Evaluating the Vulnerability of Network Traffic Using Joint Security and Routing Analysis
Patrick Tague, David Slater, and Radha Poovendran
Network Security Lab, Dept. of Electrical Engineering, University of Washington, Seattle, WA
In collaboration with:
Jason Rogers, Naval Research Laboratory
1/24/2008
Outline
Impact of Routing on Security in Ad Hoc Networks
Identifying Cross-Layer Vulnerabilities
Quantifying Cross-Layer Vulnerabilities
Examples/Applications
NSA Protocol eXchange Meeting – January 24, 2008
Navy Postgraduate School, Monterey, CA
Securing Network Assets
How do we understand the impact of these attacks?
Challenges in Establishing Ad Hoc Network Security
Ad Hoc Networks consist of resource-constrained nodes with no global network view
Network protocols rely on local information and peer cooperation
Security is established per-hop (i.e. link security) between neighboring nodes
Impact of Locality Constraints
Per-hop security properties may not extend globally
Data routed over multiple hops may traverse links that are vulnerable to attack
How to evaluate confidentiality and/or integrity (C/I) of data traversing numerous links with differing security properties?
Does the global exchange of data in networks using per-hop security weaken C/I? What vulnerabilities are introduced?
Goals of this Work
Investigate the impact of routing on data security built on per-hop security
Characterize & quantify the strength (weakness) of data security in multi-hop networks
Provide a basis for joint evaluation of security and routing protocols with respect to cross-layer network vulnerabilities
Impact of Routing on Security
Example 1: Fixed single-path routing
Binary characterization of data security, i.e. either secure or insecure
Compromise of a single link leads to recovery of all data.
[Figure: a single multi-hop path from s to d]
Impact of Routing on Security
Example 2: Fixed multi-path routing
M-ary (fractional) metric for data security: 2^M possible values for data security
Compromise of a single link leads to recovery of a fraction of data.
[Figure: two paths from s to d carrying fractions f and (1-f) of the data]
Impact of Routing on Security
Example 3: Fixed multi-path routing with dependent packets (threshold sharing, network coding, etc.)
Compromise of a single link leads to no data recovery.
How to model routing/security interactions and provide a unified characterization of data security for arbitrary topologies and routing protocols?
[Figure: multiple paths from s to d carrying dependent packets]
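The three routing examples above, worked as an added illustration (this is not the authors' code). The model is constructed for the example: a flow is a list of paths given as tuples of link names, and a scheme says how data is spread over them. "single" is Example 1, "split" with per-path weights is Example 2, and "threshold" stands in for the dependent-packet case of Example 3 as (k, n) secret sharing with one share per path; network coding is not modelled. The function returns the fraction of the flow an adversary holding a given set of compromised links can recover.

```python
"""Fraction of an s-d flow recoverable from a set of compromised links.

Added illustration for the three routing examples; not the authors' code.
Constructed model: a flow is a list of paths (tuples of link names) plus a
scheme describing how data is spread over the paths:
  "single"    one path carries all data (Example 1): all or nothing
  "split"     path i carries fraction weights[i] of the data (Example 2)
  "threshold" (k, n) secret sharing, one share per path (Example 3):
              nothing below k compromised paths, everything at k or more
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Set, Tuple


@dataclass
class Flow:
    paths: Sequence[Tuple[str, ...]]
    scheme: str
    weights: Optional[Sequence[float]] = None   # "split" only; must sum to 1
    k: Optional[int] = None                    # "threshold" only


def compromised_paths(flow: Flow, bad_links: Set[str]) -> Set[int]:
    """A path is readable by the adversary if any one of its links is compromised."""
    return {i for i, path in enumerate(flow.paths) if any(l in bad_links for l in path)}


def recovered_fraction(flow: Flow, bad_links: Set[str]) -> float:
    """Fraction of the s-d data recovered from the compromised links."""
    hit = compromised_paths(flow, bad_links)
    if flow.scheme == "single":
        return 1.0 if hit else 0.0
    if flow.scheme == "split":
        return sum(flow.weights[i] for i in hit)
    if flow.scheme == "threshold":
        return 1.0 if len(hit) >= flow.k else 0.0
    raise ValueError(f"unknown scheme {flow.scheme!r}")


# Constructed topology: two link-disjoint paths from s to d.
PATHS = [("s-a", "a-d"), ("s-b", "b-d")]
SINGLE = Flow(paths=PATHS[:1], scheme="single")
SPLIT = Flow(paths=PATHS, scheme="split", weights=(0.3, 0.7))
THRESHOLD = Flow(paths=PATHS, scheme="threshold", k=2)

if __name__ == "__main__":
    # One compromised link on the first path, then one link on each path.
    for name, flow in [("single", SINGLE), ("split", SPLIT), ("threshold", THRESHOLD)]:
        print(name, recovered_fraction(flow, {"a-d"}),
              recovered_fraction(flow, {"a-d", "s-b"}))
```

With a single compromised link the three schemes give all, a fraction, and nothing, exactly the three slides; the threshold flow only falls once links on k distinct paths are compromised, which is the edge-cut idea the composition rule later builds on.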
Modeling Interactions between Routing and Security
Gsd – labeled, directed graph representing data flow from s to d
LSi – level of security provided by link i
Function of node capabilities, crypto protocol, etc.
Varies between links
Varies over time (e.g. decreases with attack)
[Figure: flow graph Gsd from s to d with links labeled LS1 through LS8]
Route Vulnerability Metric
Characterize data (in)security
V(Gsd) – the route vulnerability of the s-d flow
Relative to a reference state G0sd (e.g. prior to attack)
Varies continuously from V(G0sd) = 0 to V(Gsd) = 1 as attack progresses
[Figure: V(Gsd) rising from 0 at G0sd to 1 as the attack progresses]
Defining Route Vulnerability
Compose the labeled graph Gsd to an overall measure of data security
Metric units are same as link labels
Ex: if link labels represent the number of shared keys securing the link, data security is an equivalent number of shared keys
Transform data security measure to satisfy requirements of route vulnerability
How do we define a composition rule for overall data security as a function of Gsd?
Composition: Step I
Claim: All data in an s-d flow is compromised if and only if an edge cut of links in the s-d flow is compromised.
Composition - Step I: Map the routing topology to a collection of edge cuts (noting forward- vs. reverse-flow edges).
[Figure: s-d flow graph with an edge cut highlighted]
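The claim on this slide, as an added example (not the authors' code): Gsd is given as a constructed dictionary of directed links, a set of compromised links fully compromises the flow exactly when no s-to-d path of uncompromised links survives, and the minimal s-d edge cuts, the collection Step I maps the topology to, are enumerated by brute force. Link direction is respected in the reachability test, so a reverse-flow edge never carries data toward d; the brute-force enumeration is exponential and only meant for graphs of demonstration size.

```python
"""Edge-cut view of an s-d flow (Composition Step I).

Added illustration, not the authors' code. Gsd is a set of directed links
(name -> (tail, head)). A set of compromised links fully compromises the flow
exactly when d is unreachable from s over the remaining links, i.e. when the
set contains an s-d edge cut. Minimal cuts are enumerated by brute force.
"""
from collections import deque
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Edges = Dict[str, Tuple[str, str]]


def reaches(edges: Edges, s: str, d: str, removed: Set[str]) -> bool:
    """BFS from s over directed links not in `removed`."""
    adj: Dict[str, List[str]] = {}
    for name, (u, v) in edges.items():
        if name not in removed:
            adj.setdefault(u, []).append(v)
    seen, queue = {s}, deque([s])
    while queue:
        u = queue.popleft()
        if u == d:
            return True
        for v in adj.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return False


def is_fully_compromised(edges: Edges, s: str, d: str, compromised: Set[str]) -> bool:
    """True iff the compromised links contain an s-d edge cut of the flow."""
    return not reaches(edges, s, d, compromised)


def minimal_edge_cuts(edges: Edges, s: str, d: str) -> List[FrozenSet[str]]:
    """All minimal s-d edge cuts, by increasing size (exponential; demo sizes only)."""
    names = sorted(edges)
    cuts: List[FrozenSet[str]] = []
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            cand = frozenset(combo)
            if any(c <= cand for c in cuts):
                continue            # contains a smaller cut found earlier: not minimal
            if is_fully_compromised(edges, s, d, set(cand)):
                cuts.append(cand)
    return cuts


# Constructed flow graph: two s-d paths plus a cross link a -> b.
GSD: Edges = {"sa": ("s", "a"), "sb": ("s", "b"), "ab": ("a", "b"),
              "ad": ("a", "d"), "bd": ("b", "d")}

if __name__ == "__main__":
    for cut in minimal_edge_cuts(GSD, "s", "d"):
        print(sorted(cut))
```

On the constructed graph the cut {sb, ad} is not enough because data still flows s -> a -> b -> d over the cross link; the cross link must be cut as well, which is what "noting forward- vs. reverse-flow edges" warns about when building the cut collection.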
Composition: Step II
Analogy: Security measures resistance to attack, just as electric resistance measures resistance to current.
Composition - Step II: Map each edge cut to a (directed) resistive current path with zero resistance (unrestricted flow) along reverse-flow edges.
[Figure: s-d flow graph with an edge cut drawn as a directed current path]
Composition: Step III
Circuit elements combine using the principle of superposition, but we have directional current path constraints which cannot be combined using superposition.
Solution: Construct directed resistors!
Composition - Step III: Replace each directed current path with a path of directed resistors and combine into an electric circuit E using superposition.
[Figure: a directed resistor built from a resistor R and an ideal diode]
Composition: Evaluation
Composition Rule: Equivalent security of data is the equivalent resistance R(Gsd) of the circuit E, referred to as the route resistance.
Edge mapping to resistors is a 1-to-1 mapping
[Figure: worked example mapping an s-d flow graph with integer link labels to its equivalent circuit]
Mapping to Electric Circuit
Circuit construction
Efficient: edge cut decomposition not required
For planar graphs, the electric circuit is related to the planar dual of the graph Gsd
For non-planar graphs, circuit duality properties give alternate construction using Gsd
Properties
“Weakest link” property of sequential links is maintained (i.e. parallel), R1 || R2 ≤ min{R1, R2}
Additive security for disjoint paths (i.e. series)
Circuit Theoretic Metric
To compute V(Gsd):
Construct equivalent circuit E
Compute equivalent resistance R(Gsd)
Define V(Gsd) proportional to R(Gsd)^-1
Linear (affine) transformation maps to [0,1] as a function of R(G0sd)
Application of Route Vulnerability Metric
Example: node capture attacks
Active adversary eavesdrops, analyzes network traffic, participates in protocols
Data flow graph Gsd = Gsd(C)
C = set of captured nodes
G0sd = Gsd(ø)
Link labels indicate number of shared keys providing C/I for the link
Node Capture Attacks using Route Vulnerability
Optimal node capture attack: Compute the set of nodes C s.t.
V(Gsd(C)) = 1 for all target s-d data flows
cost(C) is minimized
Iterative Heuristic: Given C captured, choose n s.t.
Aggregate increase in vulnerability per-unit-cost for all target flows is maximized
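Route resistance, route vulnerability and the per-unit-cost node ranking of the preceding slides (Circuit Theoretic Metric, Application and Node Capture), worked as one added example; this is not the authors' code. Three assumptions are made here. Links are secured by the keys both endpoints hold, and a link's label is the number of those keys not yet revealed by a captured node, as in the deck's node-capture example. Only flows built from sequential hops (combined like parallel resistors, the weakest-link property) and link-disjoint sub-flows (combined like series resistors, the additive property) are handled, so the general planar-dual construction is not implemented. The deck states that V(Gsd) is an affine transformation pinned to V(G0sd) = 0 and V = 1 at full compromise; the map V = 1 - R(Gsd)/R(G0sd) used below is one choice meeting those endpoints, not necessarily the authors' definition. The network, key rings and costs are constructed for the example. From a defender's point of view the ranking is the hardening priority: it shows which node's loss would do the most damage to the target flows per unit of attacker effort, including nodes that sit on no target path but share keys with links that do.

```python
"""Route resistance R(Gsd), route vulnerability V(Gsd) and node criticality under
node capture, for series-parallel s-d flows.

Added illustration; not the authors' code. Assumptions made here:
- a link is secured by the keys both endpoints hold; its label is the number of
  those keys not held by any captured node (so capturing an endpoint zeroes it);
- sequential hops combine like parallel resistors (weakest link), link-disjoint
  sub-flows like series resistors (additive); only such flows are handled;
- V = 1 - R(Gsd)/R(G0sd): an affine map with V = 0 before the attack and V = 1
  once the route resistance drops to zero (chosen here, not the deck's formula).
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Link:
    name: str
    keys: FrozenSet[int]            # keys securing this link


@dataclass(frozen=True)
class Path:
    hops: Tuple["Flow", ...]        # traversed in sequence -> parallel resistors


@dataclass(frozen=True)
class Disjoint:
    branches: Tuple["Flow", ...]    # link-disjoint sub-flows -> series resistors


Flow = Union[Link, Path, Disjoint]


def route_resistance(flow: Flow, label: Callable[[Link], float]) -> float:
    """Equivalent resistance of the flow when each link has resistance label(link)."""
    if isinstance(flow, Link):
        return float(label(flow))
    if isinstance(flow, Path):
        rs = [route_resistance(h, label) for h in flow.hops]
        if any(r == 0 for r in rs):
            return 0.0                          # one compromised hop shorts the path
        return 1.0 / sum(1.0 / r for r in rs)   # R1 || R2 || ... <= min(R1, R2, ...)
    return sum(route_resistance(b, label) for b in flow.branches)


def compromised_keys(rings: Dict[str, FrozenSet[int]], captured: FrozenSet[str]) -> FrozenSet[int]:
    """Keys revealed by the captured nodes (union of their key rings)."""
    return frozenset().union(*(rings[n] for n in captured))


def route_vulnerability(flow: Flow, rings: Dict[str, FrozenSet[int]],
                        captured: FrozenSet[str]) -> float:
    r0 = route_resistance(flow, lambda l: len(l.keys))            # G0sd: nothing captured
    leaked = compromised_keys(rings, captured)
    r = route_resistance(flow, lambda l: len(l.keys - leaked))    # Gsd(C)
    return 1.0 - r / r0          # every link is assumed to start with at least one key


def rank_nodes(flows: List[Flow], rings: Dict[str, FrozenSet[int]], cost: Dict[str, float],
               captured: FrozenSet[str] = frozenset()) -> List[Tuple[str, float]]:
    """Aggregate increase in V over all target flows per unit cost for each node
    not yet captured, largest first: the deck's heuristic score, read by a
    defender as a hardening priority."""
    base = sum(route_vulnerability(f, rings, captured) for f in flows)
    scores = []
    for n in sorted(rings):
        if n in captured:
            continue
        after = sum(route_vulnerability(f, rings, captured | {n}) for f in flows)
        scores.append((n, (after - base) / cost[n]))
    return sorted(scores, key=lambda t: -t[1])


# Constructed network (not from the deck): key rings per node; node c is on no
# target path but shares keys with links that are.
RINGS: Dict[str, FrozenSet[int]] = {
    "s": frozenset({1, 2, 3, 4}), "a": frozenset({1, 2, 5}), "b": frozenset({3, 4, 6}),
    "c": frozenset({5, 6}), "d": frozenset({1, 3, 5, 6}),
}


def link(name: str, u: str, v: str) -> Link:
    return Link(name, RINGS[u] & RINGS[v])      # secured by the keys both endpoints hold


# Target flow: two link-disjoint two-hop paths s-a-d and s-b-d.
FLOW: Flow = Disjoint((Path((link("sa", "s", "a"), link("ad", "a", "d"))),
                       Path((link("sb", "s", "b"), link("bd", "b", "d")))))
COST: Dict[str, float] = {"s": 5.0, "d": 5.0, "a": 1.0, "b": 1.0, "c": 1.0}  # constructed costs

if __name__ == "__main__":
    print("R(G0sd) =", route_resistance(FLOW, lambda l: len(l.keys)))
    for n in RINGS:
        print(n, "captured -> V =", round(route_vulnerability(FLOW, RINGS, frozenset({n})), 3))
    print(rank_nodes([FLOW], RINGS, COST))
```

On the constructed network each two-hop path of two 2-key links has route resistance 1 (below the 2 of either link, the weakest-link property) and the two disjoint paths add to R(G0sd) = 2. Capturing a, which sits on one path, halves the route resistance (V = 0.5); capturing c, which is on neither path, still raises V to 1/3 because its keys secure one hop of each path, the cross-layer effect the deck is after.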
Examples to Illustrate Route Vulnerability Evaluation
An adversary can use the route vulnerability metric to improve attacks
Allows cross-layer adversary to perform near-optimal attack
Examples:
Compromise of data integrity in target tracking
Compromise of data confidentiality in distributed content dissemination using network coding
Simulation:
Compromise of data confidentiality in large-scale ad hoc network using random key assignment
Example: Target Tracking Application
[Figure: sensor network with sources s1, s2, intermediate nodes i1 through i7 and base nodes d1, d2; links labeled with shared-key counts]
Goal: Compromise integrity of alarm data
Modify/erase alarm signals to base nodes
Attack: Use V(Gsd) for single-path routes to identify vulnerabilities
Heuristic algorithm
Compromise link integrity using recovered keys
Example: Data Dissemination using Network Coding
[Figure: network with sources s1 through s3, intermediate nodes i1 through i7 and destinations d1 through d4]
Goal of attack: Compromise confidentiality of data
E.g. violation of user privacy
Attack: Use V(Gsd) for dependent data flow to identify vulnerabilities
Heuristic algorithm
Compromise link integrity using recovered keys
Large-Scale Simulation Results
Comparison: Node capture attacks using
Random capture
#Recovered keys
#Compromised links
Total traffic through captured nodes
Route Vulnerability
For single-path routing and dependent multi-path routing
Summary of Contributions
Impact of routing on security
Route vulnerability metric
Provides insight into the impact of cross-layer adversaries
Allows for joint evaluation of security and routing protocols
Exposes cross-layer vulnerabilities
Can help determine suitable protocols for a given application/deployment