evaluating the vulnerability of network traffic using joint security and routing analysis patrick...

Evaluating the Vulnerability of Network Traffic Using Joint Security and Routing Analysis

Patrick Tague, David Slater, and Radha Poovendran

Network Security Lab, Dept. of Electrical Engineering,University of Washington, Seattle, WA

In collaboration with:

Jason RogersNaval Research Laboratory

1/24/2008

Outline

Impact of Routing on Security in Ad Hoc Networks Identifying Cross-Layer Vulnerabilities

Quantifying Cross-Layer Vulnerabilities

Examples/Applications

2NSA Protocol eXchange Meeting – January 24, 2008

Navy Postgraduate School, Monterey, CA

1/24/2008

Securing Network Assets

How do we understand the impact of these attacks?



1/24/2008

Security is established per-hop (i.e. linksecurity) between neighboring nodes

Security is established per-hop (i.e. linksecurity) between neighboring nodes

Challenges in Establishing Ad Hoc

Network Security

Network protocols relyon local information and

peer cooperation

Network protocols relyon local information and

peer cooperation

Ad Hoc Networks consist ofresource-constrained nodeswith no global network view

Ad Hoc Networks consist ofresource-constrained nodeswith no global network view



1/24/2008

Per-hop security properties may not extend globally Data routed over multiple hops may traverse links that

are vulnerable to attack



Does the global exchange of data in networks using per-hop security weaken C/I? What

vulnerabilities are introduced?

How to evaluate confidentiality and/or integrity (C/I) of data traversing numerous links with

differing security properties?

Impact of Locality Constraints

1/24/2008

Goals of this Work

Investigate the impact of routing on data security built on per-hop security

Characterize & quantify the strength (weakness) of data security in multi-hop networks

Provide a basis for joint evaluation of security and routing protocols with respect to cross-layer network vulnerabilities



1/24/2008

Example 1: Fixed single-path routing

Binary characterization of data security, i.e. either secure or insecure



Impact of Routing on Security

Compromise of a single link leads to

recovery of all data.

s

d

1/24/2008

Example 2: Fixed multi-path routing

M-ary (fractional) metric for data security 2M possible values for data security


Fraction (1-f)

Fraction f


Navy Postgraduate School, Monterey, CA 8NSA Protocol eXchange Meeting – January 24, 2008


Compromise of a single link leads to

recovery of a fraction of data.

sd

1/24/2008

Example 3: Fixed multi-path routing with dependent packets (threshold sharing, network coding, etc.)




How to model routing/security interactions and provide a unified characterization of data security

for arbitrary topologies and routing protocols?

Compromise of a single link leads to no data recovery.

sd

1/24/2008

Modeling Interactions between Routing and Security

Gsd – labeled, directed graph representing data flow from s to d LSi – level of security

provided by link i Function of node

capabilities, crypto protocol, etc.

Varies between links Varies over time (e.g.

decreases with attack)



s

dGsd

LS1

LS4

LS6

LS5LS2

LS3

LS8

LS7

1/24/2008

Route Vulnerability Metric

Characterize data (in)security V(Gsd) – the route

vulnerability of the s-d flow Relative to a reference

state G0sd (e.g. prior to

attack) Varies continuously from

V(G0sd) = 0 to V(Gsd) = 1

as attack progresses



V(G

sd)

G0sd

As attack progresses

1

0

1/24/2008

Defining Route Vulnerability

Compose the labeled graph Gsd to an overall measure of data security Metric units are same as link labels

Ex: if link labels represent #shared keys securing the link, data security is equivalent #shared keys

Transform data security measure to satisfy requirements of route vulnerability



How do we define a composition rule for overall data security as a function of Gsd?

1/24/2008

Composition: Step I



s

d

Claim: All data in an s-d flow is compromised if and only if an edge cut of links in the s-d flow is compromised.

Composition - Step I: Map the routing topology to a collection of edge cuts

(noting forward- vs. reverse-flow edges).

1/24/2008

Composition: Step II



s

d

Analogy: Security measures resistance to attack, just as electric resistance measures resistance to current.

Composition - Step II: Map each edge cut to a (directed) resistive current path with zero resistance (unrestricted

flow) along reverse-flow edges.

1/24/2008

Composition: Step III



Circuit elements combine using the principle of superposition, but… We have directional current path constraints

which cannot be combined using superposition. Solution: Construct directed resistors!

Composition Step III: Replace each directed current path with a path of directed resistors and combine

into an electric circuit E using superposition.

R

0

R

Ideal diode

1/24/2008

Composition: Evaluation



s

d

2

2

1

132

212

1

11

3

2

1

1

2

2 2

1 12

3212

13

Composition Rule: Equivalent security of data is the equivalent resistance R(Gsd) of the

circuit E, referred to as the route resistance.

Edge mappingto resistors is

a 1-to-1 mapping

1/24/2008

Mapping to Electric Circuit

Circuit construction Efficient: edge cut decomposition not required

For planar graphs, the electric circuit is related to the planar dual of the graph Gsd

For non-planar graphs, circuit duality properties give alternate construction using Gsd

Properties “Weakest link” property of sequential links is

maintained (i.e. parallel), R1 || R2 ≤ min{R1,R2}

Additive security for disjoint paths (i.e. series)



1/24/2008

Circuit Theoretic Metric

To compute V(Gsd): Construct equivalent circuit E

Compute equivalent resistance R(Gsd)

Define V(Gsd) proportional to R(Gsd)-1

Linear (affine) transformation maps to [0,1] as a function of R(G0

sd)



1/24/2008

Application of Route Vulnerability Metric

Example: node capture attacks Active adversary eavesdrops, analyzes

network traffic, participates in protocols Data flow graph Gsd = Gsd(C)

C = set of captured nodes G0

sd = Gsd(ø) Link labels indicate number of shared keys providing

C/I for the link



1/24/2008

Node Capture Attacks using Route Vulnerability

Optimal node capture attack: Compute the set of nodes C s.t.

V(Gsd(C)) = 1 for all target s-d data flows cost(C) is minimized

Iterative Heuristic: Given C captured, choose n s.t.

Aggregate increase in vulnerability per-unit-cost for all target flows is maximized



1/24/2008

Examples to Illustrate Route Vulnerability Evaluation

An adversary can use the route vulnerability metric to improve attacks Allows cross-layer adversary to perform near-

optimal attack Examples:

Compromise of data integrity in target tracking Compromise of data confidentiality in distributed

content dissemination using network coding Simulation:

Compromise of data confidentiality in large-scale ad hoc network using random key assignment



1/24/2008

Example: Target Tracking Application

s1

s2

i7

d2

d1

i1

i6

i2

i4i5

i3

2

3

1

2

2

21

2

22

1 2

Goal: Compromise integrity of

alarm data Modify/erase alarm

signals to base nodes

Attack: Use V(Gsd) for single-path

routes to identify vulnerabilities

Heuristic algorithm Compromise link integrity

using recovered keys



1/24/2008

Example: Data Dissemination using Network Coding

s1

d3

i4 s3

i2i3

d2

s2

d4

i6

d1i1

i5

i7

Goal of attack: Compromise

confidentiality of data E.g. violation of user

privacy

Attack: Use V(Gsd) for dependent

data flow to identify vulnerabilities

Heuristic algorithm Compromise link integrity

using recovered keys



1/24/2008

Large-Scale Simulation Results

Comparison: Node capture attacks

using Random capture #Recovered keys #Compromised links Total traffic through

captured nodes Route Vulnerability

For Single path routing Dependent multi-path

routing



1/24/2008

Summary of Contributions

Impact of routing on security Route vulnerability metric

Provides insight into the impact of cross-layer adversaries

Allows for joint evaluation of security and routing protocols Exposes cross-layer vulnerabilities Can help determine suitable protocols for a given

application/deployment



1/24/2008

Thank you for your time & attention!



?

? ??

?

?

?Questions?

evaluating the vulnerability of network traffic using joint security and routing analysis patrick...

Documents