Detecting Spoofing and Anomalous Traffic in Wireless Networks via Forge-Resistant

Relationships

Qing Li and Wade TrappeIEEE Transactions on Information Forensics and Security, VOL. 2, No. 4, December 2007

Presented by: Ryan Yandle

Outline

Spoofing ORBIT Family 1 – Relationships via Auxiliary Fields

Method A – Sequence Number Method B – One-way chains

Family 2 – Relationships via Intrinsic Properties Method A – Interarrival time Method B – Joint Background Traffic and Interarrival time

Analysis Multilevel Classification Conclusion

What is Spoofing?

The practice of impersonating another entity in order to subvert security.

Spoofing allows the attacker to remain anonymous and undetected in the network.

More Specifically

This paper refers to MAC address spoofing. The attacker tries to gain access to the

WLAN by cloning the MAC address of a legitimate user.

What are Forge-Resistant Relationships?

Rules that govern the relationship between two distinct entities

These rules define the relationship such that another entity (attacker) trying to forge the relationship would be caught

Paper’s focus is to detect spoofing by creating these unique relationships

The ORBIT Wireless Test Bed

Composed of a 2d grid of wireless nodes

Jointly run by several schools in the NY/NJ area

Test Bed Setup

A – Legitimate Sender

B – Attacker

X – Monitor

Strategy Overview

Consider that the legitimate sender has a unique identity

Associated with their identity will be a particular sequence of packets

From these packets we may we may observe states

More Strategery…

A Relationship Consistency Check (RCC) is a binary rule that returns 1 if the states obey the rule R with respect to each other.

But…

Simply using a relationship R and checking the corresponding RCC at the monitoring device is not going to provide reliable security

We need to add forgeability requirements to the relationship

Thus, a RRCC (forge-resistant RCC) is needed

Definition of RRCC

A ε-forge-resistant relationship R is a rule governing the relationship between a set of states from a particular identity, for which there is a small probability of another device being able to forge a set of states such that a monitoring device would evaluate the corresponding RCC as 1.

More…

We will view the output of an RRCC as the result of deciding between two different hypotheses. H0 – the null hypothesis that corresponds to non-

suspicious activity H1 – the alternate hypothesis that corresponds to

anomalous behavior

Quantifying Effectiveness

We will use several measures to quantify the effectiveness of R. The probability of a false alarm

PFA = Pr(H1;H0) Probability that we will decide a set of states is

suspicious when it was really legitimate The probability of a missed detection

PMD = Pr(H0;H1) Probability of deciding that a set of states are

legitimate when they were not

Quantifying Effectiveness Cont.

The probability of detection PD = 1 – PMD

Other Symbols: ε = PMD

δ = PFA

Therefore, we can define an RRCC by (ε,δ)

Two Proposed Families for Relationships

1. Using auxiliary fields in the MAC frame to create a monotonic relationship

2. Using traffic inter-arrival statistics to detect anomalous traffic

Family I - Forge-Resistant Relationships via Auxiliary Fields

Method A Anomaly Detection via

Sequence Number Monotonicity Enforce a rule that requires

packet sequence numbers to follow a monotonic relationship, denoted as Rseq

802.11 MAC Frame Structure

Generally used to re-assemble fragmented frames or detect duplicate packets.

Fragment control – 4bits Sequence number – 12bits = 4096 possibilities

ranging from [0,4095] Firmware

Rseq

It does not matter if the attacker can manipulate its own sequence numbers.

Cloning attempt would be exposed due to duplicate sequence numbers

Therefore, the forge resistance stems from the fact that the attacker cannot stop the sender from transmitting packets.

Single Source Sequence Numbers

the difference in sequence numbers between two consecutive packets

The possible values for : [1, 4096] A value of 4096 is equivalent to a sequence number

difference of 0 (duplicate sequence numbers)

The mean distribution for is E[] = 1/(1-p)2

where p is the packet loss rate The variance for the distribution of is

σ = p/(1-p)22

Theoretical Packet Loss

Using the formula’s that we just learned, a theoretical transmission with packet loss of 50%: E[τ] = 2 στ = 1.41

Even for networks with poor connectivity, the difference in sequence numbers between successive packets will be relatively small

2

Dual Source Sequence Numbers

Let y be the sequence number from the real source

Let x be the sequence number from the attacker

z = x-y gives us a range of [-4095,4095] This gap will be defined as = z % 4096

Dual Source Cont.

If we then map a difference of 0 to 4096, we have a uniform distribution over [1,4096] E[] = 2048.5 σ = 1182

Single Source Behavior

A single node is transmitting packets using a specified MAC address to a receiver No anomalous behavior is present in this scenario

Dual Source Behavior

Two nodes using the same MAC address to transmit packets One node is spoofing the other’s MAC address

Lets build a detector…

We will define the RRCC detection scheme as follows:

Choose a window of packets coming from a specific MAC address

We will choose a window with size L The detector will calculate L-1 sequence number

gaps

More on the detector

The detector will determine that there is an anomaly if MAXl=1 to L-1 {l} >

is determined by solving for a desired false alarm rate

Example: L = 5 & = 3

1 2 3 76 5 7 8 9 10 11

1 73 71 2MAX{ }

73 73 > , RETURN(1)

Performance of Sequence Number Monotonicity

L = 2

Sequence Number Gap Statistics for a Single Source from ORBIT

When would this not work?

This method of detection could only work with a presence of heterogeneous sources; the legitimate device must be transmitting in order to reveal the anomaly.

Family I - Forge-Resistant Relationships via Auxiliary Fields

Method B One-way chain of

Temporary Identifiers The sender attaches a TIF

(temporary identifier field) to its identity, forcing the adversary to solve a cryptographic puzzle in order to spoof.

Temporary Identifier Fields

Similar to what was proposed in TESLA Compute a one-way chain of numbers, and

attach them to the frames in reverse order. In order for the attacker to spoof a message,

they would need to find the inverse of the function used to compute the one-way chain.

This method is loss-tolerant

ROC Curve for one-way chain TIF’s

Bit Length = 10 Bit Length = 16

Outline

Spoofing ORBIT Family 1 – Relationships via Auxiliary Fields

Method A – Sequence Number Method B – One-way chains

Family 2 – Relationships via Intrinsic Properties Method A – Interarrival time Method B – Joint Background Traffic and Interarrival time

Analysis Multilevel Classification Conclusion

Family II - Forge-Resistant Relationships via Intrinsic Properties Method A) Traffic Arrival

Consistency Checks Use a traffic shaping tool to

control the interarrival times observed by the monitoring device.

These interarrival statistics are then used to determine anomalous behavior

Traffic Arrival Consistency Checks

Suppose we have our three devices, A, B, X A is set to transmit at a fixed interval X will take note of this behavior, if B starts

transmitting (spoofing to impersonate A) then the detector will notice a change in the distribution of packet arrivals

Resulting Histograms

Experimental Results: 200ms

Experimental Results cont.

When would this method become unreliable on a wireless network?

With the presence of high background traffic, this method would become less suitable.

Background traffic would affect the transmission intervals of the sender, possibly causing false alarms.

Family II - Forge-Resistant Relationships via Intrinsic Properties Method B) Joint Traffic

Load and Interarrival Time Detector Jointly examine the

interarrvial time and the background traffic load

Use these two pieces of information to determine anomalous behavior, even under heavy traffic situations

Joint Traffic Load and Interarrival Time Detector

We can define to be the observed average interarrival time, and to be the observed traffic load.

We then partition this (, ) space into two regions Region I – non-suspicious behavior Region II – anomalous activity

This idea is later revisited in the experimental validation section.

Enhanced Detection using Multilevel Classification

Extremely useful to have a severity analysis Plot severity vs. average sequence number

gap of a particular window Severity is defined as the sum of the differences

between a normal gap and the observed gap for all gaps in a window size L

Severity vs. Average Sequence Number Gap

Conclusion

All methods have their flaws There are already mechanisms in place

within 802.11 that can help detect spoofing attacks

Thank you for your time!

Questions / Comments

Sequence Number Gap Statistics for Dual Source from ORBIT