Nodes
After deployment, the level-0 node g as the group leader starts the self-organization process
After the localized self-organization process, the group leader g stores its group member’s identity i and the key seed commitment Ki,0
36
Identity Verification After deployment, level-0 node g can prove
its identity to another level-0 node f on demand node g node f: <g|IDCertg| >
Indirect identity verification between the group members in the different groups Let node i and node k be neighboring nodes, but
belong to two different groups Node i can prove its identity to its group leader g Node k can prove its identity to its group leader f Group leaders g and f pass the verification
results to each other
fgIDCert
37
Secure Communication
IDCerti H(A1 , )j
iK 1,Round 0:
node i node j
IDCertj H(B1 , )ijK 1,
ijIDCert
jiIDCert
A1 H(A2 , )j
iK 2,Round 1:
B1 H(B2 , )ijK 2,
jiK 1,
ijK 1,
i
j
A2 H(A3 , )j
iK 3,Round 2:
B2 H(B3 , )ijK 3,
jiK 2,
ijK 2,
Intra-group exchanges
i and i same group In round 0, two
nodes i and j exchange their identity and identity certificates together with the hashes of their first messages
Then, they continue exchanging messages authentications with successive keys in their key chains
38
Secure Communication (cont’d)
node i node kA1 H(A2 , )
kiK 2,
Round 1:B1 H(B2 , )
ikK 2,
kiK 1,
ikK 1,
A2 H(A3 , )kiK 3,
Round 2:B2 H(B3 , )
ikK 3,
kiK 2,
ikK 2,
IDCerti H(A1 , )kiK 1,Round 0:
node i node gIDCertgigIDCert
giIDCerti
g
IDCertk H(B1 , )ikK 1,
node k node fIDCertfkfIDCert
fkIDCertk
f
IDCertg H(A1 , )kiK 1,
node g node f
fgIDCertg
IDCertf H(B1 , )ikK 1,
gfIDCertf
i
k
{
{
{
}
}
}
Inter-group exchanges
g and f group leaders
In round 0, two nodes i and k prove their identity to each other and exchange the hashes of their first messages through their group leaders
Then, they continue exchanging messages authentications with successive keys in their key chains
39
Performance Evaluation
0
20
40
60
80
100
120
140
160
0 500 1000 1500 2000 2500
Number of Sensor Nodes
Mem
ory
Usa
ge
(KB
)
HSybil-Level0
HSybil-Level1
Identity Certification Generation Tim e
0
0.5
1
1.5
2
2.5
0 20 40 60 80 100
Num ber of Nodes per Group
Tim
e (
s)
HSybil
Energy Consum ption for Identity Certificates Generation
0
10
20
30
40
50
60
0 20 40 60 80 100
Num ber of Nodes per Group
En
erg
y C
on
sum
pti
on
(m
J)
HSybil-Level0
HSybil-Level1
0
20
40
60
80
100
120
140
160
0 20 40 60 80 100
Number of Nodes per Group
Mem
ory
Usa
ge
(KB
)
HSybil-Level0
HSybil-Level1
40
Identity Certificate Generation for Level-1 Nodes (cont’d)
The group leader g first creates a low-level Merkle hash tree using the key chain commitment
The group leader g then creates a high-level Merkle hash tree for its group members
The group leader g then downloads the identity certificate IDCerti to each group member i
The group leader g downloads the low-level Merkle hash tree to each group member i
Then the group member i can create a low-level certificate for another group member j using the low-level Merkle hash tree
jiK 0,
41
Modeling Collaborative Attacks Attack graph
A general model technique used in assessing security vulnerabilities of a system and all possible sequences of exploits an intruder can take to achieve a specific goal
We are currently working on a modeling for collaborative graph attacks to identify not only sequence of exploits but also concurrent and collaborative exploits. This leads to our Causal Model
42
Causal model
Purposes: Identify all attacks events that occur during the
launch of individual and collaborative attacks
Establish a partial order (or causal relationship) among all attack events and produce a “causal attack graph”
Verify the security properties of the causal attack graph using model checking techniques.
Specifically, verify a sequence of events that lets the security checker proceeds from initial state to the goal state
43
Causal model (cont’d)
Identify the set of events that are critical to perform the attacks.
Specifically, investigate how to find a minimum set of events that, once removed, would disable the attacks
Determine whether the occurrences of some event/state transitions are based on message transmission or collaboration
Based on this, one can infer the degree of collaboration and temporal ordering in the system
44
Causal model (cont’d) A collaborative attack X can be modeled as a set of
attacks {Xi} such that Xi is the local attack launched by attacker n
Each local attack Xi is modeled by a FSM (finite state machine) and has independent state and event specifications, such as preconditions, postconditions, and state transition rules
In simple distributed attacks such as Distributed Denial-of-Service Attacks, the FSMs of each local attack can be the same. However, in sophisticated collaborative attacks, FSMs of local attacks are not necessarily homogeneous
Each local attack Xi can be formally defined as: <Sn, En, Mn, Ln>
Sn denotes a set of states in the local attack, En denotes a set of events in the local attack, Mn denotes a set of communication messages, and Ln denotes a set of local operations on Mn.
45
Causal model (cont’d)
In collaborative attacks, events in attacks occur in certain sequences. A sequence of attack events may cause more damage to the system than others
There are certain relationships among the events and we model the relationships by causal rules.
Definition of causal rules A causal rule U consists of <P, Q, A> P and Q are events A is one of the causal relationships (->, , - >)
46
Conclusions
Exciting area of research Modeling attacks in collaboration is a
very topical issue Tradeoff between accuracy and
computation inexpensiveness is critical
47
Future work
A lightweight learning toll is to be applied to enhance our current approaches
The remaining types of attacks will be addressed
Models for detecting attacks in collaboration are underway and the causal model will be evaluated in depth
General guidelines will be defined to protect ad hoc networks from potential attacks
More simulations and real life experiments
48
References (1)[BC03] P. Brutch and C. Ko, “Challenges in Intrusion Detection for Ad Hoc Networks,”
Proc. IEEE Workshop on Security and Assurance in Ad hoc Networks, Jan. 2003.
[BH83] B. Bhargava and C. Hua, “A Causal Model for Analyzing Distributed Concurrency Control Algorithms,” IEEE Transactions on Software Engineering, 1983.
[CT04] B. Culpepper, H. Tseng, “Sinkhole Intrusion Indicators in DSR MANETs,” Proc. Broadnet, 2004.
[DB05] S. Desilva and RV. Boppana, “Mitigating Malicious Control Packet Floods in Ad Hoc Networks,” Proc. IEEE Wireless Communications and Networking Conference, 2005.
[DETER] DETER: A Laboratory for Security Research, http://www.isi.edu/deter/. [Do02] J. Douceur, “The Sybil Attack,” Proc. IPTPS, Feb. 2002.[FQL06] H. Fu , S. Kawamura, and C. Li, “ Blom-based Q-composite: A Generalized
Framework of Random Key Pre-distribution Schemes for Wireless Sensor Networks,” Proc. IEEE International Conference on Intelligent Robots and Systems, Oct. 2006.
[HPJ03] Y.-C. Hu, A. Perrig and D. B. Johnson, “Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks,” Proc. INFOCOM, Apr 2003.
[HPJ03a] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols,” ACM Workshop on Wireless Security (WiSe), Sep 2003.
[HL03] Y. Huang, W. Lee, “A cooperative intrusion detection system for ad hoc networks,” Proc. SASN, 2003.
[HPJ03] Y. Hu, A. Perrig, and D. Johnson, “Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols,” Proc. ACM workshop on Wireless Security (WiSe), 2003.
49
References (2)
[La78] L. Lamport, Time clocks, and the ordering of events in a distributed, system, Communication of ACM, vol.21, pp.558-564, July 1978.
[MGLB00] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” Proc. ACM/IEEE Internatl. Conference on Mobile Computing and Networking., 2000.
[MSPR05] J. M. McCune, E. Shi, A. Perrig and M. K.Reiter, “Detection of Denial-of-Message Attacks on Sensor Network Broadcasts,” Proc. IEEE Symposium on Security and Privacy, May 2005.
[MFMG05] K. Mandalas, D. Flitzanis, G. F. Marias, and P. Georgiadis, "A Survey of Several Cooperation Enforcement Schemes for MANETs," Proc. IEEE ISSPIT2005, Symposium on "Security and Privacy in Mobile and Wireless Computing, Dec. 2005,
[NM04] K. Nadkarni and A. Mishra, "A novel intrusion detection scheme for wireless ad hoc. networks,” Proc. IEEE WCNC’04, Mar., 2004.
[PPJK+05]A. Patwardhan, J. Parker, A. Joshi, A. Karygiannis and M. Iorga. "Secure Routing and Intrusion Detection in Ad Hoc Networks," Proc. third IEEE International Conference on Pervasive Computing and Communications, Mar. 2005.
[PM03] A. Patcha and A. Mishra, “Collaborative security architecture for black hole attack prevention in mobile ad hoc networks,” Proc. Radio and Wireless Conference RAWCON, Aug. 2003.
[QSL05] L. Qian, N. Song and X. Li, “Detecting and locating wormhole attacks in wireless ad hoc networks through statistical analysis of multi-path,” IEEE Wireless Communications and Networking Conference (WCNC), Mar. 2005.
50
References (3)
[RB05] R. Oliveira and T. Braun, "A Dynamic Adaptive Acknowledgment Strategy for TCP over Multihop Wireless Networks," Proc. IEEE INFOCOM, Mar.2005.
[RB07] R. Oliveira and T. Braun, "A Smart TCP Acknowledgment Approach for Multihop Wireless Networks," IEEE Transactions on Mobile Computing, Vol. 6, No. 2, pp. 192-205, Feb. 2007.
[RFKN05] S. Ramaswamy, H. Fu, and K. Nygard, “Effect of Cooperative Black Hole Attack on Mobile Ad Hoc Networks,” Proc. ICWN, Jun. 2005.
[SBCW05] D. Sterne, et al.,”A General Cooperative Intrusion Detection Architecture for MANETs,” Proc. Third IEEE IWIA’05, Mar. 2005.
[SLDL+05] K. Sanzgiri, D. LaFlamme, B. Dahill, B. Levine, C. Shields, and E. Belding-Royer, "Authenticated Routing for Ad hoc Networks," IEEE Journal on Selected Areas in Commun., pp. 598-610, 2005.
[Yi06] J. Yin, “Poblems and Solutions for Handling Attacks in Sensor Networks,” Ph.D. thesis, University of Missouri-Rolla, Dez. 2006.
[YML02] H. Yang, X. Meng, and S. Lu, “Self-organized network-layer security in mobile ad hoc networks,” Proc. ACM Workshop on Wireless Security (WiSe), 2002.
[WBLW06]W. Wang, B. Bhargava, Y. Lu, and X. Wu, “Defending against Wormhole Attacks in Mobile Ad Hoc Networks,” WCMC, vol. 6, issue 4, pp. 483-503, Jun. 2006.