Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks

Anand Patwardhan, Jim Parker, Anupam Joshi, Michaela Iorga, Tom Karygiannis. National Institute for Standards and Technology. March 10, 2005, Kauai Island, Hawaii

Post on 19-Dec-2015


TRANSCRIPT

Page 1: Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks

Anand Patwardhan, Jim Parker, Anupam Joshi
Michaela Iorga, Tom Karygiannis
National Institute for Standards and Technology
March 10, 2005, Kauai Island, Hawaii

Page 2: Challenges

• Wireless communication
  • Short range (802.11, Bluetooth etc.)
  • Open medium
• Identification and Authentication
  • PKI based solutions infeasible
  • No prior trust relationships
• Routing
  • Based on dynamic cooperative peer relations
  • Key to survival of MANET
• Device constraints
  • Power Conservation
  • Finite Storage
  • Computation power

Page 3: AODV

• Ad hoc On-demand Distance Vector routing protocol

• Not all up-to-date routes are maintained at every node

• Minimizes number of broadcasts by creating routes on-demand

• Routes are created as and when required

• Route remains valid until destination is unreachable or the route is no longer needed

• Adaptation to dynamic link conditions

• Low processing and Memory Overhead

• Low Network Utilization

Page 4: AODV Messaging

• Source Node – node originating routing request

• Destination Node – sends route reply

• Sequence Numbers – used to avoid loops/replay

• Route Request – route discovery message

• Route Reply – destination to source message

• Route Error – destination node unreachable

• Intermediate Node Path List – list of nodes traversed along message path

Page 5: Attacks

• Attacks can be broadly classified into
  • Routing disruption attacks
  • Resource consumption attacks
  • Attacks on data traffic
• Objective: Isolate and deny resources to intrusive and/or chronically faulty nodes

Page 6: Routing disruptions

• Malicious nodes may:
  • convince nodes that they are routing packets to the correct destination when they are not,
  • fabricate route-maintenance messages,
  • refuse to forward or simply drop packets,
  • spoof routing addresses,
  • and/or modify messages.

Page 7: Secure Routing in MANETs

• Each node is a Router
• Identification and Authentication
• Statistically Unique and Cryptographically Verifiable (SUCV) identifiers
• No prior trust relationships required
• Large address space of IPv6 suitable for SUCVs
• Secure binding between IPv6 address and Public key

Page 8: Secure Routing in MANETs

• Routing state
• Additional fields in control messages to protect data
• SUCV: IPv6 address and Public Key
• Secure binding, computationally infeasible to compute private key in order to spoof
• Routing messages protected against mangling and masquerading

Page 9: Securing the IPv6 AODV

Binding IP Address and RSA Public Key

[Diagram: two nodes, each with an IP address and a MESSAGE]

IP: 2003:13:0:0:16ba:ae7f:8aea:dab3
IP: 2003:33:0:0:31ba:af0f:82ea:a0b
Each IP: 64-bit Network Specific ID, 64-bit Hash of Public Key
Each MESSAGE: RSA Public Key, Signature
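The binding on this slide as a receiver-side check, in Python. This is an added example, not code from the presentation: the truncated SHA-256 hash, the `n:e` key encoding, the unpadded toy RSA key and the sample RREQ bytes are assumptions made for illustration.

```python
import hashlib
import ipaddress

# Constructed toy RSA key (two Mersenne primes, no padding): illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def key_hash64(public_key: bytes) -> int:
    # Assumption: SHA-256 truncated to 64 bits; the slides do not name the hash.
    return int.from_bytes(hashlib.sha256(public_key).digest()[:8], "big")

def digest(payload: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def encode_key(n: int, e: int) -> bytes:
    return f"{n}:{e}".encode()  # hypothetical wire encoding of the public key

def sucv_address(prefix: str, public_key: bytes) -> str:
    """64-bit network-specific ID followed by the 64-bit hash of the public key."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("network-specific ID must be 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | key_hash64(public_key)))

def sign(payload: bytes) -> int:
    return pow(digest(payload, N), D, N)

def verify_message(src: str, public_key: bytes, payload: bytes, signature: int) -> str:
    """Receiver-side check of a control message carrying a key and a signature."""
    try:
        low64 = int(ipaddress.IPv6Address(src)) & (2**64 - 1)
        n, e = (int(x) for x in public_key.decode().split(":"))
        if n < 2 or e < 2:
            raise ValueError("degenerate key")
    except ValueError:
        return "malformed"
    if low64 != key_hash64(public_key):
        return "bad-binding"      # sender does not own this address (masquerading)
    if pow(signature, e, n) != digest(payload, n):
        return "bad-signature"    # message altered after signing (mangling)
    return "ok"

KEY = encode_key(N, E)
ADDR = sucv_address("2003:13::/64", KEY)
RREQ = b"RREQ dst=2003:33::1 seq=7"   # constructed control message
SIG = sign(RREQ)
```

The binding check runs before the signature check, so a node presenting its own valid key under another node's address is rejected without any signature work.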

Page 10: Intrusion Detection

• Wired Networks
  – Traffic monitoring at routers, gateways, firewalls
  – Static routes
  – Physical security
• MANETs
  – Mobile nodes
  – Other radio interference
  – Reliance on cooperative mechanisms for routing
  – Intrusion detection limited to devices within radio-range

Page 11: Intrusion Detection Challenges

• Identity
  – Use SUCVs
• Mobility
  – False positives
• Scalability
  – Large radio-ranges or dense networks
• Aggregation of data
  – Communicate intrusion data to warn others

Page 12: Packet Forwarding

[Figure: nodes A, B and C, with dgram_in and dgram_out]

Datagram dgram_in has:
  Source IPv6 address, x ∈ U – {B,C}
  Destination IPv6 address, y ∈ U – {B,C}
  MAC source, mac(u), u ∈ U – {B,C}
  MAC destination, mac(B)

Corresponding dgram_out must have:
  Source IPv6 address, x
  Destination IPv6 address, y
  MAC source, mac(B)
  MAC destination, mac(u), u ∈ U – {B,C}

Page 13: Stateful Packet Monitoring

[Diagram labels]
• From the packet capture library (pcap)
• Ethernet Frame, IPv6, then AODV and TCP
• AODV: { RREQ, RREP, RERR }
• TCP: { TCP Sequence no., TCP checksum }
• Update in-memory hash table
• Build and maintain neighbor table: (mac, ipv6) pairs and route status
• Packets that should be forwarded
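A neighbor's forwarding check for node B, combining the dgram_in/dgram_out rule from page 12 with the in-memory hash table from page 13. This is an added example, not the authors' monitor: the `Frame` fields, the (source, destination, TCP sequence number) key, the 0.5 s timeout and the trace are constructed for illustration.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "mac_src mac_dst ip_src ip_dst tcp_seq tcp_csum")

class ForwardingMonitor:
    """Runs on a neighbor within radio range of the watched node B."""

    def __init__(self, mac_b, excluded_ips, timeout=0.5):
        self.mac_b, self.excluded, self.timeout = mac_b, set(excluded_ips), timeout
        self.pending = {}  # (ip_src, ip_dst, tcp_seq) -> (tcp_csum, deadline)
        self.alerts = []

    def observe(self, f, now):
        self.expire(now)
        if f.ip_src in self.excluded or f.ip_dst in self.excluded:
            return  # slide rule: x and y lie in U - {B, C}
        key = (f.ip_src, f.ip_dst, f.tcp_seq)
        if f.mac_dst == self.mac_b:  # dgram_in: B is now expected to forward it
            self.pending[key] = (f.tcp_csum, now + self.timeout)
        elif f.mac_src == self.mac_b and key in self.pending:  # dgram_out
            csum, _ = self.pending.pop(key)
            if csum != f.tcp_csum:
                self.alerts.append(("modified", key))

    def expire(self, now):
        overdue = [k for k, (_, deadline) in self.pending.items() if deadline < now]
        for key in overdue:
            del self.pending[key]
            self.alerts.append(("dropped", key))

def run_trace(trace, mac_b, excluded_ips, end_time):
    mon = ForwardingMonitor(mac_b, excluded_ips)
    for now, frame in trace:
        mon.observe(frame, now)
    mon.expire(end_time)
    return mon.alerts

# Constructed capture: (time in seconds, frame heard on the air)
MAC_A, MAC_B, MAC_D = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0d"
IP_B, IP_C, X, Y = "2003:13::b", "2003:13::c", "2003:13::a", "2003:33::d"
TRACE = [
    (0.00, Frame(MAC_A, MAC_B, X, Y, 100, 0x1A2B)),  # in
    (0.01, Frame(MAC_B, MAC_D, X, Y, 100, 0x1A2B)),  # out, unchanged
    (0.10, Frame(MAC_A, MAC_B, X, Y, 200, 0x3C4D)),  # in
    (0.12, Frame(MAC_B, MAC_D, X, Y, 200, 0xFFFF)),  # out, checksum differs
    (0.20, Frame(MAC_A, MAC_B, X, Y, 300, 0x5E6F)),  # in, never forwarded
]
```

A forward that the neighbor fails to hear, for example after moving out of radio range, is recorded as a drop, which is the mobility false positive listed on page 11.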

Page 14: Example Scenario

Page 15: Future Work

• Active Response

• Nodes send out accusations on events that they directly observe

• Accusations are signed so accuser is accountable

• No Hearsay is propagated

• All nodes have same information on which to base decisions

• Combine cross layer evidence to evaluate trust between MANET nodes

• Design and develop a secure trust routing protocol

Page 16: Additional Information

• UMBC
  • http://ebiquity.umbc.edu
• NIST
  • http://csrc.nist.gov/manet