security (models) - fields institute · the dns is used on the internet to correlate between ip...
TRANSCRIPT
![Page 1: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/1.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1
Security (Models):
Prospects, Perspectives,
DirectionsBy
Evangelos KranakisSchool of Computer Science
Carleton University
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 2: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/2.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 2
A Fundamental Question
• Privacy:Preventing the unauthorized extraction of information fromcommunications over an insecure channel.
• Can two people that have never met before create and share asecret key?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 3: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/3.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 3
1975: A Defining Moment
A private conversation between two people with no prioracquaintance is a common occurrence in business, however,and it is unrealistic to expect initial business contacts to bepostponed long enough for keys to be transmitted by somephysical means.
W. Diffie and M. E. HellmanNew Directions in Cryptography, 1976
IEEE Information Theory Workshop, Lenox MA, 1975
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 4: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/4.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 4
How about Security?
• What is security?
• What is the fundamental question?
• Why is it such a complex subject?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 5: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/5.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 5
What is the Fundamental Question?
• There isn’t any fundamental question!
• Better yet, there are too many questions!
• Why?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 6: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/6.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 6
What is Security
IT Physical Political Other . . .
Computer Airport State Banking . . .
Data Home International Financial . . .
Information Food National Passports . . .
Network Power Plant Military Health . . ....
......
......
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 7: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/7.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 7
A Complex Dynamic System
Security studies often require deep analysis using a complexdynamic system whose behavior cannot be described withjust a few parameters!
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 8: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/8.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 8
Security Models
• A security model is a theoretical construct that represents asituation, with a set of variables and a set of logical andquantitative relationships between them in order to facilitatethe study of security.
• Limitations of Models
– You curb the number of parameters to solve the problem,and your solution is likely irrelevant!
– You enlarge the pool to include most relevant parameters,and a solution becomes infeasible!
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 9: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/9.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 9
Every Model has a Story to Tell
• BGP Routing
• (?) Zero Day Worms
• Device Authentication
• Active Worm Containment
• (?) Barrier Coverage in Sensor Networks
• (?) Best Effort
• (?) Conclusion
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 10: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/10.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 10
A bit philosophical...before we start!
...Philosophy is written in the grand book–I mean theuniverse–which stands continuously open to our gaze, but itcannot be understood unless one first learns to comprehendthe language and intercept the characters in which it iswritten, it is written in the language of Mathematics, andits characters are...
Gallileo Gallilei, Il Saggiatore, 1623
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 11: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/11.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 11
Models
for Zero Day
Worms
(with D. Whyte, P. Van Oorschot, NDSS 2005)
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 12: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/12.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 12
The Problem
• A Zero day worm is a previously-unknown computer malwarefor which antivirus software signatures are not yet available.
• Scanning worm propagation can occur extremely fast: Slammerinfected 90% of vulnerable Internet hosts in less than 10 mins.
• Automated countermeasures are required for wormcontainment and suppression
• Worm propagation detection methods are usually limited by
– Speed of detection
– Inability to detect zero-day worms
– Inability to detect slow scanning worms
– High false positive rate
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 13: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/13.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 13
Affecting Enterprise Networks
Internet
Cell 2
Router
DNS Server Firewall
Enterprise Network
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 14: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/14.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 14
How to discover Worms
• Identifying large flows in real time with small amounts ofmemory
• Counting the number of sources and destinations
• Determining scanning by counting the number of connectionsattempts to unused portions of the IP address
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 15: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/15.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 15
Scanning Worm Characteristics
• Scanning worms can employ a variety of strategies to infectsystems
– Topological scanning
– Slow scanning
– Fast scanning
• So far, all make use of pseudo random generated 32-bitnumbers to determine their targets
• The use of numeric IP addresses does not require a DNSlookup (Violation of typical network behavior (i.e. DNS).)
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 16: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/16.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 16
Cells in Enterpirse Networks
Internet
Cell 3
Cell 2
Cell 1
Router
DNS Server DNS Server
Firewall
Enterprise Network
Router Switch
DNS Server
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 17: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/17.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 17
Queries/Answers in a DNS
The DNS is used on the Internet to correlate between IP addressand readable names.
Resolver (part of system sending queries) is on the client side of theconfiguration. The name server answers the queries.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 18: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/18.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 18
DNS-based Scanning Worm Detection Approach
• Inline network device
• Divide network into cells
• Gather DNS requests, embedded IPs in HTTP requests
• Construct a candidate connection list (CCL) respecting Timeto Live (TTLs)
• Observe outgoing connections
• Those outgoing connections not matching an entry in the CCLgenerate an alert
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 19: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/19.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 19
Training Period and Rapid Response
• Technique can be used to rapidly determine if a host within anenterprise network is trying to infect external systems
• Anomaly-based “training period” required to generatewhitelists
• Whitelists are valid non-DNS using protocols/activities
• Detects local to remote (L2R) and local to local (L2L)inter-cell propagation
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 20: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/20.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 20
Anomaly-based Worm Detection Advantages
• Detection of zero-day worms / attack tools
• Detection of low and slow attacks - no threshold
• Low maintenance
• Relies on observation of a protocol found in all networks
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 21: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/21.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 21
Limitations
• Will not detect intra-cell propagation
• Open networks cause large whitelists and the potential for falsenegatives
• Will not detect network share traversal propagation or massmailing worms
• Automated scanning/attack tool false positives
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 22: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/22.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 22
Extending the idea: Normal Hosts...
Internet
Router
DNSMail
Normal Host
Enterprise Network
1 Email Request3 Email
2 MX Query
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 23: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/23.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 23
...and Spammers
Internet
Mail Server(Open Relay)
Spammer
Spam
Mail Server
Mail Server
Mail Server
Spam Recipient
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 24: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/24.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 24
...and Multiple DNS
The additional DNS servers could themselves form a network
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 25: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/25.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 25
Extensions
• ARP-based detection of scanning worms in an enterprisenetwork
• Detection of Mass-mailing worm detection
• DNS-based selection and filtering
• Automated attack tool detection
• Covert communication detection
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 26: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/26.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 26
Optimal Movement of
Mobile Sensors for Barrier
Coverage of a Planar Region(with Bhattacharya, Burmester, Hu, Shi, Wiese, COCOA 2008)
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 27: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/27.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 27
The Problem: Intrusion Detection
• Intrusion detection and border surveillance are importantapplications for wireless sensor networks.
• A major goal in these applications is to detect intruders.
• This is accomplished by appropriate coverage.
• Washington Post, Thursday, February 28, 2008
– Project 28
– U.S. Retooling High-Tech Barrier After 28-Mile PilotProject Fails
– Virtual Fence Along Border To Be Delayed
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 28: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/28.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 28
Types of Coverage
• There are two types of Coverage:
– Full Coverage
– Barrier Coverage
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 29: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/29.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 29
On Full Coverage (1/3)
• A major goal of full coverage is to detect the presence ofintruders in a given protected area.
• This type of coverage is referred to as (full) coverage, where thesensors cover fully a region.
• A given region is said to be k-fully covered by a sensor networkif every point inside the region is covered by (i.e., is within therange of) at least k sensors.
• k is a safety parameter that assumes an appropriate value.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 30: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/30.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 30
On Full Coverage (2/3)
Assume the region is a unit square.
Partition it into subsquares.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 31: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/31.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 31
On Full Coverage (3/3)
Throw sensors randomly and independently.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 32: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/32.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 32
Questions about Full Coverage
• Have you accomplished full coverage?
• Have you accomplished k-full coverage?
• For a given range r > 0 of the sensors:Are n sensors enough? With high probability?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 33: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/33.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 33
On Barrier Coverage (1/3)
• A major goal in barrier coverage is to detect intruders as theycross a border or as they penetrate a protected area.
• This type of coverage is referred to as barrier coverage, sincethe sensors form a barrier for the intruders.
• A given belt region is said to be k-barrier covered by a sensornetwork if all crossing paths through the region are k-covered,where a crossing path is any path that crosses the width of theregion completely.
• k is a safety parameter that assumes an appropriate value.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 34: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/34.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 34
On Barrier Coverage (2/3)
Assume the region is a unit square.
Partition “the perimeter” into subsquares.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 35: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/35.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 35
On Barrier Coverage (3/3)
Throw sensors randomly and independently.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 36: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/36.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 36
Questions about Barrier Coverage
• Have you accomplished barrier coverage?
• Have you accomplished k-barrier coverage?
• For a given range r > 0 of the sensors:Are n sensors enough? With high probability?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 37: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/37.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 37
Intruder Detection
Suppose that sensors are already placed in a region.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 38: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/38.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 38
Intruder Detection
Can an intruder penetrate the region undetected?
• A natural question then is how does one determine theminimum number of sensors to deploy to have k-barriercoverage in a given belt region?
• And, how does one determine, after deploying sensors in aregion, whether the region is indeed k-barrier covered?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 39: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/39.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 39
Intruder Detection
S. Kumar,T. H. Lai, A. Arora in MobiCom 2005:
• establish equivalence conditions between k-barrier coverage andexistence of node-disjoint paths between two vertices in a graph
• prove that when deploying sensors deterministically, theoptimal deployment pattern to achieve k-barrier coverage is todeploy k-rows of sensors on the shortest path across the lengthof the belt region such that consecutive sensors sensing disksabut each other.
Related to Menger’s theorem (1927): Let G be an undirectedgraph and x, y two nonadjacent vertices. Then the size of theminimum vertex cut for x and y (the minimum number of verticeswhose removal disconnects x and y) is equal to the maximumnumber of pairwise vertex-independent paths from x to y.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 40: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/40.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 40
Intruder Detection
Suppose that sensors are already placed in a circular region.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 41: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/41.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 41
Intruder Detection
Is intrusion possible?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 42: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/42.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 42
Similar Questions
• Can an intruder penetrate the region undetected?
– A natural question then is how does one determine theminimum number of sensors to deploy to have k-barriercoverage in a given belt region?
– And, how does one determine, after deploying sensors in aregion, whether the region is indeed k-barrier covered?
• Lex Schrijver (1991) proved necessary and sufficient conditionsfor the existence of pairwise vertex disjoint simple closed curves“homotopic” to given closed curves.
• Resulting complexity bounds are hard to determine: thisindicates the problem is hardly closed!
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 43: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/43.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 43
Mobile Sensors: Changing the Model
• Previous models are static.
• Assuming
– the sensors are mobile, and
– the set of sensors does not barrier cover a region
• How do we move the sensors optimally so as to provide thebest possible barrier coverage?
What do we mean and why do we care about optimality?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 44: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/44.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 44
Placing Robots in the Perimeter
A
B
C
D
A"
A
B
B'
C
C'
D
D'
Four sensors A,B, C, D located in the interior of a disk move tonew positions A′, B′, C ′, D′ towards the perimeter of the disk sothat A′B′C ′D′ forms a regular 4-gon.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 45: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/45.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 45
Mobile Sensor Barrier Coverage
• n given sensors located inside a circle and starting in positions
A1, A2, . . . , An
move to new positions
A′1, A
′2, . . . , A
′n,
respectively.
• To optimize barrier coverage every sensor moves from itscurrent position Ai to a new position A′
i so that the newpositions A′
1, A′2, . . . , A
′n form the corners of a regular n-gon.
• The distance from Ai to A′i is d(Ai, A
′i).
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 46: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/46.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 46
Two Objectives
• Min-Sum: Minimize the sumn∑
i=1
d(Ai, A′i). (1)
• Min-Max: Minimize the maximum:
nmaxi=1
d(Ai, A′i). (2)
It is clear that in each case the function is minimized when eachsensor moves to its new position in a straight line.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 47: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/47.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 47
Formalities
• Let the n sensors have coordinates Ai = (ai, bi), fori = 1, 2, . . . , n.
• Let us parametrize the regular polygon with respect to theangle of rotation, say θ.
• The n vertices of the regular n-gon that lie on the perimeter ofthe disk can be described by
(ai(θ), bi(θ)) = (cos(θ + (i− 1)2π/n), sin(θ + (i− 1)2π/n)),
for i = 1, 2, . . . , n), respectively.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 48: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/48.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 48
Minimizing the Sum
• We are interested in minimizing the sum
Sn(σ, θ) :=n∑
i=1
√(ai − aσ(i)(θ)
)2 +(bi − bσ(i)(θ)
)2 (3)
as a function of the angle θ and permutation σ.
• The optimization problem is
minσ,θ
Sn(σ, θ). (4)
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 49: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/49.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 49
Minimizing the Max
• We are interested in minimizing a maximum
Mn(σ, θ) := max1≤i≤n
√(ai − aσ(i)(θ)
)2 +(bi − bσ(i)(θ)
)2 (5)
as a function of the angle θ and permutation σ.
• The optimization problem is
minσ,θ
Mn(σ, θ). (6)
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 50: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/50.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 50
Summary of Results
• Min-Max optimization problem can be solved
– 1D: optimally in O(n) time
– 1.5D: optimally in O(n) time, and
– 2D: optimally in O(n4 log n) time.
• Min-Sum optimization problem can be solved
– 1D: optimally in O(n) time,
– 1.5D: optimally in O(n) time, and
– 2D: 1 + ε approximation algorithm in time O( 1ε n4).
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 51: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/51.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 51
Open Problems
1. Can we solve the min-sum problem in polynomial time?
2. Can we improve existing results?
3. Different variants of the problem on simple polygons andregions:
• regions with holes,
• sensor placements,
• Are some of them NP-hard?
4. Can we Improve
• Motion model?
• Network model?
• Communication model?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 52: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/52.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 52
Best Effort
Models
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 53: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/53.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 53
The Problem
• For a given security scenario what is the best you can do so asto optimize the security performance?
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 54: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/54.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 54
Detect Presence of Malicious Packets in a Network
a
malicious packetnormal packet
t
a is the attack node (from which an attack is initiated).
t is the targeted node (affected by the attack).
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 55: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/55.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 55
Mathematized Intrusion Detection
Problem:
• Intruder sends malicious packets to a given node.
• How do you detect malicious packets with packet-sampling?
What does detection entail?
• Only a portion of “flowing” packets in designated links can besampled.
• Examination may involve
– specific packet header fields,
– other data content details.
And the sampling costs?
• Must be kept low!
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 56: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/56.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 56
Intruder’s Problem
t
a
Intruder’s Strategy:pick a path on which the malicious packet will be sent!
Defender’s Strategy:pick a sampling rate on the network links!
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 57: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/57.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 57
Defender’s (i.e., Internet Provider) Problem
t
a
cut
Sample links that belong to an a− t mincut!
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 58: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/58.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 58
Capacity, Flow, and Sampling
t
a
e
A given link e is associated with:
• ce: capacity,
• fe: flow,
• se: sampling rate.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 59: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/59.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 59
Players and Available Information
• Defender:
– The defender has complete knowledge of the network.
– The defender is an internet provider, and can get thisinformation from the Link State Routing Protocol.
• Intruder:
– The intruder may or may not be able to have completeknowledge of the network.
– However, the most powerful intruder is one that also hascomplete knowledge of the network.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 60: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/60.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 60
What are the Costs?
Probability of Detection in a Link e:
pe := Pr[detecting a malicious packet at link e] = se/fe
Probability of Detection in a Path P from a to t:
1−∏e∈P
(1− pe)
Within Budget B: ∑e∈E
se ≤ B.
If you think of pe as the sampling probabilities then the budgetconstraint becomes ∑
e∈E
fe · pe ≤ B.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 61: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/61.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 61
Determining the Payoffs
Let P(a, t) be the set of paths from a to t. The intruder has aprobability distribution q(P ) over paths P ∈ P(a, t) such that∑
P∈P(a,t)
q(P ) = 1,
i.e., q(P ) is the probability that path P ∈ P(a, t) is selected.
For a given path P ∈ P(a, t), the expected number of times apacket is detected is equal to ∑
e∈P
pe.
Expected number of times packet is detected as it moves from s to t∑P∈P(a,t)
q(P )∑e∈P
pe
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 62: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/62.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 62
Objectives and Payoffs
Intruder: chooses a distribution q :=< q(P ) : P ∈ P(a, t) > overthe paths so as to minimize the maximum possible detection
minq
maxp
∑P∈P(a,t)
q(P )∑e∈P
pe
Defender: chooses sampling distribution p :=< pe : e ∈ E > overthe links so as to maximize the minimum possible detection
maxp
minq
∑P∈P(a,t)
q(P )∑e∈P
pe
Min-Max: There exists an optimal solution that is achieved when
minq
maxp
∑P∈P(a,t)
q(P )∑e∈P
pe = maxp
minq
∑P∈P(a,t)
q(P )∑e∈P
pe
We do not know how to find such “equilibrium” strategies!
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 63: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/63.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 63
Intruder’s Optimal Strategy
Given the network flow f :=< fe : e ∈ E >
1. Find the maximum flow Ma,t(f) from a to t.
2. Decompose the maximum flow into flows on paths
P1, P2, . . . , Pl,
with flows m1,m2, . . . ,ml, respectively. Note that
l∑i=1
mi = Ma,t(f).
3. The intruder sends malicicious packet along path Pi
which maximizesmi
Ma,t(f).
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 64: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/64.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 64
Defender’s Optimal Strategy
Given the network flow f :=< fe : e ∈ E >
1. Find the links e1, e2, . . . , er of a minimum cut flow, say
fe1 , fe2 , . . . , fer .
Note thatr∑
i=1
fei= Ma,t(f).
2. The defender samples links e1, e2, . . . , er at the rate
B · fei
Ma,t(f)
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 65: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/65.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 65
Conclusion
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 66: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/66.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 66
Metaphysics and Empiricism
• Metaphysics is the branch of philosophy concerned withunderstanding existence and knowledge.
• Empiricism (Eµπειρισµos) is a theory of knowledgeemphasizing the role of experience in the formation of ideas,while discounting the notion of innate ideas.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 67: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/67.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 67
John Locke and State of Mind
• John Locke (Aug 29, 1632 to Oct 28, 1704) considered the firstof the British Empiricists, important to social contract theory.
• He postulated that the mind was a “blank slate” and contraryto Cartesian or Christian philosophy, Locke maintained thatpeople are born without “inborn” ideas.
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 68: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/68.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 68
Locke, Darwin, Metaphysics,...,and Baboons
...He who understands baboon will do more towardunderstanding metaphysics than Locke.
Darwin, August 16, 1838
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 69: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/69.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 69
Security Metaphysics
Pessimist:
...He who understands human behavior will do more towardunderstanding security than any mathematical model...
Optimist:
...He who understands mathematical models will do moretoward understanding security than any security analyst...
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008
![Page 70: Security (Models) - Fields Institute · The DNS is used on the Internet to correlate between IP address and readable names. Resolver (part of system sending queries) is on the client](https://reader034.vdocument.in/reader034/viewer/2022042220/5ec6e4b0da2f42743f39ed2b/html5/thumbnails/70.jpg)
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 70
Related Literature
F. Akujobi, I. Lambadaris, E. Kranakis, Endpoint-Driven IntrusionDetection and Containment of Fast Spreading Worms in EnterpriseNetworks, In Proceedings of MILCOM 2007, Oct 29-31.
M. Barbeau, J. Hall, E. Kranakis, Detecting Impersonation Attacksin Future Wireless and Mobile Networks, In proceedings ofMADNES 2005
M. Kodialam, T. V. Lakshman, Detecting Network Intrusions viaSampling: A Game Theoretic Approach, INFOCOMM 2003.
D. Whyte, E. Kranakis, P. Van Oorschot, DNS-based Detection ofScanning Worms in an Enterprise Network, NDSS 05.
B. Bhattacharya, M. Burmester, Y. Hu, E. Kranakis, Q. Shi, A.Wiese, Optimal Movement of Mobile Sensors for Barrier Coverageof a Planar Region. COCOA’08
Fields Institute Workshop on New Directions in Cryptography, U of Ottawa 2008